Description
Periodically, older versions of Java may be deprecated and no longer supported. Using a supported version of Java for app services is recommended to avoid potential unpatched vulnerabilities.
Rationale
Deprecated and unsupported versions of programming and scripting languages can present vulnerabilities which may not be addressed or may not be addressable.
Impact
If your app is written using version-dependent features or libraries, they may not be available on more recent versions. If you wish to update, research the impact thoroughly.
Audit
Take note of the currently supported versions of Java here: https://www.oracle.com/java/technologies/java-se-support-roadmap.html
From Azure Portal
- Log in to Azure Portal using https://portal.azure.com.
- Go to App Services.
- Click on each App.
- Under the Settings section, click on Configuration.
- Click on the General settings pane and ensure that for a Stack of Java the Major Version and Minor Version reflect a currently supported release, and that the Java web server version is set to the auto-update option.
NOTE: No action is required if Java version is set to Off, as Java is not used by your web app.
From Azure CLI
To check Java version for an existing app, run the following command:
az webapp config show --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --query "{LinuxFxVersion:linuxFxVersion, WindowsFxVersion:windowsFxVersion, JavaVersion:javaVersion, JavaContainerVersion:javaContainerVersion, JavaContainer:javaContainer}"
Ensure the Java version used within the application is a currently supported version (if Java is being used for the app being audited).
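The check above can be automated across many apps. The following Python is an added example, not part of the benchmark: it classifies the JSON returned by the query above, assuming Linux Java stacks are prefixed `JAVA`, `TOMCAT` or `JBOSSEAP`; the app names, sample values and the `SUPPORTED_MAJORS` set are constructed placeholders.

```python
import json
import re

# Constructed sample: app name -> JSON printed by the az query above (names are made up).
SAMPLE = json.loads("""{
  "linux-tomcat": {"LinuxFxVersion": "TOMCAT|9.0-java8", "JavaVersion": null},
  "linux-java":   {"LinuxFxVersion": "JAVA|17-java17", "JavaVersion": null},
  "linux-node":   {"LinuxFxVersion": "NODE|18-lts", "JavaVersion": null},
  "win-java":     {"LinuxFxVersion": "", "JavaVersion": "1.8.0_181"},
  "win-off":      {"LinuxFxVersion": "", "JavaVersion": null},
  "linux-odd":    {"LinuxFxVersion": "JAVA|custom", "JavaVersion": null}
}""")

# Placeholder for the demo only: fill in from the support roadmap linked under Audit.
SUPPORTED_MAJORS = {17, 21}
# Assumption: these linuxFxVersion prefixes are the stacks that run on a JVM.
JAVA_STACKS = {"JAVA", "TOMCAT", "JBOSSEAP"}

def java_major(cfg):
    """Return the Java major version in use, or None when the app does not use Java."""
    stack, _, tag = (cfg.get("LinuxFxVersion") or "").partition("|")
    if stack.upper() in JAVA_STACKS:
        m = re.search(r"(?:java|jre)(\d+)", tag, re.IGNORECASE)
        if not m:
            raise ValueError(f"cannot parse Java version from {tag!r}")
        return int(m.group(1))
    version = cfg.get("JavaVersion")
    if not version:
        return None  # Java is Off: no action required
    parts = version.split(".")
    # Legacy numbering: "1.8" and "1.8.0_181" both mean Java 8.
    return int(parts[1] if parts[0] == "1" and len(parts) > 1 else parts[0])

def audit(apps, supported):
    """Map each app name to 'supported', 'unsupported', 'not-java' or 'review'."""
    results = {}
    for name, cfg in apps.items():
        try:
            major = java_major(cfg)
        except ValueError:
            results[name] = "review"  # unrecognised format: check by hand
            continue
        if major is None:
            results[name] = "not-java"
        else:
            results[name] = "supported" if major in supported else "unsupported"
    return results

print(audit(SAMPLE, SUPPORTED_MAJORS))
```

Apps reported as `review` carry a version string the parser does not recognise and should be checked manually rather than assumed compliant.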
From PowerShell
For each application, store the application information within an object, and then interrogate the SiteConfig information for that application object:
$app = Get-AzWebApp -Name <APP_NAME> -ResourceGroup <RESOURCE_GROUP_NAME>
$app.SiteConfig | Select-Object LinuxFXVersion, WindowsFxVersion, JavaVersion, JavaContainerVersion, JavaContainer
Ensure the Java version used within the application is a currently supported version (if Java is being used for the app being audited).
From Azure Policy
If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure.
- Policy ID: e1d1b522-02b0-4d18-a04f-5ab62d20445f - Name: Function app slots that use Java should use a specified 'Java version'
- Policy ID: 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc - Name: Function apps that use Java should use a specified 'Java version'
Default Value
The default setting is whichever setting was chosen when the web app was created.
References
- https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings
- https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-posture-vulnerability-management#pv-3-define-and-establish-secure-configurations-for-compute-resources
- https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-posture-vulnerability-management#pv-6-rapidly-and-automatically-remediate-vulnerabilities
- https://www.oracle.com/java/technologies/java-se-support-roadmap.html
Additional Information
Take note of the currently supported versions of Java here: https://www.oracle.com/java/technologies/java-se-support-roadmap.html