Access to JMX management interface must be restricted.
An XCCDF Rule
Description
<VulnDiscussion>Java Management Extensions (JMX) is used to provide programmatic access to Tomcat for management purposes. This includes monitoring and control of Java applications running on Tomcat. If network access to the JMX port is not restricted, attackers can gain access to the application used to manage the system.</VulnDiscussion>
- ID: SV-222969r961095_rule
- Severity: Medium
- References
- Updated
Remediation - Manual Procedure
Make an operational determination regarding the use of JMX. If JMX management is decided upon, identify the management networks that are used for system management. Update the system security plan and network documentation with the information.
Edit the /etc/systemd/system/tomcat.service file.
Add a -Dcom.sun.management.jmxremote.host setting to CATALINA_OPTS, or modify the existing one, so that the host parameter is set to an IP address that is only available on a management network.
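The following shell check is an added example, not part of the STIG text: it reads the -Dcom.sun.management.jmxremote.host value out of a tomcat.service unit and classifies the binding, so an auditor can spot a wildcard or missing host before a manual review. The unit file contents, the 10.10.100.0/24 management prefix and the 9010 port are constructed assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: audit the JMX host binding in a systemd unit for Tomcat.
# The unit contents, management prefix and port below are constructed.

# Print the value of -Dcom.sun.management.jmxremote.host found in a unit file,
# or nothing if the option is absent.  $1: path to the unit file.
jmx_host_from_unit() {
    sed -n 's/.*-Dcom\.sun\.management\.jmxremote\.host=\([^ "]*\).*/\1/p' "$1" | tail -n 1
}

# Classify the binding as absent, wildcard, loopback, mgmt or other.
# $1: unit file path; $2: management-network prefix (assumption, e.g. 10.10.100.)
classify_jmx_host() {
    host=$(jmx_host_from_unit "$1")
    case "$host" in
        "")                  echo absent ;;
        0.0.0.0|::|"*")      echo wildcard ;;
        127.*|::1|localhost) echo loopback ;;
        "$2"*)               echo mgmt ;;
        *)                   echo other ;;
    esac
}

# Constructed sample units: one that exposes JMX on every interface, and one
# bound to an address that exists only on the (assumed) management network.
weak=$(mktemp); strong=$(mktemp)
cat > "$weak" <<'EOF'
[Service]
Environment="CATALINA_OPTS=-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9010 -Dcom.sun.management.jmxremote.host=0.0.0.0"
EOF
cat > "$strong" <<'EOF'
[Service]
Environment="CATALINA_OPTS=-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9010 -Dcom.sun.management.jmxremote.host=10.10.100.5"
EOF

echo "weak unit:   $(classify_jmx_host "$weak" 10.10.100.)"     # wildcard
echo "strong unit: $(classify_jmx_host "$strong" 10.10.100.)"   # mgmt
```

Only a result of mgmt satisfies this rule; absent and wildcard both mean the JMX port is reachable from any network the host is attached to.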