STIGQter: STIG Summary: JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date 22 Jan 2021:

The JBoss server, when hosting mission critical applications, must be in a high-availability (HA) cluster.

DISA Rule

SV-213546r615939_rule

Vulnerability Number

V-213546

Group Title

SRG-APP-000435-AS-000069

Rule Version

JBOS-AS-000640

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the JBoss application server to provide the load balancing (LB) or high availability (HA) services that the hosted mission-critical application requires, and cluster each component (server instances, web applications, EJBs, SSO, distributed cache, HTTP sessions, JMS) that the application's availability requirements identify.

Check Contents

Interview the system admin and determine if the applications hosted on the application server are mission critical and require load balancing (LB) or high availability (HA).

If the applications do not require LB or HA, this requirement is NA.

If the documentation shows the LB or HA services are being provided by another system other than the application server, this requirement is NA.

If applications require LB or HA, request documentation from the system admin that identifies what type of LB or HA configuration has been implemented on the application server.

Ask the system admin to identify the components that require protection. The list below gives examples only; it is neither complete nor prescriptive, and the components that the application server must make redundant or highly available will vary with the application's availability requirements.

Examples are:
Instances of the Application Server
Web Applications
Stateful, stateless and entity Enterprise Java Beans (EJBs)
Single Sign On (SSO) mechanisms
Distributed Cache
HTTP sessions
JMS and Message Services.

If the hosted application requirements specify LB or HA and the JBoss server has not been configured to offer HA or LB, this is a finding.
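The fix and check above describe what to configure and what to ask for, but not how to see it on the box. The following script is an added example and is not part of the STIG or of STIGQter: it inspects an EAP 6 server configuration file (standalone-ha.xml, standalone-full-ha.xml, or a domain profile) for the three clustering subsystems every EAP 6 HA profile carries (jgroups, infinispan, modcluster) and reports which of the components listed in the check (HTTP sessions, EJB state, SSO, JMS backup) the profile actually enables. The XML fragments it writes to a temporary directory are constructed samples, not a real deployment; the function names and the grep patterns are this example's own choices. It does not replace the documentation review: an HA profile on one node is not a cluster until a second node joins it.

```shell
#!/bin/sh
# Added example (not STIG/STIGQter code): read-only check of JBoss EAP 6
# clustering configuration. Paths and sample XML are constructed for this
# example; point the functions at the real standalone*.xml / web.xml.

# Echo "HA" when the profile carries all three clustering subsystems that an
# EAP 6 HA profile ships with, otherwise "NOT_HA".
ha_status() {
  cfg="$1"
  for ns in jgroups infinispan modcluster; do
    grep -q "urn:jboss:domain:${ns}:" "$cfg" || { echo NOT_HA; return 0; }
  done
  echo HA
}

# Echo the HA-related components the profile enables, one per line, so the
# output can be compared with the admin's documented requirements.
ha_components() {
  cfg="$1"
  grep -q 'urn:jboss:domain:jgroups:'    "$cfg" && echo "cluster-transport (JGroups)"
  grep -q 'urn:jboss:domain:modcluster:' "$cfg" && echo "load-balancer-registration (mod_cluster)"
  grep -q '<cache-container name="web"'  "$cfg" && echo "http-session-replication (Infinispan web cache)"
  grep -q '<cache-container name="ejb"'  "$cfg" && echo "ejb-state-replication (Infinispan ejb cache)"
  grep -q '<sso '                        "$cfg" && echo "clustered-sso (web subsystem)"
  grep -q '<backup>true</backup>'        "$cfg" && echo "jms-backup-server (HornetQ)"
  return 0
}

# A deployed web app only takes part in session replication if its web.xml
# is marked distributable; echo "yes" or "no".
webapp_distributable() {
  if grep -q '<distributable' "$1"; then echo yes; else echo no; fi
}

# --- constructed sample inputs (trimmed, not a real deployment) -------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HA_CFG="$WORK/standalone-ha.xml"
PLAIN_CFG="$WORK/standalone.xml"
DIST_WEBXML="$WORK/web.xml"

cat >"$HA_CFG" <<'EOF'
<server xmlns="urn:jboss:domain:1.6">
  <profile>
    <subsystem xmlns="urn:jboss:domain:infinispan:1.5">
      <cache-container name="web" default-cache="repl">
        <transport lock-timeout="60000"/>
        <replicated-cache name="repl" mode="ASYNC" batching="true"/>
      </cache-container>
      <cache-container name="ejb" default-cache="repl">
        <transport lock-timeout="60000"/>
        <replicated-cache name="repl" mode="ASYNC" batching="true"/>
      </cache-container>
    </subsystem>
    <subsystem xmlns="urn:jboss:domain:jgroups:1.1" default-stack="udp">
      <stack name="udp"><transport type="UDP" socket-binding="jgroups-udp"/></stack>
    </subsystem>
    <subsystem xmlns="urn:jboss:domain:modcluster:1.2">
      <mod-cluster-config advertise-socket="modcluster" connector="ajp"/>
    </subsystem>
    <subsystem xmlns="urn:jboss:domain:web:2.1" default-virtual-server="default-server">
      <virtual-server name="default-server">
        <sso cache-container="web" cache-name="sso" reauthenticate="false"/>
      </virtual-server>
    </subsystem>
  </profile>
</server>
EOF

cat >"$PLAIN_CFG" <<'EOF'
<server xmlns="urn:jboss:domain:1.6">
  <profile>
    <subsystem xmlns="urn:jboss:domain:web:2.1" default-virtual-server="default-server"/>
  </profile>
</server>
EOF

printf '<web-app>\n  <distributable/>\n</web-app>\n' >"$DIST_WEBXML"

echo "standalone-ha.xml: $(ha_status "$HA_CFG")"
ha_components "$HA_CFG" | sed 's/^/  /'
echo "standalone.xml:    $(ha_status "$PLAIN_CFG")"
echo "web.xml distributable: $(webapp_distributable "$DIST_WEBXML")"
```

On a running server the same facts can be read from the management model instead of the file, for example with the CLI that ships with EAP: jboss-cli.sh --connect --command="/subsystem=jgroups:read-resource" (an error here means the jgroups subsystem, and so the HA profile, is not loaded). Either way, compare the reported components with the requirements the admin documented; a profile that replicates HTTP sessions but not the EJB state the application depends on still does not satisfy the application's HA requirement.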

Severity Override Guidance

Same as Check Contents above.

Check Content Reference

M

Target Key

3987

Comments