The JBoss server must be configured to bind the management interfaces to only management networks.

An XCCDF Rule

Description

JBoss provides multiple interfaces for accessing the system. By default, these are called "public" and "management". Allowing non-management traffic to access the JBoss management interface increases the chances of a security compromise. The JBoss server must be configured to bind the management interface to a network that controls access. This is usually a network that has been designated as a management network and has restricted access. Similarly, the public interface must be bound to a network that is not on the same segment as the management interface.

ID: SV-217099r961863_rule
Version: JBOS-AS-000285
Severity: Medium
References: CCI-000366 CCI-000778
Updated: 5 days ago

Remediation Templates

Refer to Section 4.9 of the JBoss EAP 6.3 Installation guide for detailed instructions on how to start JBoss as a service.

Use the following command line parameters to assign the management interface to a specific management network.

These command line flags must be added both when starting JBoss as a service and when starting from the command line.
Substitute your actual network address for the 10.x.x.x addresses provided as an example below.

For a standalone configuration:
JBOSS_HOME/bin/standalone.sh -bmanagement=10.2.2.1 -b 10.1.1.1

JBOSS_HOME/bin/domain.sh -bmanagement=10.2.2.1 -b 10.1.1.1

If a management network is not available, you may substitute localhost/127.0.0.1 for management address.  This will force you to manage the JBoss server from the local host.

The JBoss server must be configured to bind the management interfaces to only management networks.

Description

Remediation Templates

A Manual Procedure