The shutdown port must be disabled.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-222951 | SRG-APP-000141-AS-000095 | TCAT-AS-000490 | SV-222951r960963_rule | 2025-02-11 | 3 |
| Description |
|---|
| Tomcat listens on TCP port 8005 to accept shutdown requests. By connecting to this port and sending the SHUTDOWN command, all applications within Tomcat are halted. The shutdown port is not exposed to the network as it is bound to the loopback interface. Set the shutdown attribute in $CATALINA_BASE/conf/server.xml. |
| ℹ️ Check |
|---|
| From the Tomcat server run the following OS command: $ sudo grep -i shutdown $CATALINA_BASE/conf/server.xml Ensure the server shutdown port attribute in $CATALINA_BASE/conf/server.xml is set to -1. EXAMPLE: <Server port="-1" shutdown="SHUTDOWN"> If Server port not = "-1" shutdown="SHUTDOWN", this is a finding. |
| ✔️ Fix |
|---|
| From the Tomcat server as a privileged user, edit the $CATALINA_BASE/conf/server.xml file: set the Server port setting to -1 and restart the Tomcat server. <Server port="-1" shutdown="SHUTDOWN"> sudo systemctl restart tomcat sudo systemctl daemon-reload |