
Access to JMX management interface must be restricted.

An XCCDF Rule

Description

Java Management Extensions (JMX) is used to provide programmatic access to Tomcat for management purposes. This includes monitoring and control of Java applications running on Tomcat. If network access to the JMX port is not restricted, attackers can gain access to the application used to manage the system.

Documentable
false

ID
SV-222969r879631_rule
Severity
Medium
References
Updated



Remediation - Manual Procedure

Make an operational determination regarding the use of JMX. If JMX management is decided upon, identify the management networks that are used for system management. Update the system security plan and network documentation with the information. 

Edit the /etc/systemd/system/tomcat.service file.

Add or modify the existing CATALINA_OPTS -Dcom.sun.management.jmxremote.host setting. Set the host parameter to an IP address that is only available on a management network.
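As an added example (not part of the STIG rule or of Tomcat's own tooling), the following POSIX shell audit reads the CATALINA_OPTS Environment= line from a tomcat.service unit and reports whether -Dcom.sun.management.jmxremote.host is set to a specific address rather than left unset or bound to a wildcard. The unit file contents, the temporary paths and the 10.10.5.12 management address are constructed for the example.

```shell
#!/bin/sh
# Added example: audit a systemd unit for the JMX host binding this rule requires.
# Sample unit files are constructed in a temp directory so the check runs offline.

# Print the value of -Dcom.sun.management.jmxremote.host found on the
# CATALINA_OPTS Environment= line of the unit file in $1; print nothing if absent.
jmx_host_from_unit() {
    grep -E '^Environment=.*CATALINA_OPTS' "$1" \
      | sed -n 's/.*-Dcom\.sun\.management\.jmxremote\.host=\([^ "]*\).*/\1/p' \
      | head -n 1
}

# Return 0 (compliant) when the host is a specific address, 1 otherwise.
# An unset host or a wildcard means the JMX connector listens on every interface.
check_jmx_binding() {
    host=$(jmx_host_from_unit "$1")
    if [ -z "$host" ]; then
        echo "FAIL: jmxremote.host not set (connector binds all interfaces)"
        return 1
    fi
    case "$host" in
        0.0.0.0|::|'*')
            echo "FAIL: jmxremote.host=$host binds all interfaces"
            return 1 ;;
    esac
    echo "PASS: jmxremote.host=$host"
    return 0
}

WORK=$(mktemp -d)

# Constructed sample: JMX enabled with no host binding (non-compliant).
UNIT_OPEN="$WORK/tomcat-unrestricted.service"
cat > "$UNIT_OPEN" <<'EOF'
[Service]
Environment="CATALINA_OPTS=-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9010"
EOF

# Constructed sample: explicitly bound to the wildcard address (non-compliant).
UNIT_ANY="$WORK/tomcat-wildcard.service"
cat > "$UNIT_ANY" <<'EOF'
[Service]
Environment="CATALINA_OPTS=-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9010 -Dcom.sun.management.jmxremote.host=0.0.0.0"
EOF

# Constructed sample: bound to a management-network address (compliant under this rule).
UNIT_MGMT="$WORK/tomcat-restricted.service"
cat > "$UNIT_MGMT" <<'EOF'
[Service]
Environment="CATALINA_OPTS=-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9010 -Dcom.sun.management.jmxremote.host=10.10.5.12"
EOF

# Run the check over every sample; the first two are expected to fail.
for unit in "$WORK"/tomcat-*.service; do
    printf '%s: ' "$(basename "$unit")"
    check_jmx_binding "$unit" || true
done
```

The check only inspects the unit file text. After editing the real /etc/systemd/system/tomcat.service, reload systemd and restart Tomcat, then confirm with a listener listing (for example `ss -ltnp`) that the JMX port is bound to the management address and not to 0.0.0.0, since a stale process or a second Environment= line can leave the listener open despite a compliant-looking file.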