The WebSphere Application Server plug-in is not specified in accordance with the proper security requirements.
An XCCDF Rule
Description
<VulnDiscussion>Requests processed by the WebSphere Application Server (WAS) are dependent on directives configured in the HTTP server httpd.conf file. These directives specify critical files containing the WAS plug-in and WAS configuration. These files provide the operational and security characteristics of WAS. Failure to properly configure WAS-related directives could lead to undesirable operations and degraded security. This exposure may compromise the availability and integrity of applications and customer data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>
- ID
- SV-3901r3_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
The IAO will ensure that the WebSphere Application Server directives in the httpd.conf file are configured as outlined below.
Ensure that all WAS-related directives are configured using the ServerInit, Service, and ServerTerm statements as outlined below.
The following path entries were added to the /etc/httpd.conf file for WebSphere 3.5:
ServerInit /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:init_exit /usr/lpp/WebSphere/etc/WebSphere/AppServer/properties/was.conf