The WebSphere Application Server Java 2 security must not be bypassed.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-81225 | WBSP-AS-000212 | SV-95939r1_rule | High |
| Description |
|---|
| WebSphere provides a passive filter mechanism that will allow administrators to set Java 2 security in the admin console as enabled while still allowing applications to access host resources. This setting bypasses the enforcement of Java2 security. Application access is allowed and activity is logged to the system.out file. This feature is to aid in the identification of application access requirements to the underlying host so security policies can be created. This feature is executed via a custom property that is set for each application server instance operating on the WebSphere server. This setting should only be enabled in a development or testing environment in order to identify what applications access requirements are so security policies can then be created. |
| STIG | Date |
|---|---|
| IBM WebSphere Traditional V9.x Security Technical Implementation Guide | 2018-08-24 |
Details
| Check Text ( C-80897r1_chk ) |
|---|
| If the system is a development or test system, this requirement is NA. From the admin console, select Servers >> Server Types >> WebSphere application servers. For each application server, select Server Infrastructure >> Administration >> Custom properties. If the "com.ibm.websphere.java2secman.norethrow" resource value exists and is set to "true", this is a finding. |
| Fix Text (F-88005r1_fix) |
|---|
| From the admin console, select Servers >> Server Types >> WebSphere application servers. For each application server, select Server Infrastructure >> Administration >> Custom properties. Delete the "com.ibm.websphere.java2secman.norethrow" resource value from production systems. |