| Vuln ID | | Rule Title | Discussion |
|---|---|---|---|
| V-250326 | | Users in the REST API admin role must be authorized. | Users with console access and OS permissions to the folders where the Liberty Server is installed can make changes to the server. In addition, REST AP... |
| V-250335 | | Multifactor authentication for network access to privileged accounts must be used. | Multifactor authentication creates a layered defense and makes it more difficult for an unauthorized person to access the application server. If one f... |
| V-250336 | | The WebSphere Liberty Server must store only encrypted representations of user passwords. | WebSphere Liberty can either provide a local account store or integrate with enterprise account stores such as LDAP directories. If the application se... |
| V-250337 | | The WebSphere Liberty Server must use TLS-enabled LDAP. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not ... |
| V-250339 | | The WebSphere Liberty Server must use FIPS 140-2 approved encryption modules when authenticating users and processes. | Application servers must use and meet requirements of the DOD Enterprise PKI infrastructure for application authentication. Encryption is only as good... |
| V-250341 | | Application security must be enabled on the WebSphere Liberty Server. | Application security enables security for the applications in the environment. This type of security provides application isolation and requirements f... |
| V-250322 | | Maximum in-memory session count must be set according to application requirements. | Application management includes the ability to control the number of sessions that use an application by all accounts and/or account types. Limiting t... |
| V-250323 | | The WebSphere Liberty Server Quality of Protection (QoP) must be set to use TLSv1.2 or higher. | Quality of Protection in WebSphere Liberty specifies the security level, ciphers, and mutual authentication settings for the Secure Socket Layer (SSL/... |
| V-250324 | | Security cookies must be set to HTTPOnly. | Web applications use cookies to track users across requests. These cookies, while typically not sensitive in themselves, connect to the existing state... |
| V-250325 | | The WebSphere Liberty Server must log remote session and security activity. | Security auditing must be configured in order to log remote session activity. Security auditing will not be performed unless the audit feature (audit-... |
| V-250327 | | The WebSphere Liberty Server must be configured to offload logs to a centralized system. | Log processing failures include, but are not limited to, failures in the application server log capturing mechanisms or log storage capacity being rea... |
| V-250328 | | The WebSphere Liberty Server must protect log information from unauthorized access or changes. | WebSphere Liberty provides the capability to encrypt and sign the log data to prevent unauthorized modification. - The security feature (appSecurity... |
| V-250329 | | The WebSphere Liberty Server must protect log tools from unauthorized access. | Protecting log data also includes identifying and protecting the tools used to view and manipulate log data. Depending on the log format and applicati... |
| V-250330 | | The WebSphere Liberty Server must be configured to encrypt log information. | Protection of log records is of critical importance. Encrypting log records provides a level of protection that does not rely on host-based protection... |
| V-250331 | | The WebSphere Liberty Server must protect software libraries from unauthorized access. | Application servers have the ability to specify that the hosted applications use shared libraries. The application server must have a capability to di... |
| V-250332 | | The WebSphere Liberty Server must prohibit or restrict the use of nonsecure ports, protocols, modules, and/or services as defined in the PPSM CAL and vulnerability assessments. | Some networking protocols may not meet organizational security requirements to protect data and components. Application servers natively host a numbe... |
| V-250333 | | The WebSphere Liberty Server must use an LDAP user registry. | To ensure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. This is typically ac... |
| V-250334 | | Basic Authentication must be disabled. | Basic authentication does not use a centralized user store like LDAP. Not using a centralized user store complicates user management tasks and increas... |
| V-250338 | | The WebSphere Liberty Server must use DoD-issued/signed certificates. | The cornerstone of PKI is the private key used to encrypt or digitally sign information. The key by itself is a cryptographic value that does not cont... |
| V-250340 | | HTTP session timeout must be configured. | An attacker can take advantage of user sessions that are left open, thus bypassing the user authentication process. To thwart the vulnerability of op... |
| V-250342 | | Users in a reader-role must be authorized. | The reader role is a management role that allows read-only access to select administrative REST APIs as well as the Admin Center UI (adminCenter-1.0).... |
| V-250343 | | The WebSphere Liberty Server must allocate JVM log record storage capacity in accordance with organization-defined log record storage requirements. | JVM logs are logs used to store application and runtime related events, rather than audit related events. They are mainly used to diagnose application... |
| V-250344 | | The server.xml file must be protected from unauthorized modification. | When dealing with access restrictions pertaining to change control, it should be noted that any changes to the software, and/or application server con... |
| V-250345 | | The WebSphere Liberty Server must prohibit the use of cached authenticators after an organization-defined time period. | Larger authentication cache timeout values can increase security risks. For example, a user who is revoked can still log in by using a credential that... |
| V-250346 | | The WebSphere Liberty Server LTPA keys password must be changed. | The default location of the automatically generated Lightweight Third Party Authentication (LTPA) keys file is ${server.output.dir}/resources/security... |
| V-250347 | | The WebSphere Liberty Server must remove all export ciphers to protect the confidentiality and integrity of transmitted information. | Export grade encryption suites are not strong and do not meet DoD requirements. The encryption for the session becomes easy for the attacker to break.... |
| V-250348 | | The WebSphere Liberty Server must be configured to use HTTPS only. | Transmission of data can take place between the application server and a large number of devices/applications external to the application server. Exam... |
| V-250349 | | The WebSphere Liberty Server must install security-relevant software updates within the time period directed by an authoritative source. | Security vulnerabilities are often addressed by testing and applying the latest security patches and fix packs. The latest fixpacks can be found at: h... |
| V-250350 | | The WebSphere Liberty Server must generate log records for authentication and authorization events. | Enabling authentication (SECURITY_AUTHN) and authorization (SECURITY_AUTHZ) event handlers configures the server to record security authorization and ... |
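Most of the rules in the table above resolve to settings in the Liberty server.xml, so they can be checked mechanically before a STIG review. The checker below is an added example written for this page; it is not IBM's code and not part of the STIG. Both server.xml samples are constructed (the hardened one uses placeholder hostnames and an obviously fake LTPA password), the 30-minute idle and cache limits stand in for the organization-defined values the STIG leaves to the site, and a unit-less duration is read as seconds, which is an assumption. The defaults it relies on (cookieHttpOnly true, httpPort 9080, keysPassword `{xor}CDo9Hgw=`) are Liberty's shipped defaults; confirm them against the Liberty version in use.

```python
"""Check a WebSphere Liberty server.xml against several STIG rules from the table.
Added example, not IBM or STIG code; the XML samples are constructed."""
import re
import xml.etree.ElementTree as ET

MAX_IDLE_SECONDS = 30 * 60          # assumption: stand-in for the organization-defined limit
DEFAULT_LTPA_PASSWORD = "{xor}CDo9Hgw="  # Liberty's shipped default keysPassword ("WebAS")
_UNIT = {"ms": 0.001, "s": 1, "m": 60, "h": 3600}

WEAK_SERVER_XML = """<server>
  <featureManager><feature>servlet-4.0</feature></featureManager>
  <basicRegistry id="basic"><user name="admin" password="changeit"/></basicRegistry>
  <httpEndpoint id="defaultHttpEndpoint" httpPort="9080" httpsPort="9443"/>
  <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="TLSv1"
       enabledCiphers="SSL_RSA_EXPORT_WITH_RC4_40_MD5 TLS_RSA_WITH_AES_128_CBC_SHA"/>
  <httpSession cookieHttpOnly="false"/>
</server>"""

HARDENED_SERVER_XML = """<server>
  <featureManager>
    <feature>servlet-4.0</feature><feature>appSecurity-3.0</feature>
    <feature>ldapRegistry-3.0</feature><feature>transportSecurity-1.0</feature>
    <feature>audit-1.0</feature>
  </featureManager>
  <ldapRegistry id="ldap" ldapType="IBM Tivoli Directory Server" host="ldap.example.test"
       port="636" sslEnabled="true" sslRef="ldapSSL" baseDN="o=example"/>
  <httpEndpoint id="defaultHttpEndpoint" httpPort="-1" httpsPort="9443"/>
  <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="TLSv1.2,TLSv1.3"
       enabledCiphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>
  <httpSession cookieHttpOnly="true" invalidationTimeout="15m"
       maxInMemorySessionCount="1000" allowOverflow="false"/>
  <authCache timeout="5m"/>
  <ltpa keysPassword="{aes}REPLACED-NOT-A-REAL-VALUE" expiration="60m"/>
  <auditFileHandler>
    <events name="authn" eventName="SECURITY_AUTHN"/>
    <events name="authz" eventName="SECURITY_AUTHZ"/>
  </auditFileHandler>
</server>"""


def duration_seconds(value):
    """Parse Liberty duration syntax ("1h30m", "15m", "900s"). A bare number is
    taken as seconds (assumption). Returns None for empty or unparseable input."""
    if value.isdigit():
        return int(value)
    parts = re.findall(r"(\d+)(ms|h|m|s)", value)
    return sum(int(n) * _UNIT[u] for n, u in parts) if parts else None


def check_server_xml(xml_text):
    """Return the sorted list of STIG Vuln IDs that the configuration fails."""
    root = ET.fromstring(xml_text)
    findings = set()
    features = {f.text.strip() for f in root.iter("feature") if f.text}
    if not any(f.startswith("appSecurity-") for f in features):
        findings.add("V-250341")                      # application security not enabled
    if "audit-1.0" not in features:
        findings.add("V-250325")                      # no security auditing at all
    elif not {"SECURITY_AUTHN", "SECURITY_AUTHZ"} <= {e.get("eventName") for e in root.iter("events")}:
        findings.add("V-250350")                      # authn/authz events not recorded
    if root.find("basicRegistry") is not None:
        findings.add("V-250334")                      # basic registry instead of LDAP
    ldap = root.find("ldapRegistry")
    if ldap is None:
        findings.add("V-250333")
    elif ldap.get("sslEnabled", "false").lower() != "true":
        findings.add("V-250337")                      # LDAP without TLS
    for ssl in root.iter("ssl"):
        protocols = [p.strip() for p in ssl.get("sslProtocol", "").split(",") if p.strip()]
        if not protocols or not all(re.fullmatch(r"TLSv1\.[23]", p) for p in protocols):
            findings.add("V-250323")                  # protocol unset or below TLSv1.2
        if any("EXPORT" in c for c in ssl.get("enabledCiphers", "").split()):
            findings.add("V-250347")                  # export-grade cipher suite enabled
    for ep in root.iter("httpEndpoint"):
        if ep.get("httpPort", "9080") != "-1":        # -1 disables plain HTTP; 9080 is the default
            findings.add("V-250348")
    session = root.find("httpSession")
    attrs = session.attrib if session is not None else {}
    if attrs.get("cookieHttpOnly", "true").lower() != "true":
        findings.add("V-250324")
    idle = duration_seconds(attrs.get("invalidationTimeout", ""))
    if idle is None or idle > MAX_IDLE_SECONDS:
        findings.add("V-250340")                      # session timeout not configured/too long
    if "maxInMemorySessionCount" not in attrs:
        findings.add("V-250322")
    cache = root.find("authCache")
    ttl = duration_seconds(cache.get("timeout", "")) if cache is not None else None
    if ttl is None or ttl > MAX_IDLE_SECONDS:
        findings.add("V-250345")                      # cached authenticators live too long
    ltpa = root.find("ltpa")
    if ltpa is None or ltpa.get("keysPassword", DEFAULT_LTPA_PASSWORD) == DEFAULT_LTPA_PASSWORD:
        findings.add("V-250346")                      # LTPA keys still protected by the default password
    return sorted(findings)


if __name__ == "__main__":
    print("weak:", check_server_xml(WEAK_SERVER_XML))
    print("hardened:", check_server_xml(HARDENED_SERVER_XML))
```

The checks are deliberately conservative: an `<ssl>` element with no `sslProtocol` is reported, because Liberty then falls back to whatever the JVM allows rather than to a version the STIG accepts, and a missing `<authCache>` or `invalidationTimeout` is reported even though Liberty has defaults, since the rules ask for an explicitly configured, organization-defined value. Rules that need human judgement (who belongs in `administrator-role` or `reader-role`, whether certificates are DoD-signed, file permissions on server.xml) are outside what a parser of server.xml can decide.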