Check: JBOS-AS-000245
JBoss Enterprise Application Platform 6.3 STIG:
JBOS-AS-000245
(in versions v2 r4 through v1 r1)
Title
Welcome Web Application must be disabled. (Cat III impact)
Discussion
The Welcome to JBoss web page provides a redirect to the JBoss admin console, which by default listens on TCP 9990, and also redirects to the Online User Guide and Online User Groups hosted at locations on the Internet. The welcome page is unnecessary and should be disabled or replaced with a valid web page.
Check Content
Use a web browser and browse to http://<JBOSS SERVER IP ADDRESS>:8080. If the JBoss Welcome page is displayed, this is a finding.
Fix Text
Use the Management CLI script JBOSS_HOME/bin/jboss-cli.sh to run the following command. You may need to change the profile to modify a different managed domain profile, or remove the "/profile=default" portion of the command for a standalone server.

/profile=default/subsystem=web/virtual-server=default-host:write-attribute(name=enable-welcome-root,value=false)

To configure your web application to use the root context (/) as its URL address, modify the application's jboss-web.xml, which is located in the application's META-INF/ or WEB-INF/ directory. Replace its <context-root> directive with one that looks like the following:

<jboss-web>
    <context-root>/</context-root>
</jboss-web>
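The check and fix above, scripted against the Management CLI as an added example (not part of the STIG text). It assumes JBOSS_HOME points at the EAP 6.3 install and a standalone server; PROFILE_PREFIX is a variable introduced here so the same script can target a managed domain profile. The sample CLI output in the comments is constructed to show what parse_result expects.

```shell
#!/bin/sh
# Added example, not part of the STIG text: audit and remediate the
# enable-welcome-root attribute through the Management CLI. Assumes JBOSS_HOME
# points at the EAP 6.3 install and a standalone server; set PROFILE_PREFIX to
# "/profile=default" (or another profile) for a managed domain.
JBOSS_HOME="${JBOSS_HOME:-/opt/jboss-eap-6.3}"
PROFILE_PREFIX="${PROFILE_PREFIX:-}"
ADDR="${PROFILE_PREFIX}/subsystem=web/virtual-server=default-host"

# Send one command to a running server and return its DMR text output.
run_cli() {
    "$JBOSS_HOME/bin/jboss-cli.sh" --connect --command="$1"
}

# Pull the boolean out of read-attribute output such as (constructed sample)
#   { "outcome" => "success", "result" => true }
# and print true, false or unknown.
parse_result() {
    case "$1" in
        *'"result" => true'*)  echo true ;;
        *'"result" => false'*) echo false ;;
        *)                     echo unknown ;;
    esac
}

# Map the parsed value to the STIG outcome: 0 = not a finding,
# 1 = finding (welcome root still enabled), 2 = could not determine.
assess() {
    case "$(parse_result "$1")" in
        false) echo "Not a finding: enable-welcome-root=false"; return 0 ;;
        true)  echo "FINDING: Welcome Web Application is enabled"; return 1 ;;
        *)     echo "Could not read enable-welcome-root"; return 2 ;;
    esac
}

check_welcome_root() {
    assess "$(run_cli "$ADDR:read-attribute(name=enable-welcome-root)")"
}

# Apply the STIG fix; deploy the real application at context-root "/" afterwards.
fix_welcome_root() {
    run_cli "$ADDR:write-attribute(name=enable-welcome-root,value=false)"
}

# Usage: sh welcome-root.sh check | fix  (does nothing when run without args)
case "${1:-}" in
    check) check_welcome_root ;;
    fix)   fix_welcome_root ;;
esac
```

The exit status of `check` makes the script usable from a scheduled compliance job: 1 means the welcome page is still enabled, 2 means the server could not be queried and needs manual review.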
Additional Identifiers
Rule ID: SV-213523r954822_rule
Vulnerability ID: V-213523
Group Title: SRG-APP-000141-AS-000095
Expert Comments
CCIs
Number | Definition
---|---
CCI-000381 | The organization configures the information system to provide only essential capabilities.
Controls
Number | Title
---|---
CM-7 | Least Functionality