Check for Latest Version of Java

Risk Level: Low (generally tolerable level of risk)

Rule ID: AppService-004

Ensure that all Microsoft Azure App Service applications developed with Java are using the latest available version of Java software in order to take advantage of the most recent security fixes, performance improvements and new features.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Reliability

Performance
efficiency

To benefit from the latest security and performance enhancements, and include any new software capabilities and features, it is strongly recommended to enable the newest version of Java software supported by Microsoft Azure App Service. For example, Azure App Service supports now Java 11, expanding the programming language support to the two latest LTS versions of the Java runtime. This allows you to run your App Service Java applications without incurring unplanned Java SE subscription fees, all while benefit from free security patches and platform bug fixes.

Audit

To determine if your Microsoft Azure App Service applications are using the latest version of Java, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name of the App Service web application that you want to examine.

04 In the navigation menu, under Settings, select Configuration to access the configuration settings defined for the selected application.

05 On the Configuration panel, select General settings tab to access the application general settings.

06 In the Stack settings section, check the Stack setting value to determine the type of the software stack used by the selected web application. If Stack is set to Java, check the stack software version available in the Java version dropdown list. If Java version does not show the latest version available in the list (for example, Java 11), the selected Microsoft Azure App Service web application is not configured to use the latest version of Java software.

07 Repeat steps no. 3 – 6 for each Azure App Service web application deployed in the current subscription.

08 Repeat steps no. 3 – 7 for other subscriptions created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run webapp list-runtimes command (Windows/macOS/Linux) using custom query filters to list the Java versions currently supported by Microsoft Azure App Service:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

az webapp list-runtimes | grep java

02 The command output should return the supported versions of the Java software:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

"java|1.7|Tomcat|7.0",
"java|1.7|Tomcat|8.0",
"java|1.7|Tomcat|8.5",
"java|1.7|Tomcat|9.0",
"java|1.7|Jetty|9.1",
"java|1.7|Jetty|9.3",
"java|1.8|Tomcat|7.0",
"java|1.8|Tomcat|8.0",
"java|1.8|Tomcat|8.5",
"java|1.8|Tomcat|9.0",
"java|1.8|Jetty|9.1",
"java|1.8|Jetty|9.3",
"java|11|Tomcat|7.0",
"java|11|Tomcat|8.0",
"java|11|Tomcat|8.5",
"java|11|Tomcat|9.0",
"java|11|Jetty|9.1",
"java|11|Jetty|9.3"

03 Run webapp list command (Windows/macOS/Linux) using custom query filters to list the IDs of all App Service web applications launched in the current Azure subscription:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

az webapp list
   --query '[*].id'

04 The command output should return the requested Azure App Service application IDs:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

[
"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-tomcat-webapp",
"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-mobile-webapp",
"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-frontend-webapp"
]

05 Run webapp config show command (Windows/macOS/Linux) using the ID of the application that you want to examine as identifier parameter and custom query filters to describe the Java software version configured for the selected Azure App Service web application:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

az webapp config show
	--ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-tomcat-webapp"
	--query '{"javaVersion":javaVersion}'

06 The command output should return the Java software version currently in use:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

{
  "javaVersion": "1.8"
}

If the value returned by the webapp config show command output for "javaVersion" configuration attribute is null or an empty string (i.e. ""), the selected application is not using a Java software stack. Otherwise, check the returned attribute value and compare it with each version returned at step no. 2. If "javaVersion" value is different than the latest version of Java returned at step no. 2, the selected Microsoft Azure App Service web application is not using the latest version of Java software.

07 Repeat steps no. 3 – 6 for each Azure App Service web application available within the current subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To reconfigure your Azure App Service web applications in order to enable the latest version of Java software, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name of the web application that you want to reconfigure (see Audit section part I to identify the right Java application).

04 In the navigation menu, under Settings, select Configuration to access the configuration settings defined for the selected application.

05 On the Configuration panel, select General settings tab to access the web application general settings.

06 In the Stack settings section, perform the following:

Select the latest version of the Java software available in the Java version dropdown list.
Set Java minor version to the latest minor version available.
Select the latest stable version of the web application container from the Java container version dropdown list.

07 Click Save to apply the configuration changes. Once these changes become active, the Azure Management Console should display the following confirmation message: "Successfully updated web app settings".

08 Repeat steps no. 3 – 7 for each Azure App Service Java web application deployed in the current subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run webapp list-runtimes command (Windows/macOS/Linux) using custom query filters to list the Java software versions currently supported by Microsoft Azure App Service:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

az webapp list-runtimes | grep php

02 The command output should return the Java versions supported by Azure App Service:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

"java|1.7|Tomcat|7.0",
"java|1.7|Tomcat|8.0",
"java|1.7|Tomcat|8.5",
"java|1.7|Tomcat|9.0",
"java|1.7|Jetty|9.1",
"java|1.7|Jetty|9.3",
"java|1.8|Tomcat|7.0",
"java|1.8|Tomcat|8.0",
"java|1.8|Tomcat|8.5",
"java|1.8|Tomcat|9.0",
"java|1.8|Jetty|9.1",
"java|1.8|Jetty|9.3",
"java|11|Tomcat|7.0",
"java|11|Tomcat|8.0",
"java|11|Tomcat|8.5",
"java|11|Tomcat|9.0",
"java|11|Jetty|9.1",
"java|11|Jetty|9.3"

03 Run webapp config set command (Windows/macOS/Linux) using the ID of the Azure App Service web application that you want to reconfigure as identifier parameter (see Audit section part I to identify the right Java application) to enable the latest version of Java software stack, as described at step no. 2, for the selected web application. For example, the following command request enables Java 11 for an application using Tomcat 9.0 as web container software, identified by the ID "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-tomcat-webapp":

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

az webapp config set
	--ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-tomcat-webapp"
	--java-version "11"
	--java-container "Tomcat"
	--java-container-version "9.0"

04 The command output should return the metadata available for the reconfigured Azure App Service Java application:

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899

{
  "alwaysOn": false,
  "apiDefinition": null,
  "appCommandLine": "",
  "appSettings": null,
  "autoHealEnabled": false,
  "autoHealRules": null,
  "autoSwapSlotName": null,
  "azureStorageAccounts": null,
  "connectionStrings": null,
  "detailedErrorLoggingEnabled": false,
  "documentRoot": null,
  "ftpsState": "AllAllowed",
  "handlerMappings": null,
  "http20Enabled": false,
  "httpLoggingEnabled": false,
 
  ...
 
  "javaContainer": "TOMCAT",
  "javaContainerVersion": "9.0",
  "javaVersion": "11",
  "loadBalancing": "LeastRequests",
  "localMySqlEnabled": false,
  "location": "West Europe",
  "logsDirectorySizeLimit": 35,
  "machineKey": null,
  "managedPipelineMode": "Integrated",
  "managedServiceIdentityId": null,
  "minTlsVersion": "1.2",
  "name": "cc-tomcat-webapp",
  "vnetName": "",
  "webSocketsEnabled": false,
  "windowsFxVersion": null,
  "xManagedServiceIdentityId": null
}

05 Repeat step no. 3 and 4 for each Azure App Service Java web application deployed in the current subscription.

06 Repeat steps no. 3 – 5 for each subscription created in your Microsoft Azure cloud account.

References

Azure Official Documentation
Configure an App Service app in the Azure portal
Azure App Service update: Free Linux Tier, Python and Java support, and more
CIS Microsoft Azure Foundations

Publication date Sep 30, 2019

Audit

Using Azure Console

Using Azure CLI

Remediation / Resolution

Using Azure Console

Using Azure CLI

References

Related AppService rules