Java permissions must be set for hosted applications.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
high	V-213496	SRG-APP-000033-AS-000024	JBOS-AS-000025	SV-213496r1069472_rule	2025-02-20	2

Description
The Java Security Manager is a java class that manages the external boundary of the Java Virtual Machine (JVM) sandbox, controlling how code executing within the JVM can interact with resources outside the JVM. The JVM requires a security policy in order to restrict application access. A properly configured security policy will define what rights the application has to the underlying system. For example, rights to make changes to files on the host system or to initiate network sockets in order to connect to another system.

Description

The Java Security Manager is a java class that manages the external boundary of the Java Virtual Machine (JVM) sandbox, controlling how code executing within the JVM can interact with resources outside the JVM. The JVM requires a security policy in order to restrict application access. A properly configured security policy will define what rights the application has to the underlying system. For example, rights to make changes to files on the host system or to initiate network sockets in order to connect to another system.

ℹ️ Check
Enabling the Security Manager in JDK 24 is an error and if using JDK 24, this is not a finding. Note: Security Manager was deprecated in Java 17 and will be permanently removed in JDK 24. For additional information: <https://openjdk.org/jeps/486> Obtain documentation from the admin that identifies the applications hosted on the JBoss server as well as the corresponding rights the application requires. For example, if the application requires network socket permissions and file write permissions, document those requirements. 1. Identify the JBoss installation as either domain or standalone and review the relevant configuration file. For domain installs: JBOSS_HOME/bin/domain.conf For standalone installs: JBOSS_HOME/bin/standalone.conf 2. Identify the location and name of the security policy by reading the JAVA_OPTS flag -Djava.security.policy=<file name> where <file name> will indicate name and location of security policy. If the application uses a policy URL, obtain the URL and policy file from system admin. 3. Review security policy and ensure hosted applications have the appropriate restrictions placed on them per documented application functionality requirements. If the security policy does not restrict application access to host resources per documented requirements, this is a finding.

ℹ️ Check

Enabling the Security Manager in JDK 24 is an error and if using JDK 24, this is not a finding. Note: Security Manager was deprecated in Java 17 and will be permanently removed in JDK 24. For additional information: <https://openjdk.org/jeps/486> Obtain documentation from the admin that identifies the applications hosted on the JBoss server as well as the corresponding rights the application requires. For example, if the application requires network socket permissions and file write permissions, document those requirements. 1. Identify the JBoss installation as either domain or standalone and review the relevant configuration file. For domain installs: JBOSS_HOME/bin/domain.conf For standalone installs: JBOSS_HOME/bin/standalone.conf 2. Identify the location and name of the security policy by reading the JAVA_OPTS flag -Djava.security.policy=<file name> where <file name> will indicate name and location of security policy. If the application uses a policy URL, obtain the URL and policy file from system admin. 3. Review security policy and ensure hosted applications have the appropriate restrictions placed on them per documented application functionality requirements. If the security policy does not restrict application access to host resources per documented requirements, this is a finding.

✔️ Fix
Enabling the Security Manager in JDK 24 is an error and if using JDK 24, this is not a finding. Configure the Java security manager to enforce access restrictions to the host system resources in accordance with application design and resource requirements.