STIGQter STIGQter: STIG Summary: JBoss EAP 6.3 Security Technical Implementation Guide Version: 1 Release: 4 Benchmark Date: 25 Oct 2019: Welcome Web Application must be disabled.

DISA Rule

SV-76761r1_rule

Vulnerability Number

V-62271

Group Title

SRG-APP-000141-AS-000095

Rule Version

JBOS-AS-000245

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Use the Management CLI script JBOSS_HOME/bin/jboss-cli.sh to run the following command. You may need to change the profile to modify a different managed domain profile, or remove the "/profile=default" portion of the command for a standalone server.

"/profile=default/subsystem=web/virtual-server=default-host:writeattribute(name=enable-welcome-root,value=false)"

To configure your web application to use the root context (/) as its URL address, modify the applications jboss-web.xml, which is located in the applications META-INF/ or WEB-INF/ directory. Replace its <context-root> directive with one that looks like the following:

<jboss-web>
<context-root>/</context-root>
</jboss-web>

Check Contents

Use a web browser and browse to HTTP://JBOSS SERVER IP ADDRESS:8080

If the JBoss Welcome page is displayed, this is a finding.

Vulnerability Number

V-62271

Documentable

False

Rule Version

JBOS-AS-000245

Severity Override Guidance

Use a web browser and browse to HTTP://JBOSS SERVER IP ADDRESS:8080

If the JBoss Welcome page is displayed, this is a finding.

Check Content Reference

M

Target Key

2923

Comments