Title

Any unapproved applications must be removed. (Cat II impact)

Discussion

Extraneous services and applications running on an application server expands the attack surface and increases risk to the application server. Securing any server involves identifying and removing any unnecessary services and, in the case of an application server, unnecessary and/or unapproved applications.

Check Content

Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the jboss-cli script. Connect to the server and authenticate. Run the command: ls /deployment The list of deployed applications is displayed. Have the system admin identify the applications listed and confirm they are approved applications. If the system admin cannot provide documentation proving their authorization for deployed applications, this is a finding.

Fix Text

Identify, authorize, and document all applications that are deployed to the application server. Remove unauthorized applications.

Additional Identifiers

Rule ID: SV-213524r954822_rule

Vulnerability ID: V-213524

Group Title: SRG-APP-000141-AS-000095

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.