Ensure that 'Java version' is currently supported (if in use)

Overview

Older versions of Java may periodically be deprecated and no longer supported. To avoid potential unpatched vulnerabilities, it is recommended that you use a supported version of Java for app services.

Rationale

Deprecated and unsupported versions of programming and scripting languages can present vulnerabilities that are either unaddressable or not addressable.

Impact

If your app is written using version-dependent features or libraries, they may not be available on more recent versions. If you wish to update, research the impact thoroughly.

Default Value

You select the value when creating the web app.

Remediation guidance

Remediate from Azure Portal

Open the app using the Open in Azure button.
Under Settings section, click on Configuration
Click on the General settings pane and ensure that for a Stack of Java the Major Version and Minor Version reflect a currently supported release, and that the Java web server version is set to the auto-update option.

Remediate from Azure CLI

To see the list of supported runtimes:

az webapp list-runtimes

To set a currently supported Java version for an existing app, run the following command:

az webapp config set --resource-group  --name  [--java-version  --java-container  --java-container-version  [--windows-fx-version ] [--linux-fx-version ]

Multiple Remediation Paths

Azure

SERVICE-WIDE (RECOMMENDED when many resources are affected): Assign Azure Policy initiatives at management group/subscription scope and trigger remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

ASSET-LEVEL: Apply the resource-specific remediation steps above to the listed non-compliant resources.

PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows to block or auto-remediate drift.

References for Service-Wide Patterns

Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure

Operational Rollout Workflow

Use this sequence to reduce risk and avoid repeated drift.

1. Contain at Service-Wide Scope First (Recommended)

Azure: assign policy initiatives at management group/subscription scope and run remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

2. Remediate Existing Affected Assets

Execute the control-specific Console/CLI steps documented above for each flagged resource.
Prioritize internet-exposed and production assets first.

3. Validate and Prevent Recurrence

Re-scan after each remediation batch.
Track exceptions with owner and expiry date.
Add preventive checks in IaC/CI pipelines.

Query logic

These are the stored checks tied to this control.

Azure app services running unsupported Java versions

Connectors

Microsoft Azure

Covered asset types

Site

Expected check: eq []

{
  sites(
    where: { siteConfig: { NOT: { javaVersion: "" }, isDeprecated: true } }
  ) {
    ...AssetFragment
  }
}