From JBoss EAP 6.3 Security Technical Implementation Guide
Part of SRG-APP-000211-AS-000146
Associated with: CCI-001082
The application server consists of the management interface and hosted applications. By separating the management interface from hosted applications, the user must authenticate as a privileged user to the management interface before being presented with management functionality. This prevents non-privileged users from having visibility to functions not available to them. By limiting visibility, a compromised non-privileged account does not give the attacker the information or functionality needed to further the attack on the application server.
If JBoss is not started with separate management and public interfaces, this is a finding.
Review the network design documents to identify the IP address space for the management network.
Use relevant OS commands and administrative techniques to determine how the system administrator starts the JBoss server. This includes interviewing the system admin, using the "ps -ef|grep" command for UNIX-like systems, or checking command line flags and properties on batch scripts for Windows systems.
Ensure the startup syntax used to start JBoss specifies a management network address and a public network address.
The "-b" flag specifies the public address space.
The "-bmanagement" flag specifies the management address space.
Example:
Start the application server with a -bmanagement and a -b flag so that admin management functionality and hosted applications are separated. Refer to section 4.9 in the JBoss EAP 6.3 Installation Guide for specific instructions on how to start the JBoss server as a service.
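The check above can be scripted. The following is an added example, not part of the STIG or of JBoss itself: it parses a JBoss start command line (as shown by "ps -ef") for the "-b" and "-bmanagement" flags and reports a finding when either is missing or both bind to the same address. It assumes the two flag spellings JBoss accepts on the command line ("-b=ADDR" and "-b ADDR"); addresses set via system properties in a start script are not examined, and the sample command lines are constructed.

```shell
#!/bin/sh
# Added example (not STIG or JBoss code): evaluate whether a JBoss start
# command line separates the management and public interfaces.

# Print the value of bind flag "$1" (b or bmanagement) found in command line "$2".
# Handles "-b=ADDR" and "-b ADDR"; "-bmanagement" is never mistaken for "-b".
bind_value() {
    printf '%s\n' "$2" | awk -v flag="-$1" '
    {
        for (i = 1; i <= NF; i++) {
            if ($i == flag && i < NF) { print $(i+1); exit }
            if (index($i, flag "=") == 1) { print substr($i, length(flag) + 2); exit }
        }
    }'
}

# Return 0 when public and management addresses are both set and differ,
# 1 (a finding) otherwise. Prints a one-line verdict.
check_jboss_binding() {
    cmdline="$1"
    pub=$(bind_value b "$cmdline")
    mgmt=$(bind_value bmanagement "$cmdline")

    if [ -z "$pub" ] || [ -z "$mgmt" ]; then
        echo "FINDING: -b='${pub:-unset}' -bmanagement='${mgmt:-unset}'; both flags must be set"
        return 1
    fi
    if [ "$pub" = "$mgmt" ]; then
        echo "FINDING: management and public interfaces share address $pub"
        return 1
    fi
    echo "OK: public=$pub management=$mgmt"
    return 0
}

# Demonstration on constructed command lines (RFC 5737 documentation addresses):
# the first shares one address for both interfaces, the second separates them.
for line in \
    "./standalone.sh -b=192.0.2.10 -bmanagement=192.0.2.10" \
    "./standalone.sh -b 192.0.2.10 -bmanagement 198.51.100.5"; do
    check_jboss_binding "$line" || true
done
```

On a live system, pass the output of "ps -eo args= | grep standalone.sh" to check_jboss_binding instead of the constructed lines.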