The application server must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

From JBoss EAP 6.3 Security Technical Implementation Guide

Part of SRG-APP-000340-AS-000185

Associated with: CCI-002235

SV-76795r1_rule The application server must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

Vulnerability discussion

Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.Restricting non-privileged users also prevents an attacker who has gained access to a non-privileged account, from elevating privileges, creating accounts, and performing system checks and maintenance.

Check content

Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the /bin/ folder. Run the jboss-cli script. Connect to the server and authenticate. Run the following command: For standalone servers: "ls /core-service=management/access=authorization/" For managed domain installations: "ls /host=master/core-service=management/access=authorization/" If the "provider" attribute is not set to "rbac", this is a finding.

Fix text

Run the following command. /bin/jboss-cli.sh -c -> connect -> cd /core-service=management/access-authorization :write-attribute(name=provider, value=rbac) Restart JBoss. Map users to roles by running the following command. Upper-case words are variables. role-mapping=ROLENAME/include=ALIAS:add(name-USERNAME, type=USER ROLE)

Pro Tips

Powered by sagemincer