STIGQter: STIG Summary: IBM WebSphere Traditional V9.x Security Technical Implementation Guide, Version: 1, Release: 1, Benchmark Date: 23 Aug 2018

The WebSphere Application Server plugin must be configured to use HTTPS only.

DISA Rule

SV-96109r1_rule

Vulnerability Number

V-81395

Group Title

SRG-APP-000440-AS-000167

Rule Version

WBSP-AS-001630

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

From the admin console, navigate to Servers >> Server Types >> WebSphere Application Servers >> select each server (server name) >> Web Container Settings >> Web container transport chains.

Select the "WCInboundDefault" and the "HttpQueueInboundDefault" transport chains and disable them.

Click "Apply".

Click "Save".

Restart the DMGR and resynch the JVMs.

Check Contents

From the admin console, navigate to Servers >> Server Types >> WebSphere Application Servers >> select each server (server name) >> Web Container Settings >> Web container transport chains.

Verify both "WCInboundDefault" and the "HttpQueueInboundDefault" transport chains are disabled.

If they are not disabled, this is a finding.
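
A scripted form of the check above, added here as an example and not part of the STIG or of IBM's tooling. It assumes each server's server.xml records transport chains as `chains` elements with `name` and `enable` attributes; the sample XML is constructed and simplified, and a chain with no `enable` attribute is reported as a finding because its state cannot be confirmed.

```python
import xml.etree.ElementTree as ET

# Transport chains the check text requires to be disabled.
REQUIRED_DISABLED = ("WCInboundDefault", "HttpQueueInboundDefault")

# Constructed, simplified sample (assumption: real server.xml files carry
# <chains name="..." enable="..."/> elements under the channel service).
SAMPLE_SERVER_XML = """\
<server name="server1">
  <services>
    <chains name="WCInboundAdmin" enable="true"/>
    <chains name="WCInboundDefault" enable="false"/>
    <chains name="WCInboundDefaultSecure" enable="true"/>
    <chains name="HttpQueueInboundDefault" enable="true"/>
    <chains name="HttpQueueInboundDefaultSecure" enable="true"/>
  </services>
</server>
"""

def chain_status(server_xml):
    """Return {chain name: 'disabled' | 'enabled' | 'unknown' | 'absent'}."""
    root = ET.fromstring(server_xml)
    raw = {c.get("name"): c.get("enable") for c in root.iter("chains")}
    status = {}
    for name in REQUIRED_DISABLED:
        if name not in raw:
            status[name] = "absent"      # chain is not defined at all
        elif raw[name] is None:
            status[name] = "unknown"     # no explicit enable attribute
        elif raw[name].strip().lower() == "false":
            status[name] = "disabled"
        else:
            status[name] = "enabled"
    return status

def open_findings(server_xml):
    """Chains that fail the check: enabled, or state not confirmable."""
    return sorted(name for name, state in chain_status(server_xml).items()
                  if state in ("enabled", "unknown"))

if __name__ == "__main__":
    for name, state in chain_status(SAMPLE_SERVER_XML).items():
        print(f"{name}: {state}")
    failed = open_findings(SAMPLE_SERVER_XML)
    print("FINDING: " + ", ".join(failed) if failed else "Not a finding")
```

Run it against the server.xml of every application server in the cell, since the check applies to each server individually.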

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3399
