An error occurred:

Check: JBOS-AS-000655

JBoss Enterprise Application Platform 6.3 STIG: JBOS-AS-000655 (in versions v2 r4 through v1 r2)

Title

JBoss must be configured to use an approved cryptographic algorithm in conjunction with TLS. (Cat II impact)

Discussion

Preventing the disclosure or modification of transmitted information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPSec tunnel. If data in transit is unencrypted, it is vulnerable to disclosure and modification. If approved cryptographic algorithms are not used, encryption strength cannot be assured. FIPS 140-2 approved TLS versions include TLS V1.2 or greater. TLS must be enabled, and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems.

Check Content

Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the jboss-cli script. Connect to the server and authenticate. Validate that the TLS protocol is used for HTTPS connections. Run the command: "ls /subsystem=web/connector=https/ssl=configuration" Review the cipher suites. The following suites are acceptable as per NIST 800-52r1 section 3.3.1 - Cipher Suites. Refer to the NIST document for a complete list of acceptable cipher suites. The source NIST document and approved encryption algorithms/cipher suites are subject to change and should be referenced. AES_128_CBC AES_256_CBC AES_128_GCM AES_128_CCM AES_256_CCM If the cipher suites utilized by the TLS server are not approved by NIST as per 800-52r1, this is a finding.

Fix Text

Reference section 4.6 of the JBoss EAP 6.3 Security Guide located on the Red Hat vendor's website for step-by-step instructions on establishing SSL encryption on JBoss. The overall steps include: 1. Add an HTTPS connector. 2. Configure the SSL encryption certificate and keys. 3. Set the Cipher to an approved algorithm.

Additional Identifiers

Rule ID: SV-213548r955695_rule

Vulnerability ID: V-213548

Group Title: SRG-APP-000440-AS-000167

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-002421

The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by organization-defined alternative physical safeguards.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SC-8 (1)

Cryptographic Or Alternate Physical Protection