STIGQter: STIG Summary: IBM WebSphere Traditional V9.x Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 23 Aug 2018:

The WebSphere Application Server security cookies must be set to HTTPOnly.

DISA Rule

SV-95935r1_rule

Vulnerability Number

V-81221

Group Title

SRG-APP-000015-AS-000010

Rule Version

WBSP-AS-000190

Severity

CAT II

CCI(s)

• CCI-001453 - The information system implements cryptographic mechanisms to protect the integrity of remote access sessions.

Weight

10

Fix Recommendation

From the administrative console, navigate to Security >> Global Security.

Expand "Web and SIP security".

Select "Set security cookies to HTTPOnly".

Click "OK".

Click "Save".

Restart the DMGR and all the JVMs.

Check Contents

From the administrative console, navigate to Security >> Global Security.

Expand "Web and SIP security".

Click on "Single sign-on (SSO)".

If "Set security cookies to HTTPOnly" is not selected, this is a finding.

Vulnerability Number

V-81221

Documentable

False

Rule Version

WBSP-AS-000190

Severity Override Guidance

From the administrative console, navigate to Security >> Global Security.

Expand "Web and SIP security".

Click on "Single sign-on (SSO)".

If "Set security cookies to HTTPOnly" is not selected, this is a finding.

Check Content Reference

M

Target Key

3399

Comments