Skip to content

The WebSphere Application Server plug-in is not specified in accordance with the proper security requirements.

An XCCDF Rule

Description

<VulnDiscussion>Requests processed by the WebSphere Application Server (WAS) are dependent on directives configured in the HTTP server httpd.conf file. These directives specify critical files containing the WAS plug-in and WAS configuration. These files provide the operational and security characteristics of WAS. Failure to properly configure WAS-related directives could lead to undesirable operations and degraded security. This exposure may compromise the availability and integrity of applications and customer data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>

ID
SV-3901r3_rule
Severity
Medium
References
Updated



Remediation - Manual Procedure

The IAO will ensure that the WebSphere Application Server directives in the httpd.conf file are configured as outlined below.

Ensure that all WAS-related directives are configured using the ServerInit, Service, and ServerTerm statements as outlined below.

The following path entries were added to the /etc/httpd.conf file for WebSphere 3.5:
 ServerInit /usr/lpp/WebSphere/AppServer/bin/was350plugin.so:init_exit /usr/lpp/WebSphere/etc/WebSphere/AppServer/properties/was.conf