V-223007
SV-223007r961863_rule
CAT III
Hosted applications must be documented in the system security plan.
From: Apache Tomcat Application Server 9 Security Technical Implementation Guide (V3R4)
Description
<VulnDiscussion>The ISSM/ISSO must be cognizant of all applications operating on the Tomcat server, and must address any security implications associated with the operation of the applications.
If unknown/undocumented applications are operating on the Tomcat server, these applications increase risk for the system due to not being managed, patched or monitored for unapproved activity on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Check Procedure
Review the Tomcat server's System Security Plan (SSP) and server documentation.
Access the Tomcat server and review the $CATALINA_BASE/webapps folder.
Ensure that all webapps are documented in the SSP.
If the applications that are hosted on the Tomcat server are not documented in the SSP, this is a finding.
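The check above is a manual comparison of what is deployed against what the SSP lists. The following POSIX shell script is an added example (not part of the STIG or of Tomcat) that automates the comparison: it enumerates exploded directories and .war archives under $CATALINA_BASE/webapps, and also context descriptors under conf/Catalina/localhost (which can deploy an application whose docBase lies outside webapps, so a webapps-only listing can miss it), then reports any name absent from an inventory file. The inventory format (one context name per line, "#" comments) and the fixture tree built by make_fixture are assumptions made for the example, not anything the STIG specifies.

```shell
#!/bin/sh
# Added example, not STIG or Tomcat code. Compares applications deployed under
# $CATALINA_BASE with a plain-text SSP inventory (assumed format: one context
# name per line, "#" lines are comments).

# List deployed application names, sorted and de-duplicated: exploded
# directories and .war archives directly under webapps, plus context
# descriptors in conf/Catalina/localhost/*.xml (these may point at a docBase
# outside webapps, which is why they are included). LC_ALL=C keeps the sort
# order stable across locales.
list_deployed_apps() {
    base="$1"
    {
        for p in "$base"/webapps/* ; do
            [ -e "$p" ] || continue
            name=$(basename "$p")
            case "$name" in
                *.war) name="${name%.war}" ;;
            esac
            printf '%s\n' "$name"
        done
        for x in "$base"/conf/Catalina/localhost/*.xml ; do
            [ -e "$x" ] || continue
            basename "$x" .xml
        done
    } | LC_ALL=C sort -u
}

# Print deployed applications that do not appear in the SSP inventory file,
# one per line. Empty output means every deployed application is documented.
undocumented_apps() {
    base="$1"; ssp="$2"
    documented=$(grep -v '^[[:space:]]*#' "$ssp" | sed 's/[[:space:]]*$//' | grep -v '^$')
    list_deployed_apps "$base" | while read -r app; do
        # -x: whole-line match, -F: literal (context names are not patterns)
        printf '%s\n' "$documented" | grep -qxF -- "$app" || printf '%s\n' "$app"
    done
}

# Wrapper with STIG-style verdict: exit 1 (finding) if anything is undocumented.
audit_webapps() {
    found=$(undocumented_apps "$1" "$2")
    if [ -n "$found" ]; then
        printf 'FINDING: applications deployed but not in %s:\n%s\n' "$2" "$found"
        return 1
    fi
    printf 'OK: all applications under %s/webapps are documented in %s\n' "$1" "$2"
    return 0
}

# Constructed sample CATALINA_BASE and SSP inventory for an offline run.
# "legacy-reports" is deployed but deliberately left out of the inventory.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/webapps/ROOT" "$d/webapps/manager" "$d/webapps/legacy-reports" \
             "$d/conf/Catalina/localhost"
    : > "$d/webapps/payroll.war"
    : > "$d/conf/Catalina/localhost/hrportal.xml"
    cat > "$d/ssp.txt" <<'EOF'
# Constructed SSP inventory for this example (hypothetical host tomcat-prod-01)
ROOT
manager
payroll
hrportal
EOF
    printf '%s\n' "$d"
}

# Usage: sh audit_webapps.sh /path/to/CATALINA_BASE /path/to/ssp-inventory.txt
if [ "$#" -eq 2 ]; then
    audit_webapps "$1" "$2"
fi
```

Run it with the real $CATALINA_BASE and the inventory exported from the SSP; a non-zero exit with the listed names is the finding the check procedure describes. Note that it only proves the deployed set matches the inventory, not that the inventory is current: applications removed from the server but still listed in the SSP are a documentation issue the script does not flag.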
Fix Text
Document the applications that have an Authority to Operate (ATO) on the Tomcat server.
Retain the information in the SSP and present it to the auditor in the event of a Command Cyber Readiness Inspection (CCRI).
CCI Reference
CCI-000366
Created: 2026-04-07 20:08:10
Last Updated: 2026-04-07 20:08:10