STIGQter: STIG Summary: JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

Welcome Web Application must be disabled.

DISA Rule

SV-213523r615939_rule

Vulnerability Number

V-213523

Group Title

SRG-APP-000141-AS-000095

Rule Version

JBOS-AS-000245

Severity

CAT III

CCI(s)

CCI-000381 - The organization configures the information system to provide only essential capabilities.

Weight

Fix Recommendation

Use the Management CLI script JBOSS_HOME/bin/jboss-cli.sh to run the following command. You may need to change the profile to modify a different managed domain profile, or remove the "/profile=default" portion of the command for a standalone server.

"/profile=default/subsystem=web/virtual-server=default-host:writeattribute(name=enable-welcome-root,value=false)"

To configure your web application to use the root context (/) as its URL address, modify the applications jboss-web.xml, which is located in the applications META-INF/ or WEB-INF/ directory. Replace its <context-root> directive with one that looks like the following:

<jboss-web>
<context-root>/</context-root>
</jboss-web>

Check Contents

Use a web browser and browse to HTTP://JBOSS SERVER IP ADDRESS:8080

If the JBoss Welcome page is displayed, this is a finding.

Vulnerability Number

V-213523

Documentable

False

Rule Version

JBOS-AS-000245

Severity Override Guidance

Use a web browser and browse to HTTP://JBOSS SERVER IP ADDRESS:8080

If the JBoss Welcome page is displayed, this is a finding.

Check Content Reference

Target Key

3987

Welcome Web Application must be disabled.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments