ALLOW_BACKSLASH must be set to false.

An XCCDF Rule

Description

<VulnDiscussion>When Tomcat is installed behind a proxy configured to only allow access to certain Tomcat contexts (web applications), an HTTP request containing "/\../" may allow attackers to work around the proxy restrictions using directory traversal attack methods. If allow_backslash is true the '\' character will be permitted as a path delimiter. The default value for the setting is false but Tomcat should always be configured as if no proxy restricting context access was used and allow_backslash should be set to false to prevent directory traversal style attacks. This setting can create operability issues with non-compliant clients. In order to accommodate a non-compliant client, any deviation from the STIG setting must be approved by the ISSO.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-223004r961863_rule
Severity: Medium
References: CCI-000366
Updated: 17 days ago

As a privileged user on the Tomcat server:

If the finding is in the catalina.properties file, edit the $CATALINA_BASE/conf/catalina.properties file.

sudo nano $CATALINA_BASE/conf/catalina.properties
Change the org.apache.catalina.connector.ALLOW_BACKSLASH=true setting to =false.

If the finding is in the /etc/systemd/services/tomcat/service file, edit the file using a text editor.

sudo nano /etc/systemd/services/tomcat.service

Locate the "Environment='CATALINA_OPTS=' line and change the -D.org.apache.catalina.connectorALLOW_BACKSLASH=true setting to =false.

Restart Tomcat by running the following commands:
sudo systemctl restart tomcat
sudo systemctl daemon-reload

ALLOW_BACKSLASH must be set to false.

Description

Remediation - Manual Procedure