9.9 Ensure that 'Java version' is currently supported (if in use)

Information

Periodically, older versions of Java may be deprecated and no longer supported. Using a supported version of Java for app services is recommended to avoid potential unpatched vulnerabilities.

Rationale:

Deprecated and unsupported versions of programming and scripting languages can present vulnerabilities which may not be addressed or may not be addressable.

Impact:

If your app is written using version-dependent features or libraries, they may not be available on more recent versions. If you wish to update, research the impact thoroughly.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Remediate from Azure Portal

Log in to the Azure Portal at https://portal.azure.com

Go to App Services

Click on each App

Under Settings section, click on Configuration

Click on the General settings pane and ensure that for a Stack of Java the Major Version and Minor Version reflect a currently supported release, and that the Java web server version is set to the auto-update option.

NOTE: No action is required if Java version is set to Off, as Java is not used by your app.

Remediate from Azure CLI
To see the list of supported runtimes:

az webapp list-runtimes

To set a currently supported Java version for an existing app, run the following command:

az webapp config set --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> [--java-version <JAVA_VERSION> --java-container <JAVA_CONTAINER> --java-container-version <JAVA_CONTAINER_VERSION>] [--windows-fx-version <JAVA_RUNTIME_VERSION>] [--linux-fx-version <JAVA_RUNTIME_VERSION>]

If creating a new application to use a currently supported version of Java, run the following commands.
To create an app service plan:

az appservice plan create --resource-group <RESOURCE_GROUP_NAME> --name <PLAN_NAME> --location <LOCATION> [--is-linux --number-of-workers <INT> --sku <PRICING_TIER>] [--hyper-v --sku <PRICING_TIER>]

Get the app service plan ID:

az appservice plan list --query '[].{Name:name, ID:id, SKU:sku, Location:location}'

To create a new Java web application using the retrieved app service ID:

az webapp create --resource-group <RESOURCE_GROUP_NAME> --plan <APP_SERVICE_PLAN_ID> --name <APP_NAME> [--linux-fx-version <JAVA_RUNTIME_VERSION>] [--windows-fx-version <JAVA_RUNTIME_VERSION>]
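
To decide which apps need the commands above, the following added example (not part of the benchmark text) classifies each app's configured Java major version against an operator-supplied list of supported majors. The function names, the tab-separated input layout, the assumed value shapes and the sample list "8 11 17" are assumptions for illustration; build the real list from az webapp list-runtimes.

```shell
#!/bin/sh
# Added example (not from the benchmark): classify each app's Java major version.
# Input on stdin, one app per line, tab-separated: name, javaVersion, linuxFxVersion.
# Assumed source of a row on a live subscription:
#   az webapp config show --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> \
#     --query "[name, javaVersion, linuxFxVersion]" --output tsv
# Assumed value shapes: javaVersion like "1.8" or "17"; linuxFxVersion like
# "TOMCAT|10.0-java17"; unset values arrive as "" or "None".

audit_java_versions() {   # $1 = space-separated supported majors (operator-supplied)
  awk -F'\t' -v supported="$1" '
    function unset_value(v) { return v == "" || v == "None" || v == "null" }
    BEGIN { n = split(supported, s, " "); for (i = 1; i <= n; i++) ok[s[i]] = 1 }
    {
      major = ""; java = 0
      if (!unset_value($2)) {                      # Windows-style javaVersion
        java = 1
        split($2, p, "[._]")
        major = (p[1] == "1") ? p[2] : p[1]        # legacy 1.x naming: 1.8 means 8
      } else if ($3 ~ /^(JAVA|TOMCAT|JBOSSEAP)[|]/) {   # Linux Java stacks
        java = 1
        major = $3
        sub(/^.*-(java|jre)/, "", major)           # keep digits after the last -java/-jre
      }
      if (!java)                     status = "NOT_JAVA"     # no action, Java not in use
      else if (major !~ /^[0-9]+$/)  status = "REVIEW"       # unparsed: check by hand
      else if (major in ok)          status = "SUPPORTED"
      else                           status = "UNSUPPORTED"
      printf "%s\t%s\t%s\n", $1, (major ~ /^[0-9]+$/ ? major : "-"), status
    }'
}

sample_rows() {   # constructed sample data, not output from a real subscription
  printf 'win-legacy\t1.7\tNone\n'
  printf 'win-current\t17\tNone\n'
  printf 'linux-tomcat\tNone\tTOMCAT|10.0-java17\n'
  printf 'linux-jre8\t\tJAVA|8-jre8\n'
  printf 'node-app\tNone\tNODE|18-lts\n'
  printf 'linux-odd\tNone\tJAVA|custom\n'
}

# "8 11 17" is a sample policy list for this example only.
sample_rows | audit_java_versions "8 11 17"
```

Rows marked REVIEW have a Java stack whose version string did not parse and should be checked in the portal.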

Remediate from PowerShell
As of this writing, there is no way to update an existing application's SiteConfig or set a new application's SiteConfig settings during creation via PowerShell.

Default Value:

The default setting is whichever setting was chosen in the creation of the webapp.

See Also

https://workbench.cisecurity.org/benchmarks/16820

Item Details

Category: SYSTEM AND SERVICES ACQUISITION

References: 800-53|SA-22, CSCv7|2.2

Plugin: microsoft_azure

Control ID: c803e9eebbf700c77ea800ff421dd387f6e8310b66a40e95b354ea87a61b7e07