Title

The web server must be configured to use a specified IP address and port. (Cat II impact)

Discussion

The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utilize, the web server will listen on all IP addresses available to the hosting server. If the web server has multiple IP addresses, i.e., a management IP address, the web server will also accept connections on the management IP address. Accessing the hosted application through an IP address normally used for non-application functions opens the possibility of user access to resources, utilities, files, ports, and protocols that are protected on the desired application IP address.

Check Content

Review the web server documentation and deployment configuration to determine whether the web server is configured to listen on a specified IP address and port. Request a client user try to access the web server on any other available IP addresses on the hosting hardware. If an IP address is not configured on the web server or a client can reach the web server on other IP addresses assigned to the hosting hardware, this is a finding.

Fix Text

Configure the web server to only listen on a specified IP address and port.

Additional Identifiers

Rule ID: SV-206386r960966_rule

Vulnerability ID: V-206386

Group Title: SRG-APP-000142

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.