The JBoss server must be configured to bind the management interfaces to only management networks.
An XCCDF Rule
Description
<VulnDiscussion>JBoss provides multiple interfaces for accessing the system. By default, these are named "public" and "management". Allowing non-management traffic to reach the JBoss management interface increases the chances of a security compromise. The JBoss server must be configured to bind the management interface to an address on a network that controls access, normally a network designated as a management network with restricted access. Similarly, the public interface must be bound to a network that is not on the same segment as the management interface.</VulnDiscussion><Documentable>false</Documentable>
- ID: SV-217099r961863_rule
- Severity: Medium
Remediation - Manual Procedure
Refer to Section 4.9 of the JBoss EAP 6.3 Installation guide for detailed instructions on how to start JBoss as a service.
Use the following command line parameters to assign the management interface to a specific management network.
These command line flags must be added both when starting JBoss as a service and when starting from the command line.
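As an added example (not part of the STIG text or of the JBoss EAP distribution), the following POSIX shell script shows the check a reviewer would run against a standalone configuration: it reads the default bind addresses out of the `<interfaces>` section of standalone.xml (a constructed snippet is embedded), then verifies that the management address lies inside the management network and that the public address does not. The management network 10.0.5.0/24, the public address 192.0.2.10, and the function names are assumptions for illustration; `-bmanagement=` and `-b` are the real standalone.sh flags that set `jboss.bind.address.management` and `jboss.bind.address`.

```shell
#!/bin/sh
# Added example, not from the STIG or the JBoss project. Assumes standalone
# mode and a management network of 10.0.5.0/24 (constructed values).

# Constructed <interfaces> block as shipped in a default standalone.xml:
# without -bmanagement the management interface falls back to 127.0.0.1.
SAMPLE_XML='<interfaces>
  <interface name="management">
    <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
  </interface>
  <interface name="public">
    <inet-address value="${jboss.bind.address:127.0.0.1}"/>
  </interface>
</interfaces>'

# Print the effective address for a named interface: the default inside
# ${prop:default} or a literal value="a.b.c.d".
interface_default() {  # name xml_text
  printf '%s\n' "$2" | awk -v n="$1" '
    $0 ~ "<interface name=\"" n "\"" { inside = 1 }
    inside && /inet-address/ {
      if (match($0, /:[0-9.]+}/))     { print substr($0, RSTART + 1, RLENGTH - 2); exit }
      if (match($0, /value="[0-9.]+"/)) { print substr($0, RSTART + 7, RLENGTH - 8); exit }
    }
    /<\/interface>/ { inside = 0 }'
}

# Dotted-quad IPv4 address to a 32-bit integer (subshell keeps IFS local).
ip_to_int() {
  ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# Succeed when address $1 falls inside CIDR $2 (e.g. 10.0.5.0/24).
in_network() {
  net=${2%/*}; bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# The rule's two conditions: management bound inside the management network,
# public bound outside it. Returns 0 on PASS, 1 on FAIL.
check_binding() {  # mgmt_ip public_ip mgmt_cidr
  in_network "$1" "$3" || { echo "FAIL: management interface $1 is outside $3"; return 1; }
  if in_network "$2" "$3"; then
    echo "FAIL: public interface $2 is on the management network $3"; return 1
  fi
  echo "PASS: management=$1 public=$2"
}

MGMT_NET=10.0.5.0/24   # assumed management network
# The shipped defaults fail the rule, which is why the flags are required:
check_binding "$(interface_default management "$SAMPLE_XML")" \
              "$(interface_default public "$SAMPLE_XML")" "$MGMT_NET"
# Addresses the server would use when started with the flags below:
check_binding 10.0.5.10 192.0.2.10 "$MGMT_NET"
# Matching start command (same flags go into the service wrapper):
#   "$JBOSS_HOME"/bin/standalone.sh -bmanagement=10.0.5.10 -b=192.0.2.10
```

Run the check against the live server as well: `ss -ltn` (or `netstat -ltn`) should show the management port (9990 by default) listening only on the management address, never on 0.0.0.0.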