Skip to main content
CUI

STIG Rule - V-217099

Back to STIG Browser

V-217099

SV-217099r961863_rule

CAT II

The JBoss server must be configured to bind the management interfaces to only management networks.

From: JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide (V2R6)

Description

<VulnDiscussion>JBoss provides multiple interfaces for accessing the system. By default, these are called "public" and "management". Allowing non-management traffic to access the JBoss management interface increases the chances of a security compromise. The JBoss server must be configured to bind the management interface to a network that controls access. This is usually a network that has been designated as a management network and has restricted access. Similarly, the public interface must be bound to a network that is not on the same segment as the management interface.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

Check Procedure

Obtain documentation and network drawings from system admin that shows the network interfaces on the JBoss server and the networks they are configured for. If a management network is not used, you may substitute localhost/127.0.0.1 for management address. If localhost/127.0.0.1 is used for management interface, this is not a finding. From the JBoss server open the web-based admin console by pointing a browser to HTTP://127.0.0.1:9990. Log on to the management console with admin credentials. Select "RUNTIME". Expand STATUS by clicking on +. Expand PLATFORM by clicking on +. In the "Environment" tab, click the > arrow until you see the "jboss.bind.properties" and the "jboss.bind.properties.management" values. If the jboss.bind.properties and the jboss.bind.properties.management do not have different IP network addresses assigned, this is a finding. Review the network documentation. If access to the management IP address is not restricted, this is a finding.

Fix Text

Refer to Section 4.9 of the JBoss EAP 6.3 Installation guide for detailed instructions on how to start JBoss as a service. Use the following command line parameters to assign the management interface to a specific management network. These command line flags must be added both when starting JBoss as a service and when starting from the command line. Substitute your actual network address for the 10.x.x.x addresses provided as an example below. For a standalone configuration: JBOSS_HOME/bin/standalone.sh -bmanagement=10.2.2.1 -b 10.1.1.1 JBOSS_HOME/bin/domain.sh -bmanagement=10.2.2.1 -b 10.1.1.1 If a management network is not available, you may substitute localhost/127.0.0.1 for management address. This will force you to manage the JBoss server from the local host.

CCI Reference

CCI-000366,CCI-000778
Created
2026-04-07 20:08:21
Last Updated
2026-04-07 20:08:21
Back to Browse
CUI