Skip to content

Vendor-supplied user accounts for the WebSphere Application Server must be defined to the ACP.

An XCCDF Rule

Description

<VulnDiscussion>Vendor-supplied user accounts are defined to the ACP with factory-set passwords during the installation of the WebSphere Application Server (WAS). These user accounts are common to all WAS environments and have access to restricted resources and functions. Failure to delete vendor-supplied user accounts from the ACP may lead to unauthorized access. This exposure could compromise the integrity and availability of system services, applications, and customer data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance>IAO will ensure that CBADMIN user password is changed from default.</SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>

ID
SV-3900r4_rule
Severity
High
References
Updated



Remediation - Manual Procedure

The IAO will ensure that the CBADMIN user account is removed or not  defined to the ACP.