JBOS-AS-000245 – Welcome Web Application must be disabled.

Details

The Welcome to JBoss web page provides a redirect to the JBoss admin console, which by default runs on TCP 9990, as well as redirects to the Online User Guide and Online User Groups hosted at locations on the Internet. The welcome page is unnecessary and should be disabled or replaced with a valid web page.

Solution

Use the Management CLI script JBOSS_HOME/bin/jboss-cli.sh to run the following command. You may need to change the profile to modify a different managed domain profile, or remove the ‘/profile=default’ portion of the command for a standalone server.

/profile=default/subsystem=web/virtual-server=default-host:write-attribute(name=enable-welcome-root,value=false)
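To confirm the setting offline, the persisted configuration can be audited as well. The following is an added example, not part of the STIG text: it parses a standalone.xml or domain.xml and reports the enable-welcome-root state of every web virtual server. The sample XML, namespace versions and host names other than default-host are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample resembling an EAP 6 standalone.xml web subsystem
# (not taken from the page; namespace versions are illustrative).
SAMPLE_CONFIG = """<server xmlns="urn:jboss:domain:1.6">
  <profile>
    <subsystem xmlns="urn:jboss:domain:web:2.1" default-virtual-server="default-host">
      <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost"/>
      </virtual-server>
      <virtual-server name="apps-host" enable-welcome-root="false"/>
      <virtual-server name="legacy-host"/>
    </subsystem>
  </profile>
</server>"""


def local(tag):
    """Strip the XML namespace so the check works across schema versions."""
    return tag.rsplit("}", 1)[-1]


def audit_welcome_root(xml_text):
    """Return [(profile, virtual_server, status)] for every web virtual server."""
    findings = []
    root = ET.fromstring(xml_text)
    # standalone.xml has one unnamed <profile>; domain.xml has named ones.
    for profile in (e for e in root.iter() if local(e.tag) == "profile"):
        pname = profile.get("name", "standalone")
        for sub in (e for e in profile if local(e.tag) == "subsystem"):
            for vs in (e for e in sub if local(e.tag) == "virtual-server"):
                raw = vs.get("enable-welcome-root")
                if raw is None:
                    status = "UNSET"  # not explicit in the file; confirm via the CLI
                elif raw.strip().lower() == "false":
                    status = "PASS"
                else:
                    status = "FAIL"   # "true" or an expression: treat as a finding
                findings.append((pname, vs.get("name"), status))
    return findings


if __name__ == "__main__":
    for profile, host, status in audit_welcome_root(SAMPLE_CONFIG):
        print(f"{status:5} profile={profile} virtual-server={host}")
```

An UNSET result means the attribute is not written in the file, so read it back through the Management CLI before recording the control as met.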

To configure your web application to use the root context (/) as its URL address, modify the application's jboss-web.xml, which is located in the application's META-INF/ or WEB-INF/ directory. Replace its <context-root> directive with one that looks like the following:

    <jboss-web>
        <context-root>/</context-root>
    </jboss-web>

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Unix.

Updated on July 16, 2022