Details

When you install IBM HTTP Server, the installer leaves behind a JRE. Remove this JRE, as it provides functions that are not needed by the Web server or plug-in under normal conditions. Keep in mind that this will make it impossible to run some tools such as ikeyman on this Web server.

When you install the WebSphere Application Server HTTP Server plug-in using the IBM installer, it also leaves behind a JRE. Also, remove this JRE post install.

Having a functioning JRE in the DMZ provides attackers who have breached into the DMZ with additional tools to carry out further attacks.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

For web servers provided with the WebSphere installation that are operating in the DMZ.

Remove the /java directory from within the plugins folder.

Supportive Information

The following resource is also helpful.

• http://iasecontent.disa.mil/stigs/zip/U_IBM_WebSphere_Traditional_V9-x_V1R1_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system Windows.

References

• 800-53|CM-7a.
• CAT|III
• CCI|CCI-000381
• Rule-ID|SV-95989r1_rule
• STIG-ID|WBSP-AS-000940
• Vuln-ID|V-81275

Source

• Tenable.com/audits