🛡️ Azure App Service does not run the latest Java version🟢⚪

• Contextual name: 🛡️ App Service does not run the latest Java version🟢⚪
• ID: /ce/ca/azure/app-service/latest-java-version
• Tags:
  • ⚪ Impossible policy
  • 🟢 Policy with categories
  • 🟢 Policy with type
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY, RELIABILITY, PERFORMANCE

Similar Policies

• Cloud Conformity: Check for Latest Version of Java
• Internal: dec-x-879aa996

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-879aa996	1

Description

Open File

Description

Periodically, older versions of Java may be deprecated and no longer supported. Using a supported version of Java for app services is recommended to avoid potential unpatched vulnerabilities.

Rationale

Deprecated and unsupported versions of programming and scripting languages can present vulnerabilities which may not be addressed or may not be addressable.

Impact

If your app is written using version-dependent features or libraries, they may not be available on more recent versions. If you wish to update, research the impact thoroughly.

Audit

Take note of currently supported version of Java here: https://www.oracle.com/java/technologies/java-se-support-roadmap.html

From Azure Portal

1. Login to Azure Portal using https://portal.azure.com.
2. Go to App Services.
3. Click on each App.
4. Under Settings section, click on Configuration.
5. Click on the General settings pane and ensure that for a Stack of Java the Major Version and Minor Version reflect a currently supported release, and that the Java web server version is set to the auto-update option.

... see more

Remediation

Open File

Remediation

From Azure Portal

1. Login to Azure Portal using https://portal.azure.com.
2. Go to App Services.
3. Click on each App.
4. Under Settings section, click on Configuration.
5. Click on the General settings pane and ensure that for a Stack of Java the Major Version and Minor Version reflect a currently supported release, and that the Java web server version is set to the auto-update option.

NOTE: No action is required if Java version is set to Off, as Java is not used by your web app.

From Azure CLI

To see the list of supported runtimes:

az webapp list-runtimes

To set a currently supported Java version for an existing app, run the following command:

az webapp config set --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --java-version <JAVA_VERSION> --java-container <JAVA_CONTAINER> --java-container-version <JAVA_CONTAINER_VERSION> --windows-fx-version <JAVA_RUNTIME_VERSION> --linux-fx-version <JAVA_RUNTIME_VERSION>

If creating a new application to use a currently supported version of Java, run the following commands. To create an app service plan:

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 APRA CPG 234 → 💼 36h patch management controls — to manage the assessment and application of patches and other updates that address known vulnerabilities in a timely manner;		7	7		no data
💼 APRA CPG 234 → 💼 40 An important aspect of information asset life-cycle management involves minimising vulnerabilities and maintaining support. Information security exposures could arise from hardware and software which is outdated or has limited or no support (whether through a third party, a related party or in-house). Technology that is end-of-life5 , out-of-support or in extended support is typically less secure by design, has a dated security model and can take longer, or is unable, to be updated to address new threats.		7	7		no data
💼 CIS Azure v1.1.0 → 💼 9.9 Ensure that 'Java version' is the latest, if used to run the web app		1	1		no data
💼 CIS Azure v1.3.0 → 💼 9.8 Ensure that 'Java version' is the latest, if used to run the web app - Level 1 (Manual)		1	1		no data
💼 CIS Azure v1.4.0 → 💼 9.8 Ensure that 'Java version' is the latest, if used to run the Web App - Level 1 (Manual)		1	1		no data
💼 CIS Azure v1.5.0 → 💼 9.8 Ensure that 'Java version' is the latest, if used to run the Web App - Level 1 (Manual)		1	1		no data
💼 CIS Azure v2.0.0 → 💼 9.8 Ensure that 'Java version' is the latest, if used to run the Web App - Level 1 (Manual)		1	1		no data
💼 CIS Azure v2.1.0 → 💼 9.7 Ensure that 'Java version' is the latest, if used to run the Web App - Level 1 (Manual)		1	1		no data
💼 CIS Azure v3.0.0 → 💼 9.9 Ensure that 'Java version' is currently supported (if in use) (Manual)			1		no data
💼 Cloudaware Framework → 💼 Infrastructure Modernization			16		no data
💼 FedRAMP High Security Controls → 💼 CM-5 Access Restrictions for Change (L)(M)(H)	2	14	16		no data
💼 FedRAMP High Security Controls → 💼 CM-7 Least Functionality (L)(M)(H)	3	18	33		no data
💼 FedRAMP High Security Controls → 💼 CM-11 User-installed Software (L)(M)(H)		4	4		no data
💼 FedRAMP Low Security Controls → 💼 CM-5 Access Restrictions for Change (L)(M)(H)			8		no data
💼 FedRAMP Low Security Controls → 💼 CM-7 Least Functionality (L)(M)(H)			29		no data
💼 FedRAMP Low Security Controls → 💼 CM-11 User-installed Software (L)(M)(H)			4		no data
💼 FedRAMP Moderate Security Controls → 💼 CM-5 Access Restrictions for Change (L)(M)(H)	2		16		no data
💼 FedRAMP Moderate Security Controls → 💼 CM-7 Least Functionality (L)(M)(H)	3		33		no data
💼 FedRAMP Moderate Security Controls → 💼 CM-11 User-installed Software (L)(M)(H)			4		no data
💼 ISO/IEC 27001:2013 → 💼 A.12.5.1 Installation of software on operational systems		5	5		no data
💼 NIST CSF v1.1 → 💼 DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events		20	26		no data
💼 NIST CSF v1.1 → 💼 DE.CM-5: Unauthorized mobile code is detected		11	12		no data
💼 NIST CSF v1.1 → 💼 ID.AM-2: Software platforms and applications within the organization are inventoried		5	7		no data
💼 NIST CSF v1.1 → 💼 PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity		22	27		no data
💼 NIST CSF v1.1 → 💼 PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)		4	26		no data
💼 NIST CSF v1.1 → 💼 PR.IP-3: Configuration change control processes are in place		5	5		no data
💼 NIST CSF v1.1 → 💼 PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities		21	30		no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			145		no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events			85		no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			142		no data
💼 NIST CSF v2.0 → 💼 ID.AM-02: Inventories of software, services, and systems managed by the organization are maintained			9		no data
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked			31		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			148		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-2(6) Flaw Remediation _ Removal of Previous Versions of Software and Firmware		6	6		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(12) Software, Firmware, and Information Integrity _ Integrity Verification		19	21		no data
💼 UK Cyber Essentials → 💼 3.1 All software on in-scope devices must be licensed and supported		6	6		no data