IBM WebSphere Traditional V9.x Security Technical Implementation Guide

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]

Details

Version / Release: V1R1

Published: 2018-08-24

Updated At: 2018-10-11 21:50:13

| Vuln | Rule Version | CCI | Severity | Title | Description |
|---|---|---|---|---|---|
| SV-95907r1_rule | WBSP-AS-000010 | CCI-000054 | MEDIUM | The WebSphere Application Server maximum in-memory session count must be set according to application requirements. | Application management includes the ability to control the number of sessions that utilize an application by all accounts and/or account types. Limiting the number of allowed sessions is helpful in limiting risks related to Denial of Service attacks. App |
| SV-95909r1_rule | WBSP-AS-000020 | CCI-002361 | MEDIUM | The WebSphere Application Server admin console session timeout must be configured. | An attacker can take advantage of user sessions that are left open, thus bypassing the user authentication process. To thwart the vulnerability of open and unused user sessions, the application server must be configured to close the sessions when a confi |
| SV-95911r1_rule | WBSP-AS-000120 | CCI-000067 | MEDIUM | The WebSphere Application Server automatic repository checkpoints must be enabled to track configuration changes. | Without enabling repository checkpoints, you will not be able to determine the history of changes to WebSphere configuration files, and who made those changes. |
| SV-95913r1_rule | WBSP-AS-000130 | CCI-002314 | HIGH | The WebSphere Application Server administrative security must be enabled. | In previous releases of WebSphere® Application Server, when a user enabled global security, both administrative and application security were enabled. The previous notion of global security is split into administrative security and application security, |
| SV-95915r1_rule | WBSP-AS-000140 | CCI-002315 | HIGH | The WebSphere Application Server bus security must be enabled. | A service integration bus is a group of one or more application servers or server clusters in a WebSphere® Application Server cell that cooperate to provide asynchronous messaging services. The application servers or server clusters in a bus are known as |
| SV-95917r1_rule | WBSP-AS-000070 | CCI-000067 | MEDIUM | The WebSphere Application Server security auditing must be enabled. | Security auditing will not be performed unless the audit security subsystem has been enabled. Global security must be enabled for the security audit subsystem to function, as no security auditing occurs if global security is not also enabled. Enable globa |
| SV-95919r1_rule | WBSP-AS-000080 | CCI-000067 | MEDIUM | The WebSphere Application Server groups in the user registry mapped to WebSphere auditor roles must be configured in accordance with the security plan. | Logging must be utilized in order to track system activity, assist in diagnosing system issues, and provide evidence needed for forensic investigations post security incident. Remote access by administrators requires that the admin activity be logged. A |
| SV-95921r1_rule | WBSP-AS-000090 | CCI-000067 | MEDIUM | The WebSphere Application Server users in the WebSphere auditor role must be configured in accordance with the System Security Plan. | Logging must be utilized in order to track system activity, assist in diagnosing system issues, and provide evidence needed for forensic investigations post security incident. Remote access by administrators requires that the admin activity be logged. A |
| SV-95923r1_rule | WBSP-AS-000100 | CCI-000067 | MEDIUM | The WebSphere Application Server audit event type filters must be configured. | Logging must be utilized in order to track system activity, assist in diagnosing system issues, and provide evidence needed for forensic investigations post security incident. Remote access by administrators requires that the admin activity be logged. A |
| SV-95925r1_rule | WBSP-AS-000110 | CCI-000067 | MEDIUM | The WebSphere Application Server audit service provider must be enabled. | Logging must be utilized in order to track system activity, assist in diagnosing system issues, and provide evidence needed for forensic investigations post security incident. Remote access by administrators requires that the admin activity be logged. A |
| SV-95927r1_rule | WBSP-AS-000150 | CCI-000213 | MEDIUM | The WebSphere Application Server users in a local user registry group must be authorized for that group. | Application servers provide remote access capability and must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy requirements. Automated monitoring and control of remote access sess |
| SV-95929r1_rule | WBSP-AS-000160 | CCI-000068 | MEDIUM | The WebSphere Application Server Quality of Protection (QoP) must be set to use TLSv1.2 or higher. | Quality of Protection specifies the security level, ciphers, and mutual authentication settings for the Secure Socket Layer (SSL/TLS) configuration. |
| SV-95931r1_rule | WBSP-AS-000170 | CCI-000068 | HIGH | The WebSphere Application Server global application security must be enabled. | Application security enables security for the applications in your environment. This setting provides application isolation and meets security requirements such as using SSL for authenticating application users. In previous releases of WebSphere® Applic |
| SV-95933r1_rule | WBSP-AS-000180 | CCI-000068 | HIGH | The WebSphere Application Server Single Sign On (SSO) must have SSL enabled for Web and SIP Security. | Remote management access is accomplished by leveraging common communication protocols and establishing a remote connection to the application server via a network for the purposes of managing the application server. If cryptography is not used, then the s |
| SV-95935r1_rule | WBSP-AS-000190 | CCI-001453 | MEDIUM | The WebSphere Application Server security cookies must be set to HTTPOnly. | Web applications use cookies to track users across requests. These cookies, while typically not sensitive in themselves, connect you to your existing state on the back end system. If an intruder were to capture one of your cookies, they could potentially |
| SV-95937r1_rule | WBSP-AS-000211 | CCI-000213 | HIGH | The WebSphere Application Server Java 2 security must be enabled. | Java 2 security provides a policy-based, fine-grained access control mechanism that increases overall system integrity by checking for permissions before allowing access to certain protected system resources. Java 2 Security is independent of J2EE role-bas |
| SV-95939r1_rule | WBSP-AS-000212 | CCI-000213 | HIGH | The WebSphere Application Server Java 2 security must not be bypassed. | WebSphere provides a passive filter mechanism that will allow administrators to set Java 2 security in the admin console as enabled while still allowing applications to access host resources. This setting bypasses the enforcement of Java 2 security. Applic |
| SV-95941r1_rule | WBSP-AS-000220 | CCI-000213 | MEDIUM | The WebSphere Application Server users in the admin role must be authorized. | Strong access controls are critical to securing the application server. Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control ma |
| SV-95943r1_rule | WBSP-AS-000230 | CCI-000213 | MEDIUM | The WebSphere Application Server LDAP groups must be authorized for the WebSphere role. | Strong access controls are critical to securing the application server. Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control ma |
| SV-95945r1_rule | WBSP-AS-000240 | CCI-002235 | MEDIUM | The WebSphere Application Server users in an LDAP user registry group must be authorized for that group. | Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Restricting non-privileged users also prevents an attacker, who ha |
| SV-95947r1_rule | WBSP-AS-000310 | CCI-000048 | MEDIUM | The WebSphere Application Server management interface must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. | Application servers are required to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system management interface, providing privacy and security notices consistent with applicable federal laws, Executive Orders, d |
| SV-95949r1_rule | WBSP-AS-000320 | CCI-000050 | MEDIUM | The WebSphere Application Server management interface must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. | To establish acceptance of system usage policy, a click-through banner at the application server management interface logon is required. The banner shall prevent further activity on the application server unless and until the user executes a positive acti |
| SV-95951r1_rule | WBSP-AS-000380 | CCI-000172 | LOW | The WebSphere Application Server must generate log records when successful/unsuccessful attempts to access subject privileges occur. | Accessing a subject's privileges can be used to elevate a lower-privileged subject's privileges temporarily in order to cause harm to the application server or to gain privileges to operate temporarily for a designed purpose. When these actions take place |
| SV-95953r1_rule | WBSP-AS-000580 | CCI-001849 | MEDIUM | The WebSphere Application Server must allocate JVM log record storage capacity in accordance with organization-defined log record storage requirements. | JVM logs are logs used to store application and runtime related events, rather than audit related events. They are mainly used to diagnose application or runtime bugs. But sometimes they may be useful in providing more context when correlated with audit r |
| SV-95955r1_rule | WBSP-AS-000590 | CCI-001849 | MEDIUM | The WebSphere Application Server must allocate audit log record storage capacity in accordance with organization-defined log record storage requirements. | The proper management of log records not only dictates proper archiving processes and procedures be established, it also requires allocating enough storage space to maintain the logs online for a defined period of time. If adequate online log storage cap |
| SV-95957r1_rule | WBSP-AS-000630 | CCI-001858 | MEDIUM | The WebSphere Application Server must provide an immediate real-time alert to authorized users of all log failure events requiring real-time alerts. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process logs as required. Log processing failures include software/hardware errors, failures in the log capturing mechanisms, and log storage capacity being reac |
| SV-95959r1_rule | WBSP-AS-000640 | CCI-000139 | LOW | The WebSphere Application Server must alert the SA and ISSO, at a minimum, in the event of a log processing failure. | Logs are essential to monitor the health of the system, investigate changes that occurred to the system, or investigate a security incident. When log processing fails, the events during the failure can be lost. To minimize the timeframe of the log failure |
| SV-95961r1_rule | WBSP-AS-000650 | CCI-000139 | MEDIUM | The WebSphere Application Server audit subsystem failure action must be set to Log warning. | Logs are essential to monitor the health of the system, investigate changes that occurred to the system, or investigate a security incident. When log processing fails, the events during the failure can be lost. To minimize the timeframe of the log failure |
| SV-95963r1_rule | WBSP-AS-000660 | CCI-000140 | LOW | The WebSphere Application Server must shut down by default upon log failure (unless availability is an overriding concern). | It is critical that, when a system is at risk of failing to process logs, it detects and takes action to mitigate the failure. Log processing failures include software/hardware errors, failures in the log capturing mechanisms, and log storage capacity bei |
| SV-95965r1_rule | WBSP-AS-000670 | CCI-000140 | LOW | The WebSphere Application Server high availability applications must be configured to fail over to another system in the event of log subsystem failure. | This requirement is dependent upon system MAC and availability. If the system MAC and availability do not specify redundancy requirements, this requirement is NA. It is critical that, when a system is at risk of failing to process logs as required, it de |
| SV-95967r1_rule | WBSP-AS-000740 | CCI-000162 | LOW | The WebSphere Application Server must be configured to protect log information from any type of unauthorized read access. | WebSphere uses role-based access controls to restrict access to log data. To take advantage of this capability, WebSphere administrators must identify specific users and place them into their respective roles. The auditor role is used for controlling acce |
| SV-95969r1_rule | WBSP-AS-000750 | CCI-000163 | MEDIUM | The WebSphere Application Server must protect log information from unauthorized modification. | WebSphere uses role-based access controls to restrict access to log data. To take advantage of this capability, WebSphere administrators must identify specific users and place them into their respective roles. The auditor role is used for controlling acce |
| SV-95971r1_rule | WBSP-AS-000760 | CCI-000164 | MEDIUM | The WebSphere Application Server must protect log information from unauthorized deletion. | WebSphere uses role-based access controls to restrict access to log data. To take advantage of this capability, WebSphere administrators must identify specific users and place them into their respective roles. The auditor role is used for controlling acce |
| SV-95973r1_rule | WBSP-AS-000770 | CCI-001493 | MEDIUM | The WebSphere Application Server wsadmin file must be protected from unauthorized access. | Protecting log data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application |
| SV-95975r1_rule | WBSP-AS-000780 | CCI-001494 | MEDIUM | The WebSphere Application Server wsadmin file must be protected from unauthorized modification. | Protecting log data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application |
| SV-95977r1_rule | WBSP-AS-000790 | CCI-001495 | MEDIUM | The WebSphere Application Server wsadmin file must be protected from unauthorized deletion. | Protecting log data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application |
| SV-95979r1_rule | WBSP-AS-000810 | CCI-001350 | MEDIUM | The WebSphere Application Server must be configured to encrypt log information. | Protection of log records is of critical importance. Encrypting log records provides a level of protection that does not rely on host-based protections that can be accidentally misconfigured, such as file system permissions. Cryptographic mechanisms are t |
| SV-95981r1_rule | WBSP-AS-000820 | CCI-001350 | MEDIUM | The WebSphere Application Server must be configured to sign log information. | Protection of log records is of critical importance. Encrypting log records provides a level of protection that does not rely on host-based protections that can be accidentally misconfigured, such as file system permissions. Cryptographic mechanisms are t |
| SV-95983r1_rule | WBSP-AS-000910 | CCI-000381 | MEDIUM | The WebSphere Application Server process must not be started from the command line with the -password option. | The use of the -password option to launch a WebSphere process from the command line can result in a security exposure. Password information may become visible to any user with the ability to view system processes. For example, on a Linux system the "ps" c |
| SV-95985r1_rule | WBSP-AS-000920 | CCI-000381 | MEDIUM | The WebSphere Application Server files must be owned by the non-root WebSphere user ID. | Having files owned by the root or administrator user is an indication that the WebSphere processes are being run with escalated privileges. Running as root/admin user gives attackers elevated privileges that can be used to compromise the system more easil |
| SV-95987r1_rule | WBSP-AS-000930 | CCI-000381 | LOW | The WebSphere Application Server sample applications must be removed. | WebSphere samples are not intended for use in a production environment. Do not run them there, as they create significant security risks. In particular, the snoop servlet can provide an outsider with tremendous amounts of information about your system. Th |
| SV-95989r1_rule | WBSP-AS-000940 | CCI-000381 | LOW | The WebSphere Application Server must remove JREs left by web server and plug-in installers for web servers and plug-ins running in the DMZ. | When you install IBM HTTP Server, the installer leaves behind a JRE. Remove this JRE, as it provides functions that are not needed by the Web server or plug-in under normal conditions. Keep in mind that this will make it impossible to run some tools such |
| SV-95991r1_rule | WBSP-AS-000960 | CCI-000381 | MEDIUM | The WebSphere Application Server must be run as a non-admin user. | Running WebSphere as an admin user gives attackers immediate admin privileges in the event the WebSphere processes are compromised. Best practice is to operate the WebSphere server with an account that has limited OS privileges. To configure system sta |
| SV-95993r1_rule | WBSP-AS-000970 | CCI-000381 | MEDIUM | The WebSphere Application Server must disable JSP class reloading. | Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too insecure to run on a production DoD system. Application servers must provide the capability to disab |
| SV-96007r1_rule | WBSP-AS-000980 | CCI-000382 | MEDIUM | The WebSphere Application Server must prohibit or restrict the use of nonsecure ports, protocols, modules, and/or services as defined in the PPSM CAL and vulnerability assessments. | Some networking protocols may not meet organizational security requirements to protect data and components. Application servers natively host a number of various features, such as management interfaces, httpd servers, and message queues. These features a |
| SV-96013r1_rule | WBSP-AS-001010 | CCI-000764 | MEDIUM | The WebSphere Application Server LDAP user registry must be used. | To assure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. This is typically accomplished via the use of a user store which is either local (OS-based) or centralized (LDAP) in nature. |
| SV-96019r1_rule | WBSP-AS-001020 | CCI-000764 | MEDIUM | The WebSphere Application Server local file-based user registry must not be used. | WebSphere does not provide direct audit of changes to the built-in file registry. The built-in file registry must not be used to support user logon accounts. Use an LDAP/AD server and manage user accounts centrally. |
| SV-96025r1_rule | WBSP-AS-001030 | CCI-000187 | MEDIUM | The WebSphere Application Server multifactor authentication for network access to privileged accounts must be used. | Multifactor authentication creates a layered defense and makes it more difficult for an unauthorized person to access the application server. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before success |
| SV-96039r1_rule | WBSP-AS-001080 | CCI-001941 | MEDIUM | The WebSphere Application Server must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data. | Application servers may provide a web services capability that could be leveraged to allow remote access to sensitive application data. A web service, which is a repeatable process used to make data available to remote clients, should not be confused with |
| SV-96043r1_rule | WBSP-AS-001090 | CCI-001941 | MEDIUM | The WebSphere Application Server must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data. | Application servers may provide a web services capability that could be leveraged to allow remote access to sensitive application data. A web service, which is a repeatable process used to make data available to remote clients, should not be confused with |
| SV-96047r1_rule | WBSP-AS-001110 | CCI-000187 | MEDIUM | The WebSphere Application Server must authenticate all network-connected endpoint devices before establishing any connection. | Device authentication requires unique identification and authentication that may be defined by type, by specific device, or by a combination of type and device. Device authentication is accomplished via the use of certificates and protocols such as SSL m |
| SV-96055r1_rule | WBSP-AS-001120 | CCI-001967 | MEDIUM | The WebSphere Application Server must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. | Device authentication requires unique identification and authentication that may be defined by type, by specific device, or by a combination of type and device. Bidirectional authentication provides stronger safeguards to validate the identity of other d |
| SV-96057r1_rule | WBSP-AS-001180 | CCI-000197 | HIGH | The WebSphere Application Server application security must be enabled for each security domain except for publicly available applications specified in the System Security Plan. | By default, all administrative and user applications in WebSphere® Application Server use the global security configuration. For example, a user registry defined in global security is used to authenticate users for every application in the cell. WebSpher |
| SV-96061r1_rule | WBSP-AS-001200 | CCI-000197 | HIGH | The WebSphere Application Server secure LDAP (LDAPS) must be used for authentication. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. Application servers have the capability to utilize LDAP directories for authentication. If LDAP connections are not protecte |
| SV-96065r1_rule | WBSP-AS-001210 | CCI-002007 | MEDIUM | The WebSphere Application Server must prohibit the use of cached authenticators after an organization-defined time period. | When the application server is using PKI authentication, a local revocation cache must be stored for instances when the revocation cannot be authenticated through the network, but if cached authentication information is out of date, the validity of the au |
| SV-96071r1_rule | WBSP-AS-001230 | CCI-000186 | HIGH | The WebSphere Application Server default keystore passwords must be changed. | The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the pri |
| SV-96075r1_rule | WBSP-AS-001260 | CCI-000187 | MEDIUM | The WebSphere Application Server must use signer for DoD-issued certificates. | The cornerstone of PKI is the private key used to encrypt or digitally sign information. The key by itself is a cryptographic value that does not contain specific user information, but the key can be mapped to a user. Without mapping the certificate used |
| SV-96079r1_rule | WBSP-AS-001290 | CCI-000803 | MEDIUM | The WebSphere Application Server must utilize FIPS 140-2-approved encryption modules when authenticating users and processes. | Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. The use |
| SV-96081r1_rule | WBSP-AS-001300 | CCI-002009 | MEDIUM | The WebSphere Application Server must accept Personal Identity Verification (PIV) credentials from other federal agencies to access the management interface. | Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requireme |
| SV-96083r1_rule | WBSP-AS-001370 | CCI-002450 | MEDIUM | The WebSphere Application Server must use DoD-approved Signer Certificates. | Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to-business transactions. Utilizing unapproved certificates not issued or approved by DoD or CNS creates |
| SV-96085r1_rule | WBSP-AS-001390 | CCI-001082 | MEDIUM | The WebSphere Application Servers must not be in the DMZ. | The application server consists of the management interface and hosted applications. By separating the management interface from hosted applications, the user must authenticate as a privileged user to the management interface before being presented with m |
| SV-96087r1_rule | WBSP-AS-001410 | CCI-001184 | MEDIUM | The WebSphere Application Server DoD root CAs must be in the trust store. | This control focuses on communications protection at the session, versus packet level. At the application layer, session IDs are tokens generated by web applications to uniquely identify an application user's session. Web applications utilize session tok |
| SV-96089r1_rule | WBSP-AS-001460 | CCI-002470 | MEDIUM | The WebSphere Application Server personal certificates in all keystores must be issued by an approved DoD CA. | Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate |
| SV-96091r1_rule | WBSP-AS-001470 | CCI-001190 | LOW | The WebSphere Application Server must be configured to perform complete application deployments when using A/B clusters. | Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. When an application is deployed to the application server, if the deploy |
| SV-96093r1_rule | WBSP-AS-001480 | CCI-001190 | LOW | The WebSphere Application servers with an RMF categorization of high must be in a high-availability (HA) cluster. | This requirement is dependent upon system MAC and confidentiality. If the system MAC and confidentiality levels do not specify redundancy requirements, this requirement is NA. Failure to a known secure state helps prevent a loss of confidentiality, integ |
| SV-96095r1_rule | WBSP-AS-001520 | CCI-002475 | LOW | The WebSphere Application Server must not generate LTPA keys automatically. | Automated LTPA key generation can create unplanned outages. Plan to change your LTPA keys during a scheduled outage. Distribute the new keys to all nodes in the cell and to all external systems/cells during this outage window. |
| SV-96097r1_rule | WBSP-AS-001530 | CCI-002475 | LOW | The WebSphere Application Server must periodically regenerate LTPA keys. | The encryption of authentication information that is exchanged between servers involves the Lightweight Third-Party Authentication (LTPA) mechanism. LTPA utilizes encryption keys; if LTPA is utilized, the LTPA keys must be regenerated on a regular basis. |
| SV-96099r1_rule | WBSP-AS-001570 | CCI-002385 | MEDIUM | The WebSphere Application Server high availability applications must be installed on a cluster. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server mu |
| SV-96101r1_rule | WBSP-AS-001580 | CCI-002385 | LOW | The WebSphere Application Server memory session settings must be defined according to application load requirements. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the application server mu |
| SV-96103r1_rule | WBSP-AS-001590 | CCI-002385 | MEDIUM | The WebSphere Application Server thread pool size must be defined according to application load requirements. | A thread pool enables components of the application server to reuse threads, which eliminates the need to create new threads at run time. Creating new threads expends system resources and can possibly lead to a DoS. Perform loading for your application to |
| SV-96105r1_rule | WBSP-AS-001610 | CCI-002418 | MEDIUM | The WebSphere Application Server must remove all export ciphers to protect the confidentiality and integrity of transmitted information. | Export grade encryption suites are not strong and do not meet DoD requirements. The encryption for the session becomes easy for the attacker to break. Do not use export grade encryption. Information on disabling export ciphers can be found in Knowledge Ce |
| SV-96107r1_rule | WBSP-AS-001620 | CCI-002420 | MEDIUM | The WebSphere Application Server distribution and consistency services (DCS) transport links must be encrypted. | A Core Group (HA Domain) is a component of the high availability manager function. It can contain stand-alone servers, cluster members, node agents, administrative agents, and the deployment manager. Core groups rely on DCS, which uses a reliable multic |
| SV-96109r1_rule | WBSP-AS-001630 | CCI-002421 | MEDIUM | The WebSphere Application Server plug-in must be configured to use HTTPS only. | The Web server plug-in transmits information from the Web server to the Web container over HTTP by default. Extra steps must be taken to protect the traffic from the Web server to the Web container. To force the use of HTTPS for all traffic from the plug- |
| SV-96111r1_rule | WBSP-AS-001740 | CCI-002617 | MEDIUM | The WebSphere Application Server must remove organization-defined software components after updated versions have been installed. | By default, when updating WebSphere Application Server, the older version of the binaries is saved in case a "roll back" is necessary. Not keeping the older version makes it more difficult for attackers to "revert" back to the older version. |
| SV-96113r1_rule | WBSP-AS-001750 | CCI-002605 | MEDIUM | The WebSphere Application Server must apply the latest security fixes. | Security vulnerabilities are often addressed by testing and applying the latest security patches and fix packs. The latest fix packs can be found at: http://www-01.ibm.com/support/docview.wss?uid=swg27009661 |
| SV-96115r1_rule | WBSP-AS-001760 | CCI-002605 | MEDIUM | The WebSphere Application Server must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVMs, CTOs, DTMs, and STIGs). | Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to |