UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The JBoss server, when hosting mission critical applications, must be in a high-availability (HA) cluster.


Overview

Finding ID Version Rule ID IA Controls Severity
V-213546 JBOS-AS-000640 SV-213546r955685_rule Medium
Description
A MAC I system is a system that handles data vital to the organization's operational readiness or effectiveness of deployed or contingency forces. A MAC I system must maintain the highest level of integrity and availability. By HA clustering the application server, the hosted application and data are given a platform that is load-balanced and provides high availability.
STIG Date
JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide 2024-02-26

Details

Check Text ( C-14769r296304_chk )
Interview the system admin and determine if the applications hosted on the application server are mission critical and require load balancing (LB) or high availability (HA).

If the applications do not require LB or HA, this requirement is NA.

If the documentation shows the LB or HA services are being provided by another system other than the application server, this requirement is NA.

If applications require LB or HA, request documentation from the system admin that identifies what type of LB or HA configuration has been implemented on the application server.

Ask the system admin to identify the components that require protection. Some options are included here as an example. Bear in mind the examples provided are not complete and absolute and are only provided as examples. The components being made redundant or HA by the application server will vary based upon application availability requirements.

Examples are:
Instances of the Application Server
Web Applications
Stateful, stateless and entity Enterprise Java Beans (EJBs)
Single Sign On (SSO) mechanisms
Distributed Cache
HTTP sessions
JMS and Message Services.

If the hosted application requirements specify LB or HA and the JBoss server has not been configured to offer HA or LB, this is a finding.
Fix Text (F-14767r296305_fix)
Configure the application server to provide LB or HA services for the hosted application.