View STIG - Oracle WebLogic Server 12c Security Technical Implementation Guide V2R1

b

Oracle WebLogic must utilize cryptography to protect the confidentiality of remote access management sessions.

AC-17 - Medium - CCI-000068 - V-235928 - SV-235928r628562_rule

RMF Control

AC-17

Severity

Medium

CCI

CCI-000068

Version

WBLC-01-000009

Vuln IDs

V-235928
V-56205

Rule IDs

SV-235928r628562_rule
SV-70459

Remote management access is accomplished by leveraging common communication protocols and establishing a remote connection to the application server via a network for the purposes of managing the application server. If cryptography is not used, then the session data traversing the remote connection could be intercepted and compromised. Types of management interfaces utilized by an application server include web-based HTTPS interfaces as well as command line-based management interfaces. All application server management interfaces must utilize cryptographic encryption.

Checks: C-39147r628560_chk

1. Access AC 2. From 'Domain Structure', select 'Environment' -> 'Servers' 3. From the list of servers, select one which needs check for SSL configuration verification 4. From 'Configuration' tab -> 'General' tab, ensure 'Listen Port Enabled' checkbox is deselected 5. Ensure 'SSL Listen Port Enabled' checkbox is selected and a valid port number is in 'SSL Listen Port' field, e.g., 7002 6 Repeat steps 3-5 for all servers requiring SSL configuration checking If 'Listen Port Enabled' is selected, this is a finding. If 'SSL Listen Port Enabled' is not selected, this is a finding.

Fix: F-39110r628561_fix

1. Obtain an identity (private key and digital certificates) and trust (certificates of trusted certificate authorities) to configure on the server 2. Create Identity keystore and load private key and certificate using ImportPrivateKey java utility, example: $ java utils.ImportPrivateKey -certfile <cert_file> -keyfile <private_key_file> [-keyfilepass <private_key_password>] -keystore <keystore> -storepass <storepass> [-storetype <storetype>] -alias <alias> [-keypass <keypass>] 3. Access AC 4. Utilize 'Change Center' to create a new change session 5. From 'Domain Structure', select 'Environment' -> 'Servers' 6. From the list of servers, select one which needs SSL set up 7. From 'Configuration' tab -> 'General' tab, deselect 'Listen Port Enabled' checkbox 8. Select 'SSL Listen Port Enabled' checkbox and enter a valid port number in 'SSL Listen Port' field, e.g., 7002 9. From 'Configuration' tab -> 'Keystores' tab, click 'Change' button in 'Keystores' section 10. From dropdown, select 'Custom Identity and Java Standard Trust' and click 'Save' 11. Enter the fully qualified path to Identity keystore, from step 2, in 'Custom Identity Keystore' field 12. Enter 'JKS' in the 'Custom Identity Keystore Type' field 13. Enter the Identity keystore password in 'Custom Identity Keystore Passphrase' and 'Confirm Custom Identity Keystore Passphrase' fields 14. Enter the Java Standard Trust keystore (cacerts) password in 'Java Standard Trust Keystore Passphrase' and 'Confirm Java Standard Trust Keystore Passphrase' fields 15. Leave all other fields blank and click 'Save' 16. From 'Configuration' tab -> 'SSL' tab, enter values from step 2 into corresponding fields, as follows: - Enter <alias> into 'Private Key Alias' - Enter <private_key_password> into 'Private Key Passphrase' - Enter <private_key_password> into 'Confirm Private Key Passphrase' 17. Click 'Save', and from 'Change Center' click 'Activate Changes' to enable configuration changes 18. Repeat steps 4-17 for all servers requiring SSL configuration 19. From 'Domain Structure', select 'Environment' -> 'Servers', click 'Control' tab 20. Select checkbox for all servers configured in previous steps and click 'Restart SSL'

b

Oracle WebLogic must use cryptography to protect the integrity of the remote access session.

AC-17 - Medium - CCI-001453 - V-235929 - SV-235929r628565_rule

RMF Control

AC-17

Severity

Medium

CCI

CCI-001453

Version

WBLC-01-000010

Vuln IDs

V-235929
V-56207

Rule IDs

SV-235929r628565_rule
SV-70461

Encryption is critical for protection of remote access sessions. If encryption is not being used for integrity, malicious users may gain the ability to modify the application server configuration. The use of cryptography for ensuring integrity of remote access sessions mitigates that risk. Application servers utilize a web management interface and scripted commands when allowing remote access. Web access requires the use of SSL 3.0 or TLS 1.0 and scripted access requires using ssh or some other form of approved cryptography. Application servers must have a capability to enable a secure remote admin capability.

Checks: C-39148r628563_chk

1. Access AC 2. From 'Domain Structure', select 'Environment' -> 'Servers' 3. From the list of servers, select one which needs check for SSL configuration verification 4. From 'Configuration' tab -> 'General' tab, ensure 'Listen Port Enabled' checkbox is deselected 5. Ensure 'SSL Listen Port Enabled' checkbox is selected and a valid port number is in 'SSL Listen Port' field, e.g., 7002 6. Repeat steps 3-5 for all servers requiring SSL configuration checking If 'Listen Port Enabled' is selected, this is a finding. If 'SSL Listen Port Enabled' is not selected, this is a finding.

Fix: F-39111r628564_fix

1. Obtain an identity (private key and digital certificates) and trust (certificates of trusted certificate authorities) to configure on the server 2. Create Identity keystore and load private key and certificate using ImportPrivateKey java utility, example: $ java utils.ImportPrivateKey -certfile <cert_file> -keyfile <private_key_file> [-keyfilepass <private_key_password>] -keystore <keystore> -storepass <storepass> [-storetype <storetype>] -alias <alias> [-keypass <keypass>] 3. Access AC 4. Utilize 'Change Center' to create a new change session 5. From 'Domain Structure', select 'Environment' -> 'Servers' 6. From the list of servers, select one which needs SSL set up 7. From 'Configuration' tab -> 'General' tab, deselect 'Listen Port Enabled' checkbox 8. Select 'SSL Listen Port Enabled' checkbox and enter a valid port number in 'SSL Listen Port' field, e.g., 7002 9. From 'Configuration' tab -> 'Keystores' tab, click 'Change' button in 'Keystores' section 10. From dropdown, select 'Custom Identity and Java Standard Trust' and click 'Save' 11. Enter the fully qualified path to Identity keystore, from step 2, in 'Custom Identity Keystore' field 12. Enter 'JKS' in the 'Custom Identity Keystore Type' field 13. Enter the Identity keystore password in 'Custom Identity Keystore Passphrase' and 'Confirm Custom Identity Keystore Passphrase' fields 14. Enter the Java Standard Trust keystore (cacerts) password in 'Java Standard Trust Keystore Passphrase' and 'Confirm Java Standard Trust Keystore Passphrase' fields 15. Leave all other fields blank and click 'Save' 16. From 'Configuration' tab -> 'SSL' tab, enter values from step 2 into corresponding fields, as follows: - Enter <alias> into 'Private Key Alias' - Enter <private_key_password> into 'Private Key Passphrase' - Enter <private_key_password> into 'Confirm Private Key Passphrase' 17. Click 'Save', and from 'Change Center' click 'Activate Changes' to enable configuration changes 18. Repeat steps 4-17 for all servers requiring SSL configuration 19. From 'Domain Structure', select 'Environment' -> 'Servers', click 'Control' tab 20. Select checkbox for all servers configured in previous steps and click 'Restart SSL'

b

Oracle WebLogic must employ automated mechanisms to facilitate the monitoring and control of remote access methods.

AC-17 - Medium - CCI-000067 - V-235930 - SV-235930r628568_rule

RMF Control

AC-17

Severity

Medium

CCI

CCI-000067

Version

WBLC-01-000011

Vuln IDs

V-235930
V-56209

Rule IDs

SV-235930r628568_rule
SV-70463

Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. Application servers provide remote management access and need to provide the ability to facilitate the monitoring and control of remote user sessions. This includes the capability to directly trigger actions based on user activity or pass information to a separate application or entity that can then perform automated tasks based on the information. Examples of automated mechanisms include but are not limited to: automated monitoring of log activity associated with remote access or process monitoring tools. The application server must employ mechanisms that allow for monitoring and control of web-based and command line-based administrative remote sessions.

Checks: C-39149r628566_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'JDBC Data Sources' 3. From the list of data sources, select the one named 'opss-audit-DBDS', which connects to the IAU_APPEND schema of the audit database. Note the value in the 'JNDI name' field. 4. To verify, select 'Configuration' tab -> 'Connection Pool' tab 5. Ensure the 'URL' and 'Properties' fields contain the correct connection values for the IAU_APPEND schema 6. To test, select 'Monitoring' tab, select a server from the list and click 'Test Data Source'. Ensure test was successful. Repeat for each server in the list. 7. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Security' -> 'Security Provider Configuration' 8. Beneath 'Audit Service' section, click 'Configure' button 9. Ensure 'Data Source JNDI Name' value matches the JNDI Name value from data source in step 3 above 10. Repeat steps 2-6 for data source named 'wls-wldf-storeDS' and WLS schema If the data is not being stored for access by an external monitoring tool, this is a finding.

Fix: F-39112r628567_fix

1. Access AC 2. From 'Domain Structure', select 'Services' -> 'Data Sources' 3. Utilize 'Change Center' to create a new change session 4. Click 'New' data source to create a new data source for the audit data store using schema IAU_APPEND 5. Enter database details and JNDI name, click through wizard 6. Select all servers and clusters available as targets to deploy this data source to 7. Finish creating the data source and record the JNDI name 8. Access EM 9. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Security' -> 'Security Provider Configuration' 10. Beneath 'Audit Service' section, click 'Configure' button 11. Set the values for the IAU_APPEND schema and save configuration 12. Repeat steps 2-7 for data source named 'wls-wldf-storeDS' and WLS schema

b

Oracle WebLogic must ensure remote sessions for accessing security functions and security-relevant information are audited.

AC-17 - Medium - CCI-000067 - V-235931 - SV-235931r628571_rule

RMF Control

AC-17

Severity

Medium

CCI

CCI-000067

Version

WBLC-01-000013

Vuln IDs

V-235931
V-56211

Rule IDs

SV-235931r628571_rule
SV-70465

Auditing must be utilized in order to track system activity, assist in diagnosing system issues and provide evidence needed for forensic investigations post security incident. Remote access by administrators requires that the admin activity be audited. Application servers provide a web- and command line-based remote management capability for managing the application server. Application servers must ensure that all actions related to administrative functionality such as application server configuration are logged.

Checks: C-39150r628569_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Security' -> 'Audit Policy' 3. Select 'Oracle Platform Security Services' from the 'Audit Component Name' dropdown 4. Beneath 'Audit Policy Settings' section, ensure that the value 'Custom' is set in the 'Audit Level' dropdown 5. Beneath 'Audit Policy Settings' section, ensure that every checkbox is selected under the 'Select For Audit' column of the policy category table If all auditable events for the 'Oracle Platform Security Services' audit component are not selected, then this is a finding.

Fix: F-39113r628570_fix

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Security' -> 'Audit Policy' 3. Select 'Oracle Platform Security Services' from the 'Audit Component Name' dropdown 4. Beneath 'Audit Policy Settings' section, select 'Custom' from the 'Audit Level' dropdown 5. Once it is enabled, click the 'Audit All Events' button and ensure every checkbox is selected under the 'Select For Audit' column of the policy category table. Click 'Apply'

b

Oracle WebLogic must support the capability to disable network protocols deemed by the organization to be non-secure except for explicitly identified components in support of specific operational requirements.

CM-7 - Medium - CCI-000382 - V-235932 - SV-235932r672375_rule

RMF Control

CM-7

Severity

Medium

CCI

CCI-000382

Version

WBLC-01-000014

Vuln IDs

V-235932
V-56213

Rule IDs

SV-235932r672375_rule
SV-70467

Some networking protocols may not meet organizational security requirements to protect data and components. Application servers natively host a number of various features such as management interfaces, httpd servers, and message queues. These features all run on TCPIP ports. This creates the potential that the vendor may choose to utilize port numbers or network services that have been deemed unusable by the organization. The application server must have the capability to both reconfigure and disable the assigned ports without adversely impacting application server operation capabilities. For a list of approved ports and protocols, reference the DoD ports and protocols web site at https://cyber.mil/ppsm.

Checks: C-39151r628572_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Monitoring' -> 'Port Usage' 3. In the results table, ensure values in the 'Port in Use' column match approved ports 4. In the results table, ensure values in the 'Protocol' column match approved protocols If ports or protocols are in use that the organization deems nonsecure, this is a finding.

Fix: F-39114r628573_fix

1. Access AC 2. To change port or protocol values, from 'Domain Structure', select 'Environment' -> 'Servers' 3. From the list of servers, select one which needs modification 4. Utilize 'Change Center' to create a new change session 5. To modify port assignment, from 'Configuration' tab -> 'General' tab, reassign the port for this server by changing the 'SSL Listen Port' field and click 'Save' 6. To modify protocol configuration, select 'Protocols' tab 7. Use the subtabs 'HTTP', 'jCOM', and 'IIOP' to configure these protocols 8. Use the 'Channels' subtab to create/modify channels which configure other protocols 9. Repeat steps 3-8 for all servers requiring modification 10. Review the 'Port Usage' table in EM again to ensure port has been reassigned

b

Oracle WebLogic must automatically audit account creation.

AC-2 - Medium - CCI-000018 - V-235933 - SV-235933r628577_rule

RMF Control

AC-2

Severity

Medium

CCI

CCI-000018

Version

WBLC-01-000018

Vuln IDs

V-235933
V-56215

Rule IDs

SV-235933r628577_rule
SV-70469

Application servers require user accounts for server management purposes, and if the creation of new accounts is not logged, there is limited or no capability to track or alarm on account creation. This could result in the circumvention of the normal account creation process and introduce a persistent threat. Therefore, an audit trail that documents the creation of application user accounts must exist. An application server could possibly provide the capability to utilize either a local or centralized user registry. A centralized, enterprise user registry such as AD or LDAP is more likely to already contain provisions for automated account management, whereas a localized user registry will rely upon either the underlying OS or built-in application server user management capabilities. Either way, application servers must create a log entry when accounts are created.

Checks: C-39152r628575_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -> 'Auditing' tab 5. Ensure the list of 'Auditing Providers' contains at least one Auditing Provider 6. From 'Domain Structure', select the top-level domain link 7. Click 'Advanced' near the bottom of the page 8. Ensure 'Configuration Audit Type' is set to 'Change Log and Audit' If the 'Configuration Audit Type' is not set to 'Change Log and Audit', this is a finding.

Fix: F-39115r628576_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -> 'Auditing' tab 5. Utilize 'Change Center' to create a new change session 6. Click 'New'. Enter a value in 'Name' field and select an auditing provider type (ex: DefaultAuditor) in the 'Type' dropdown. Click 'OK'. 7. From 'Domain Structure', select the top-level domain link 8. Click 'Advanced' near the bottom of the page 9. Set 'Configuration Audit Type' dropdown to 'Change Log and Audit' 10. Click 'Save', and from 'Change Center' click 'Activate Changes' to enable configuration changes

b

Oracle WebLogic must automatically audit account modification.

AC-2 - Medium - CCI-001403 - V-235934 - SV-235934r628580_rule

RMF Control

AC-2

Severity

Medium

CCI

CCI-001403

Version

WBLC-01-000019

Vuln IDs

V-235934
V-56217

Rule IDs

SV-235934r628580_rule
SV-70471

Once an attacker establishes initial access to a system, they often attempt to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply modify an existing account. Application servers have the capability to contain user information in a local user store, or they can leverage a centralized authentication mechanism like LDAP. Either way, the mechanism used by the application server must automatically log when user accounts are modified.

Checks: C-39153r628578_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -> 'Auditing' tab 5. Ensure the list of 'Auditing Providers' contains at least one Auditing Provider 6. From 'Domain Structure', select the top-level domain link 7. Click 'Advanced' near the bottom of the page 8. Ensure 'Configuration Audit Type' is set to 'Change Log and Audit' If the 'Configuration Audit Type' is not set to 'Change Log and Audit', this is a finding.

Fix: F-39116r628579_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -> 'Auditing' tab 5. Utilize 'Change Center' to create a new change session 6. Click 'New'. Enter a value in 'Name' field and select an auditing provider type (ex: DefaultAuditor) in the 'Type' dropdown. Click 'OK'. 7. From 'Domain Structure', select the top-level domain link 8. Click 'Advanced' near the bottom of the page 9. Set 'Configuration Audit Type' dropdown to 'Change Log and Audit' 10. Click 'Save', and from 'Change Center' click 'Activate Changes' to enable configuration changes

b

Oracle WebLogic must provide access logging that ensures users who are granted a privileged role (or roles) have their privileged activity logged.

AU-12 - Medium - CCI-000172 - V-235935 - SV-235935r628583_rule

RMF Control

AU-12

Severity

Medium

CCI

CCI-000172

Version

WBLC-01-000030

Vuln IDs

V-235935
V-56219

Rule IDs

SV-235935r628583_rule
SV-70473

In order to be able to provide a forensic history of activity, the application server must ensure users who are granted a privileged role or those who utilize a separate distinct account when accessing privileged functions or data have their actions logged. If privileged activity is not logged, no forensic logs can be used to establish accountability for privileged actions that occur on the system.

Checks: C-39154r628581_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Security' -> 'Audit Policy' 3. Select 'Oracle Platform Security Services' from the 'Audit Component Name' dropdown 4. Beneath 'Audit Policy Settings' section, ensure that the comma-delimited list of privileged users (e.g., WebLogic, etc.) is set in the 'Users to Always Audit' field If all privileged users are not listed in the 'Users to Always Audit' field, this is a finding.

Fix: F-39117r628582_fix

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Security' -> 'Audit Policy' 3. Select 'Oracle Platform Security Services' from the 'Audit Component Name' dropdown 4. Beneath 'Audit Policy Settings' section, enter the comma-delimited list of privileged users (e.g., WebLogic, etc.) in the 'Users to Always Audit' field. Click 'Apply'

b

Oracle WebLogic must limit the number of failed login attempts to an organization-defined number of consecutive invalid attempts that occur within an organization-defined time period.

AC-7 - Medium - CCI-000044 - V-235936 - SV-235936r628586_rule

RMF Control

AC-7

Severity

Medium

CCI

CCI-000044

Version

WBLC-01-000032

Vuln IDs

V-235936
V-56221

Rule IDs

SV-235936r628586_rule
SV-70475

Anytime an authentication method is exposed so as to allow for the login to an application, there is a risk that attempts will be made to obtain unauthorized access. By limiting the number of failed login attempts that occur within a particular time period, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account once the number of failed attempts has been exceeded.

Checks: C-39155r628584_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Configuration' tab -> 'User Lockout' tab 5. Ensure the following field values are set: 'Lockout Threshold' = 3 'Lockout Duration' = 15 'Lockout Reset Duration' = 15 If 'Lockout Threshold' is not set to 3 or 'Lockout Duration' is not set to 15 or 'Lockout Reset Duration' is not set to 15, this is a finding.

Fix: F-39118r628585_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Configuration' tab -> 'User Lockout' tab 5. Utilize 'Change Center' to create a new change session 6. Set the following values in the fields as shown: 'Lockout Threshold' = 3 'Lockout Duration' = 15 'Lockout Reset Duration' = 15 7. Click 'Save', and from 'Change Center' click 'Activate Changes' to enable configuration changes

b

Oracle WebLogic must enforce the organization-defined time period during which the limit of consecutive invalid access attempts by a user is counted.

CM-6 - Medium - CCI-000366 - V-235937 - SV-235937r628589_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000366

Version

WBLC-01-000033

Vuln IDs

V-235937
V-56223

Rule IDs

SV-235937r628589_rule
SV-70477

By limiting the number of failed login attempts, the risk of unauthorized system access via automated user password guessing, otherwise known as brute-forcing, is reduced. Best practice requires a time period be applied in which the number of failed attempts is counted (Example: 5 failed attempts within 5 minutes). Limits are imposed by locking the account. Application servers provide a management capability that allows a user to login via a web interface or a command shell. Application servers also utilize either a local user store or a centralized user store such as an LDAP server. As such, the authentication method employed by the application server must be able to limit the number of consecutive invalid access attempts within the specified time period regardless of access method or user store utilized.

Checks: C-39156r628587_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Configuration' tab -> 'User Lockout' tab 5. Ensure the following field values are set: 'Lockout Threshold' = 3 'Lockout Duration' = 15 'Lockout Reset Duration' = 15 If 'Lockout Threshold' is not set to 3 or 'Lockout Duration' is not set to 15 or 'Lockout Reset Duration' is not set to 15, this is a finding.

Fix: F-39119r628588_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Configuration' tab -> 'User Lockout' tab 5. Utilize 'Change Center' to create a new change session 6. Set the following values in the fields as shown: 'Lockout Threshold' = 3 'Lockout Duration' = 15 'Lockout Reset Duration' = 15 7. Click 'Save', and from 'Change Center' click 'Activate Changes' to enable configuration changes

b

Oracle WebLogic must automatically lock accounts when the maximum number of unsuccessful login attempts is exceeded for an organization-defined time period or until the account is unlocked by an administrator.

CM-6 - Medium - CCI-000366 - V-235938 - SV-235938r628592_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000366

Version

WBLC-01-000034

Vuln IDs

V-235938
V-56225

Rule IDs

SV-235938r628592_rule
SV-70479

Anytime an authentication method is exposed so as to allow for the utilization of an application interface, there is a risk that attempts will be made to obtain unauthorized access. By locking the account when the pre-defined number of failed login attempts has been exceeded, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Specifying a time period in which the account is to remain locked serves to obstruct the operation of automated password guessing tools while allowing a valid user to reinitiate login attempts after the expiration of the time period without administrative assistance.

Checks: C-39157r628590_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Configuration' tab -> 'User Lockout' tab 5. Ensure the following field values are set: 'Lockout Threshold' = 3 'Lockout Duration' = 15 'Lockout Reset Duration' = 15 If 'Lockout Threshold' is not set to 3 or 'Lockout Duration' is not set to 15 or 'Lockout Reset Duration' is not set to 15, this is a finding.

Fix: F-39120r628591_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Configuration' tab -> 'User Lockout' tab 5. Utilize 'Change Center' to create a new change session 6. Set the following values in the fields as shown: 'Lockout Threshold' = 3 'Lockout Duration' = 15 'Lockout Reset Duration' = 15 7. Click 'Save', and from 'Change Center' click 'Activate Changes' to enable configuration changes

b

Oracle WebLogic must protect against an individual falsely denying having performed a particular action.

AU-10 - Medium - CCI-000166 - V-235939 - SV-235939r628595_rule

RMF Control

AU-10

Severity

Medium

CCI

CCI-000166

Version

WBLC-02-000062

Vuln IDs

V-235939
V-56227

Rule IDs

SV-235939r628595_rule
SV-70481

Non-repudiation of actions taken is required in order to maintain application integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. Non-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document. Typical application server actions requiring non-repudiation will be related to application deployment among developer/users and administrative actions taken by admin personnel.

Checks: C-39158r628593_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Security' -> 'Audit Policy' 3. Select 'Oracle Platform Security Services' from the 'Audit Component Name' dropdown 4. Beneath 'Audit Policy Settings' section, ensure that the value 'Custom' is set in the 'Audit Level' dropdown 5. Beneath 'Audit Policy Settings' section, ensure that every checkbox is selected under the 'Select For Audit' column of the policy category table 6. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Logs' -> 'View Log Messages' 7. Within the 'Search' panel, expand 'Selected Targets' 8. Click 'Target Log Files' icon for any of the managed server or 'Application Deployment' type targets (not AdminServer) 9. From the list of log files, select '<server-name>.log', 'access.log' or '<server-name>-diagnostic.log' and click 'View Log File' button 10. User or process associated with audit event will be displayed in 'User' column 11. If 'User' column does not appear, use 'View' button -> 'Columns' list to add 'User' field, or select individual message in log message table and view the message detail (beneath the table) 12. Repeat steps 6-11 for each target If the user is not part of the audit events, this is a finding.

Fix: F-39121r628594_fix

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Security' -> 'Audit Policy' 3. Select 'Oracle Platform Security Services' from the 'Audit Component Name' dropdown 4. Beneath 'Audit Policy Settings' section, select 'Custom' from the 'Audit Level' dropdown 5. Once it is enabled, click the 'Audit All Events' button and ensure every checkbox is selected under the 'Select For Audit' column of the policy category table. Click 'Apply' 6. If managed server or deployments do not appear in the list of log files, the 'JRF Template' must be applied to the server/cluster 7. Access EM 8. Select the server or cluster from the navigation tree 9. If the 'Apply JRF Template' button appears, click this button and wait for the confirmation message that the template has been successfully applied 10. Again, select the server or cluster from the navigation tree 11. Click the 'Shut Down...' button, and click 'Shutdown' in the confirmation popup. Wait for server or cluster to shut down 12. Click the 'Start Up' button for the server or cluster to start up again

a

Oracle WebLogic must compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within an organization-defined level of tolerance.

AU-12 - Low - CCI-000174 - V-235940 - SV-235940r628598_rule

RMF Control

AU-12

Severity

Low

CCI

CCI-000174

Version

WBLC-02-000065

Vuln IDs

V-235940
V-56229

Rule IDs

SV-235940r628598_rule
SV-70483

Audit generation and audit records can be generated from various components within the application server. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (e.g., auditable events, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked). The events occurring must be time-correlated in order to conduct accurate forensic analysis. In addition, the correlation must meet a certain tolerance criteria. For instance, DoD may define that the time stamps of different audited events must not differ by any amount greater than ten seconds. It is also acceptable for the application server to utilize an external auditing tool that provides this capability.

Checks: C-39159r628596_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'JDBC Data Sources' 3. From the list of data sources, select the one named 'opss-audit-DBDS', which connects to the IAU_APPEND schema of the audit database. Note the value in the 'JNDI name' field. 4. To verify, select 'Configuration' tab -> 'Connection Pool' tab 5. Ensure the 'URL' and 'Properties' fields contain the correct connection values for the IAU_APPEND schema 6. To test, select 'Monitoring' tab, select a server from the list and click 'Test Data Source'. Ensure test was successful. Repeat for each server in the list 7. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Security' -> 'Security Provider Configuration' 8. Beneath 'Audit Service' section, click 'Configure' button 9. Ensure 'Data Source JNDI Name' value matches the JNDI Name value from data source in step 3 above 10. Repeat steps 2-6 for data source named 'wls-wldf-storeDS' and WLS schema 11. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Logs' -> 'View Log Messages' 12. Within the 'Search' panel, expand 'Selected Targets' 13. Use the list of targets to navigate and drill into the log files across the domain If any of the targets are not being logged, this is a finding.

Fix: F-39122r628597_fix

1. Access AC 2. From 'Domain Structure', select 'Services' -> 'Data Sources' 3. Utilize 'Change Center' to create a new change session 4. Click 'New' data source to create a new data source for the audit data store using schema IAU_APPEND 5. Enter database details and JNDI name, click through wizard 6. Select all servers and clusters available as targets to deploy this data source to 7. Finish creating the data source and record the JNDI name 8. Access EM 9. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Security' -> 'Security Provider Configuration' 10. Beneath 'Audit Service' section, click 'Configure' button 11. Set the values for the IAU_APPEND schema and save configuration 12. Repeat steps 2-7 for data source named 'wls-wldf-storeDS' and WLS schema

a

Oracle WebLogic must generate audit records for the DoD-selected list of auditable events.

AU-12 - Low - CCI-000172 - V-235941 - SV-235941r628601_rule

RMF Control

AU-12

Severity

Low

CCI

CCI-000172

Version

WBLC-02-000069

Vuln IDs

V-235941
V-56231

Rule IDs

SV-235941r628601_rule
SV-70485

Audit records can be generated from various components within the application server. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (e.g., auditable events, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked). The DoD-required auditable events are events that assist in intrusion detection and forensic analysis. Failure to capture them increases the likelihood that an adversary can breach the system without detection.

Checks: C-39160r628599_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Logs' -> 'View Log Messages' 3. Within the 'Search' panel, expand 'Selected Targets' 4. Click 'Target Log Files' icon for 'AdminServer' target 5. From the list of log files, select 'access.log' and click 'View Log File' button 6. All HTTPD, JVM, AS process event and other logging of the AdminServer will be displayed 7. Repeat for each managed server If there are no events being logged for any of the managed servers or the AdminServer, this is a finding.

Fix: F-39123r628600_fix

1. Access AC 2. From 'Domain Structure', select 'Environment' -> 'Servers' 3. From the list of servers, select one which needs logging enabled 4. Utilize 'Change Center' to create a new change session 5. From 'Logging' tab -> 'HTTP' tab, select 'HTTP access log file enabled' checkbox. Click 'Save' 6. From 'Logging' tab -> 'General' tab, set the 'Log file name' field to 'logs/<server-name>.log. Click 'Save' 7. From 'Change Center' click 'Activate Changes' to enable configuration changes 8. Access EM 9. Expand the domain from the navigation tree, and select the server which needs JVM logging configured 10. Use the dropdown to select 'WebLogic Server' -> 'Logs' -> 'Log Configuration' 11. Select the 'Log Levels' tab, and within the table, expand 'Root Logger' node 12. Set 'Oracle Diagnostic Logging Level' value to 'WARNING' and click 'Apply'

a

Oracle WebLogic must produce process events and severity levels to establish what type of HTTPD-related events and severity levels occurred.

AU-3 - Low - CCI-000130 - V-235942 - SV-235942r628604_rule

RMF Control

AU-3

Severity

Low

CCI

CCI-000130

Version

WBLC-02-000073

Vuln IDs

V-235942
V-56233

Rule IDs

SV-235942r628604_rule
SV-70487

Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Application servers must log all relevant log data that pertains to application server functionality. Examples of relevant data include, but are not limited to Java Virtual Machine (JVM) activity, HTTPD/Web server activity and application server-related system process activity.

Checks: C-39161r628602_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Logs' -> 'View Log Messages' 3. Within the 'Search' panel, expand 'Selected Targets' 4. Click 'Target Log Files' icon for 'AdminServer' target 5. From the list of log files, select 'access.log' and click 'View Log File' button 6. All HTTPD logging of the AdminServer will be displayed 7. Repeat for each managed server If any managed server or the AdminServer does not have HTTPD events within the access.log file, this is a finding.

Fix: F-39124r628603_fix

1. Access AC 2. From 'Domain Structure', select 'Environment' -> 'Servers' 3. From the list of servers, select one which needs HTTPD logging enabled 4. Utilize 'Change Center' to create a new change session 5. From 'Logging' tab -> 'HTTP' tab, select 'HTTP access log file enabled' checkbox 6. Click 'Save', and from 'Change Center' click 'Activate Changes' to enable configuration changes

a

Oracle WebLogic must produce audit records containing sufficient information to establish what type of JVM-related events and severity levels occurred.

AU-3 - Low - CCI-000130 - V-235943 - SV-235943r628607_rule

RMF Control

AU-3

Severity

Low

CCI

CCI-000130

Version

WBLC-02-000074

Vuln IDs

V-235943
V-56235

Rule IDs

SV-235943r628607_rule
SV-70489

Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control, includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Application servers must log all relevant log data that pertains to application server functionality. Examples of relevant data include, but are not limited to, Java Virtual Machine (JVM) activity, HTTPD activity and application server-related system process activity.

Checks: C-39162r628605_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Logs' -> 'View Log Messages' 3. Within the 'Search' panel, expand 'Selected Targets' 4. Click 'Target Log Files' icon for 'AdminServer' target 5. From the list of log files, select '<server-name>-diagnostic.log' and click 'View Log File' button 6. All JVM logging of the AdminServer will be displayed 7. Repeat for each managed server If there are no JVM-related events for the managed servers or the AdminServer, this is a finding.

Fix: F-39125r628606_fix

1. Access EM 2. Expand the domain from the navigation tree, and select the server which needs JVM logging configured 3. Use the dropdown to select 'WebLogic Server' -> 'Logs' -> 'Log Configuration' 4. Select the 'Log Levels' tab, and within the table, expand 'Root Logger' node 5. Set 'Oracle Diagnostic Logging Level' value to 'WARNING' and click 'Apply'

a

Oracle WebLogic must produce process events and security levels to establish what type of Oracle WebLogic process events and severity levels occurred.

AU-3 - Low - CCI-000130 - V-235944 - SV-235944r628610_rule

RMF Control

AU-3

Severity

Low

CCI

CCI-000130

Version

WBLC-02-000075

Vuln IDs

V-235944
V-56237

Rule IDs

SV-235944r628610_rule
SV-70491

Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control, includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Application servers must log all relevant log data that pertains to application server functionality. Examples of relevant data include, but are not limited to, Java Virtual Machine (JVM) activity, HTTPD activity and application server-related system process activity.

Checks: C-39163r628608_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Logs' -> 'View Log Messages' 3. Within the 'Search' panel, expand 'Selected Targets' 4. Click 'Target Log Files' icon for 'AdminServer' target 5. From the list of log files, select '<server-name>.log' and click 'View Log File' button 6. All AS process logging of the AdminServer will be displayed 7. Repeat for each managed server If the managed servers or AdminServer does not have process events, this is a finding.

Fix: F-39126r628609_fix

1. Access AC 2. From 'Domain Structure', select 'Environment' -> 'Servers' 3. From the list of servers, select one which needs AS process logging configured 4. Utilize 'Change Center' to create a new change session 5. From 'Logging' tab -> 'General' tab, set the 'Log file name' field to 'logs/<server-name>.log 6. Click 'Save', and from 'Change Center' click 'Activate Changes' to enable configuration changes

a

Oracle WebLogic must produce audit records containing sufficient information to establish when (date and time) the events occurred.

AU-3 - Low - CCI-000131 - V-235945 - SV-235945r628613_rule

RMF Control

AU-3

Severity

Low

CCI

CCI-000131

Version

WBLC-02-000076

Vuln IDs

V-235945
V-56239

Rule IDs

SV-235945r628613_rule
SV-70493

Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. In addition to logging event information, application servers must also log the corresponding dates and times of these events. Examples of event data include, but are not limited to, Java Virtual Machine (JVM) activity, HTTPD activity and application server-related system process activity.

Checks: C-39164r628611_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Logs' -> 'View Log Messages' 3. Within the 'Search' panel, expand 'Selected Targets' 4. Click 'Target Log Files' icon for any of the managed server or 'Application Deployment' type targets (not AdminServer) 5. From the list of log files, select '<server-name>.log', 'access.log' or '<server-name>-diagnostic.log' and click 'View Log File' button 6. Time stamp of audit event will be displayed in 'Time' column 7. If 'Time' column does not appear, use 'View' button -> 'Columns' list to add 'Time' field, or select individual message in log message table and view the message detail (beneath the table) 8. Repeat for each target If any of the targets generate audit records without date and time data, this is a finding.

Fix: F-39127r628612_fix

1. If managed server or deployments do not appear in the list of log files, the 'JRF Template' must be applied to the server/cluster 2. Access EM 3. Select the server or cluster from the navigation tree 4. If the 'Apply JRF Template' button appears, click this button and wait for the confirmation message that the template has been successfully applied 5. Again, select the server or cluster from the navigation tree 6. Click the 'Shut Down...' button, and click 'Shutdown' in the confirmation popup. Wait for server or cluster to shut down. 7. Click the 'Start Up' button for the server or cluster to start up again

a

Oracle WebLogic must produce audit records containing sufficient information to establish where the events occurred.

AU-3 - Low - CCI-000132 - V-235946 - SV-235946r628616_rule

RMF Control

AU-3

Severity

Low

CCI

CCI-000132

Version

WBLC-02-000077

Vuln IDs

V-235946
V-56241

Rule IDs

SV-235946r628616_rule
SV-70495

Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Without sufficient information establishing where the audit events occurred, investigation into the cause of events is severely hindered. In addition to logging relevant data, application servers must also log information to indicate the location of these events. Examples of relevant data include, but are not limited to, Java Virtual Machine (JVM) activity, HTTPD activity and application server-related system process activity.

Checks: C-39165r628614_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Logs' -> 'View Log Messages' 3. Within the 'Search' panel, expand 'Selected Targets' 4. Click 'Target Log Files' icon for any of the managed server or 'Application Deployment' type targets (not AdminServer) 5. From the list of log files, select '<server-name>.log', 'access.log' or '<server-name>-diagnostic.log' and click 'View Log File' button 6. Select any record which appears in the log message table 7. Location of audit event will be displayed in 'Component' and 'Module' fields of the message detail (beneath the table) 8. Repeat for each target If any of the targets generate audit records without sufficient information to establish where the event occurred, this is a finding.

Fix: F-39128r628615_fix

1. If managed server or deployments do not appear in the list of log files, the 'JRF Template' must be applied to the server/cluster 2. Access EM 3. Select the server or cluster from the navigation tree 4. If the 'Apply JRF Template' button appears, click this button and wait for the confirmation message that the template has been successfully applied 5. Again, select the server or cluster from the navigation tree 6. Click the 'Shut Down...' button, and click 'Shutdown' in the confirmation popup. Wait for server or cluster to shut down. 7. Click the 'Start Up' button for the server or cluster to start up again

a

Oracle WebLogic must produce audit records containing sufficient information to establish the sources of the events.

AU-3 - Low - CCI-000133 - V-235947 - SV-235947r628619_rule

RMF Control

AU-3

Severity

Low

CCI

CCI-000133

Version

WBLC-02-000078

Vuln IDs

V-235947
V-56243

Rule IDs

SV-235947r628619_rule
SV-70497

Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application specific events, success/fail indications, filenames involved, access control or flow control rules invoked. Without information establishing the source of activity, the value of audit records from a forensics perspective is questionable. Examples of activity sources include, but are not limited to, application process sources such as one process affecting another process, user-related activity, and activity resulting from remote network system access (IP addresses).

Checks: C-39166r628617_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Logs' -> 'View Log Messages' 3. Within the 'Search' panel, expand 'Selected Targets' 4. Click 'Target Log Files' icon for any of the managed server or 'Application Deployment' type targets (not AdminServer) 5. From the list of log files, select '<server-name>.log', 'access.log' or '<server-name>-diagnostic.log' and click 'View Log File' button 6. Select any record which appears in the log message table 7. Source of audit event will be displayed in 'Host', 'Host IP Address', 'Thread ID', 'REMOTE_HOST' fields of the message detail (beneath the table), depending on which logfile and target type is selected 8. Repeat for each target If any of the targets generate audit records without sufficient information to establish the source of the events, this is a finding.

Fix: F-39129r628618_fix

1. If managed server or deployments do not appear in the list of log files, the 'JRF Template' must be applied to the server/cluster 2. Access EM 3. Select the server or cluster from the navigation tree 4. If the 'Apply JRF Template' button appears, click this button and wait for the confirmation message that the template has been successfully applied 5. Again, select the server or cluster from the navigation tree 6. Click the 'Shut Down...' button, and click 'Shutdown' in the confirmation popup. Wait for server or cluster to shut down. 7. Click the 'Start Up' button for the server or cluster to start up again

a

Oracle WebLogic must produce audit records that contain sufficient information to establish the outcome (success or failure) of application server and application events.

AU-3 - Low - CCI-000134 - V-235948 - SV-235948r628622_rule

RMF Control

AU-3

Severity

Low

CCI

CCI-000134

Version

WBLC-02-000079

Vuln IDs

V-235948
V-56245

Rule IDs

SV-235948r628622_rule
SV-70499

Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application specific events, success/fail indications, filenames involved, access control or flow control rules invoked. Success and failure indicators ascertain the outcome of a particular application server event of function. As such, they also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response.

Checks: C-39167r628620_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Logs' -> 'View Log Messages' 3. Within the 'Search' panel, expand 'Selected Targets' 4. Click 'Target Log Files' icon for any of the managed server or 'Application Deployment' type targets (not AdminServer) 5. From the list of log files, select '<server-name>.log', 'access.log' or '<server-name>-diagnostic.log' and click 'View Log File' button 6. Outcome of audit event will be displayed in 'Message Type' column. 'Error' or 'Exception' indicates failures, others message types indicate success 7. If 'Message Type' column does not appear, use 'View' button -> 'Columns' list to add 'Message Type' field, or select individual message in log message table and view the message detail (beneath the table) 8. Repeat for each target If any of the targets generate audit records without sufficient information to establish the outcome of the event, this is a finding.

Fix: F-39130r628621_fix

1. If managed server or deployments do not appear in the list of log files, the 'JRF Template' must be applied to the server/cluster 2. Access EM 3. Select the server or cluster from the navigation tree 4. If the 'Apply JRF Template' button appears, click this button and wait for the confirmation message that the template has been successfully applied 5. Again, select the server or cluster from the navigation tree 6. Click the 'Shut Down...' button, and click 'Shutdown' in the confirmation popup. Wait for server or cluster to shut down. 7. Click the 'Start Up' button for the server or cluster to start up again

b

Oracle WebLogic must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event.

AU-3 - Medium - CCI-001487 - V-235949 - SV-235949r628625_rule

RMF Control

AU-3

Severity

Medium

CCI

CCI-001487

Version

WBLC-02-000080

Vuln IDs

V-235949
V-56247

Rule IDs

SV-235949r628625_rule
SV-70501

Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control, includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Application servers have differing levels of logging capabilities which can be specified by setting a verbosity level. The application server must, at a minimum, be capable of establishing the identity of any user or process that is associated with any particular event.

Checks: C-39168r628623_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Logs' -> 'View Log Messages' 3. Within the 'Search' panel, expand 'Selected Targets' 4. Click 'Target Log Files' icon for any of the managed server or 'Application Deployment' type targets (not AdminServer) 5. From the list of log files, select '<server-name>.log', 'access.log' or '<server-name>-diagnostic.log' and click 'View Log File' button 6. User or process associated with audit event will be displayed in 'User' column 7. If 'User' column does not appear, use 'View' button -> 'Columns' list to add 'User' field, or select individual message in log message table and view the message detail (beneath the table) 8. Repeat for each target If any of the targets generate audit records without sufficient information to establish the identity of any user/subject or process, this is a finding.

Fix: F-39131r628624_fix

1. If managed server or deployments do not appear in the list of log files, the 'JRF Template' must be applied to the server/cluster 2. Access EM 3. Select the server or cluster from the navigation tree 4. If the 'Apply JRF Template' button appears, click this button and wait for the confirmation message that the template has been successfully applied 5. Again, select the server or cluster from the navigation tree 6. Click the 'Shut Down...' button, and click 'Shutdown' in the confirmation popup. Wait for server or cluster to shut down 7. Click the 'Start Up' button for the server or cluster to start up again

b

Oracle WebLogic must provide the ability to write specified audit record content to an audit log server.

AU-4 - Medium - CCI-001851 - V-235950 - SV-235950r628628_rule

RMF Control

AU-4

Severity

Medium

CCI

CCI-001851

Version

WBLC-02-000081

Vuln IDs

V-235950
V-56249

Rule IDs

SV-235950r628628_rule
SV-70503

Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application specific events, success/fail indications, filenames involved, access control or flow control rules invoked. Centralized management of audit records and logs provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. Application servers and their related components are required to be capable of writing logs to centralized audit log servers.

Checks: C-39169r628626_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'JDBC Data Sources' 3. From the list of data sources, select the one named 'opss-audit-DBDS', which connects to the IAU_APPEND schema of the audit database. Note the value in the 'JNDI name' field 4. To verify, select 'Configuration' tab -> 'Connection Pool' tab 5. Ensure the 'URL' and 'Properties' fields contain the correct connection values for the IAU_APPEND schema 6. To test, select 'Monitoring' tab, select a server from the list and click 'Test Data Source'. Ensure test was successful. Repeat for each server in the list 7. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Security' -> 'Security Provider Configuration' 8. Beneath 'Audit Service' section, click 'Configure' button 9. Ensure 'Data Source JNDI Name' value matches the JNDI Name value from data source in step 3 above 10. Repeat steps 2-6 for data source named 'wls-wldf-storeDS' and WLS schema If the location for audit data is not an audit log server, this is a finding.

Fix: F-39132r628627_fix

1. Access AC 2. From 'Domain Structure', select 'Services' -> 'Data Sources' 3. Utilize 'Change Center' to create a new change session 4. Click 'New' data source to create a new data source for the audit data store using schema IAU_APPEND 5. Enter database details and JNDI name, click through wizard 6. Select all servers and clusters available as targets to deploy this data source to 7. Finish creating the data source and record the JNDI name 8. Access EM 9. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Security' -> 'Security Provider Configuration' 10. Beneath 'Audit Service' section, click 'Configure' button 11. Set the values for the IAU_APPEND schema and save configuration 12. Repeat steps 2-7 for data source named 'wls-wldf-storeDS' and WLS schema

a

Oracle WebLogic must provide a real-time alert when organization-defined audit failure events occur.

AU-5 - Low - CCI-000139 - V-235951 - SV-235951r628631_rule

RMF Control

AU-5

Severity

Low

CCI

CCI-000139

Version

WBLC-02-000083

Vuln IDs

V-235951
V-56251

Rule IDs

SV-235951r628631_rule
SV-70505

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Notification of the failure event will allow administrators to take actions so that logs are not lost.

Checks: C-39170r628629_chk

1. Access AC 2. From 'Domain Structure', select 'Diagnostics' -> 'Diagnostic Modules' 3. Select 'Module-HealthState' from 'Diagnostic System Modules' list 4. Select 'Configuration' tab -> 'Watches and Notifications' tab. Select the 'Watches' tab from the bottom of page 5. Ensure 'ServerHealthWatch' row has 'Enabled' column value set to 'true' 6. Select 'Configuration' tab -> 'Watches and Notifications' tab. Select the 'Notifications' tab from the bottom of page 7. Ensure 'ServerHealthNotification' row has 'Enable Notification' column value set to 'true' If 'ServerHealthNotification' row has 'Enable Notification' column value is not set to 'true', this is a finding.

Fix: F-39133r628630_fix

1. Access AC 2. Utilize 'Change Center' to create a new change session 3. From 'Domain Structure', select 'Diagnostics' -> 'Diagnostic Modules' 4. If 'Module-HealthState' does not exist, click 'New' button. Enter 'Module-HealthState' in 'Name' field and click 'OK' button. 5. Select 'Module-HealthState' from 'Diagnostic System Modules' list 6. Select 'Configuration' tab -> 'Watches and Notifications' tab. Select the 'Watches' tab from the bottom of page 7. Click 'New' button. Set the following values in the fields as shown: 'Watch Name' = 'ServerHealthWatch' 'Watch Type' = 'Collected Metrics' 'Enable Watch' = selected 8. Click 'Next' 9. Click 'Add Expressions' 10. Set 'MBean Server location' dropdown value to 'ServerRuntime'. Click 'Next' 11. Set 'MBean Type' dropdown value to 'weblogic.management.runtime.ServerRuntimeMBean'. Click 'Next' 12. Set 'Instance' dropdown value to a WebLogic Server instance to be monitored. Click 'Next' 13. Select 'Enter an Attribute Expression' radio button, enter following value in 'Attribute Expression' field: HealthState.State 14. Set 'Operator' dropdown value to '>='. Set 'Value' field to '3'. Click 'Finish' 15. Repeat steps 9-14 for all WebLogic Server instances to be monitored. Click 'Finish' 16. Continuing from step 6 above, select the 'Notifications' tab from the bottom of page 17. Click 'New' button. Set 'Type' dropdown value to 'SMTP (E-Mail)'. Click 'Next'. Set the following values in the fields as shown: 'Notification Name' = 'ServerHealthNotification' 'Enable Notification' = selected 18. Click 'Next' 19. Select an existing 'Mail Session Name', or click 'Create a New Mail Session' button to create one (JNDI name and Java mail settings must be known) 20. In 'E-Mail Recipients' text area, add list of administrator email addresses, and customize 'E-Mail Subject' and 'E-Mail Body' fields as needed. Click 'Finish' 21. Return to the 'Watches' tab from the bottom of page. Select 'ServerHealthWatch' Select 'Notifications' tab 22. Use shuttle list to set 'ServerHealthNotification' into the 'Chosen' table. Click 'Save'

a

Oracle WebLogic must alert designated individual organizational officials in the event of an audit processing failure.

AU-5 - Low - CCI-000139 - V-235952 - SV-235952r628634_rule

RMF Control

AU-5

Severity

Low

CCI

CCI-000139

Version

WBLC-02-000084

Vuln IDs

V-235952
V-56253

Rule IDs

SV-235952r628634_rule
SV-70507

Audit processing failures include, but are not limited to, failures in the application server log capturing mechanisms or audit storage capacity being reached or exceeded. In some instances, it is preferred to send alarms to individuals rather than to an entire group. Application servers must be able to trigger an alarm and send that alert to designated individuals in the event there is an application server audit processing failure.

Checks: C-39171r628632_chk

1. Access AC 2. From 'Domain Structure', select 'Diagnostics' -> 'Diagnostic Modules' 3. Select 'Module-HealthState' from 'Diagnostic System Modules' list 4. Select 'Configuration' tab -> 'Watches and Notifications' tab. Select the 'Watches' tab from the bottom of page 5. Ensure 'ServerHealthWatch' row has 'Enabled' column value set to 'true' 6. Select 'Configuration' tab -> 'Watches and Notifications' tab. Select the 'Notifications' tab from the bottom of page 7. Ensure 'ServerHealthNotification' row has 'Enable Notification' column value set to 'true' If 'ServerHealthNotification' row has 'Enable Notification' column value is not set to 'true', this is a finding.

Fix: F-39134r628633_fix

1. Access AC 2. Utilize 'Change Center' to create a new change session 3. From 'Domain Structure', select 'Diagnostics' -> 'Diagnostic Modules' 4. If 'Module-HealthState' does not exist, click 'New' button. Enter 'Module-HealthState' in 'Name' field and click 'OK' button 5. Select 'Module-HealthState' from 'Diagnostic System Modules' list 6. Select 'Configuration' tab -> 'Watches and Notifications' tab. Select the 'Watches' tab from the bottom of page 7. Click 'New' button. Set the following values in the fields as shown: 'Watch Name' = 'ServerHealthWatch' 'Watch Type' = 'Collected Metrics' 'Enable Watch' = selected 8. Click 'Next' 9. Click 'Add Expressions' 10. Set 'MBean Server location' dropdown value to 'ServerRuntime'. Click 'Next' 11. Set 'MBean Type' dropdown value to 'weblogic.management.runtime.ServerRuntimeMBean'. Click 'Next' 12. Set 'Instance' dropdown value to a WebLogic Server instance to be monitored. Click 'Next' 13. Select 'Enter an Attribute Expression' radio button, enter following value in 'Attribute Expression' field: HealthState.State 14. Set 'Operator' dropdown value to '>='. Set 'Value' field to '3'. Click 'Finish' 15. Repeat steps 9-14 for all WebLogic Server instances to be monitored. Click 'Finish' 16. Continuing from step 6 above, select the 'Notifications' tab from the bottom of page 17. Click 'New' button. Set 'Type' dropdown value to 'SMTP (E-Mail)'. Click 'Next'. Set the following values in the fields as shown: 'Notification Name' = 'ServerHealthNotification' 'Enable Notification' = selected 18. Click 'Next' 19. Select an existing 'Mail Session Name', or click 'Create a New Mail Session' button to create one (JNDI name and Java mail settings must be known) 20. In 'E-Mail Recipients' text area, add list of administrator email addresses, and customize 'E-Mail Subject' and 'E-Mail Body' fields as needed. Click 'Finish' 21. Return to the 'Watches' tab from the bottom of page. Select 'ServerHealthWatch'. Select 'Notifications' tab 22. Use shuttle list to set 'ServerHealthNotification' into the 'Chosen' table. Click 'Save'

a

Oracle WebLogic must notify administrative personnel as a group in the event of audit processing failure.

AU-5 - Low - CCI-000140 - V-235953 - SV-235953r628637_rule

RMF Control

AU-5

Severity

Low

CCI

CCI-000140

Version

WBLC-02-000086

Vuln IDs

V-235953
V-56255

Rule IDs

SV-235953r628637_rule
SV-70509

Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. To ensure flexibility and ease of use, application servers must be capable of notifying a group of administrative personnel upon detection of an application audit log processing failure.

Checks: C-39172r628635_chk

1. Access AC 2. From 'Domain Structure', select 'Diagnostics' -> 'Diagnostic Modules' 3. Select 'Module-HealthState' from 'Diagnostic System Modules' list 4. Select 'Configuration' tab -> 'Watches and Notifications' tab. Select the 'Watches' tab from the bottom of page 5. Ensure 'ServerHealthWatch' row has 'Enabled' column value set to 'true' 6. Select 'Configuration' tab -> 'Watches and Notifications' tab. Select the 'Notifications' tab from the bottom of page 7. Ensure 'ServerHealthNotification' row has 'Enable Notification' column value set to 'true' If 'ServerHealthNotification' row has 'Enable Notification' column value not set to 'true', this is a finding.

Fix: F-39135r628636_fix

1. Access AC 2. Utilize 'Change Center' to create a new change session 3. From 'Domain Structure', select 'Diagnostics' -> 'Diagnostic Modules' 4. If 'Module-HealthState' does not exist, click 'New' button. Enter 'Module-HealthState' in 'Name' field and click 'OK' button 5. Select 'Module-HealthState' from 'Diagnostic System Modules' list 6. Select 'Configuration' tab -> 'Watches and Notifications' tab. Select the 'Watches' tab from the bottom of page 7. Click 'New' button. Set the following values in the fields as shown: 'Watch Name' = 'ServerHealthWatch' 'Watch Type' = 'Collected Metrics' 'Enable Watch' = selected 8. Click 'Next' 9. Click 'Add Expressions' 10. Set 'MBean Server location' dropdown value to 'ServerRuntime'. Click 'Next' 11. Set 'MBean Type' dropdown value to 'weblogic.management.runtime.ServerRuntimeMBean'. Click 'Next' 12. Set 'Instance' dropdown value to a WebLogic Server instance to be monitored. Click 'Next' 13. Select 'Enter an Attribute Expression' radio button, enter following value in 'Attribute Expression' field: HealthState.State 14. Set 'Operator' dropdown value to '>='. Set 'Value' field to '3'. Click 'Finish' 15. Repeat steps 9-14 for all WebLogic Server instances to be monitored. Click 'Finish' 16. Continuing from step 6 above, select the 'Notifications' tab from the bottom of page 17. Click 'New' button. Set 'Type' dropdown value to 'SMTP (E-Mail)'. Click 'Next'. Set the following values in the fields as shown: 'Notification Name' = 'ServerHealthNotification' 'Enable Notification' = selected 18. Click 'Next' 19. Select an existing 'Mail Session Name', or click 'Create a New Mail Session' button to create one (JNDI name and Java mail settings must be known) 20. In 'E-Mail Recipients' text area, add list of administrator email addresses, and customize 'E-Mail Subject' and 'E-Mail Body' fields as needed. Click 'Finish' 21. Return to the 'Watches' tab from the bottom of page. Select 'ServerHealthWatch'. Select 'Notifications' tab 22. Use shuttle list to set 'ServerHealthNotification' into the 'Chosen' table. Click 'Save'

a

Oracle WebLogic must use internal system clocks to generate time stamps for audit records.

AU-8 - Low - CCI-000159 - V-235954 - SV-235954r628640_rule

RMF Control

AU-8

Severity

Low

CCI

CCI-000159

Version

WBLC-02-000093

Vuln IDs

V-235954
V-56257

Rule IDs

SV-235954r628640_rule
SV-70511

Without the use of an approved and synchronized time source, configured on the systems, events cannot be accurately correlated and analyzed to determine what is transpiring within the application server. If an event has been triggered on the network, and the application server is not configured with the correct time, the event may be seen as insignificant, when in reality the events are related and may have a larger impact across the network. Synchronization of system clocks is needed in order to correctly correlate the timing of events that occur across multiple systems. Determining the correct time a particular event occurred on a system, via time stamps, is critical when conducting forensic analysis and investigating system events. Application servers must utilize the internal system clock when generating time stamps and audit records.

Checks: C-39173r628638_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Security' -> 'Security Provider Configuration' 3. Beneath 'Audit Service' section, click 'Configure' button 4. Ensure the 'Timezone Settings' radio button is set to 'UTC' so audit logs will be time stamped in Coordinated Universal Time regardless of the time zone of the underlying physical or virtual machine 5. The time stamp will be recorded according to the operating system's set time If the 'Timezone Settings' radio button is not set to 'UTC', this is a finding.

Fix: F-39136r628639_fix

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Security' -> 'Security Provider Configuration' 3. Beneath 'Audit Service' section, click 'Configure' button 4. Set the 'Timezone Settings' radio button to 'UTC' so audit logs will be time stamped in Coordinated Universal Time regardless of the time zone of the underlying physical or virtual machine 5. The time stamp will be recorded according to the operating system's set time 6. Click 'Apply' and restart the servers in the WebLogic domain

a

Oracle WebLogic must synchronize with internal information system clocks which, in turn, are synchronized on an organization-defined frequency with an organization-defined authoritative time source.

AU-8 - Low - CCI-002046 - V-235955 - SV-235955r628643_rule

RMF Control

AU-8

Severity

Low

CCI

CCI-002046

Version

WBLC-02-000094

Vuln IDs

V-235955
V-56259

Rule IDs

SV-235955r628643_rule
SV-70513

Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events. Synchronization of system clocks is needed in order to correctly correlate the timing of events that occur across multiple systems. To meet that requirement the organization will define an authoritative time source and frequency to which each system will synchronize its internal clock. Application servers must defer accurate timekeeping services to the operating system upon which the application server is installed.

Checks: C-39174r628641_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Security' -> 'Security Provider Configuration' 3. Beneath 'Audit Service' section, click 'Configure' button 4. Ensure the 'Timezone Settings' radio button is set to 'UTC' so audit logs will be time stamped in Coordinated Universal Time regardless of the time zone of the underlying physical or virtual machine 5. The time stamp will be recorded according to the operating system's set time If the 'Timezone Settings' radio button is not set to 'UTC', this is a finding.

Fix: F-39137r628642_fix

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Security' -> 'Security Provider Configuration' 3. Beneath 'Audit Service' section, click 'Configure' button 4. Set the 'Timezone Settings' radio button to 'UTC' so audit logs will be time stamped in Coordinated Universal Time regardless of the time zone of the underlying physical or virtual machine 5. The time stamp will be recorded according to the operating system's set time 6. Click 'Apply' and restart the servers in the WebLogic domain

a

Oracle WebLogic must protect audit information from any type of unauthorized read access.

AU-9 - Low - CCI-000162 - V-235956 - SV-235956r628646_rule

RMF Control

AU-9

Severity

Low

CCI

CCI-000162

Version

WBLC-02-000095

Vuln IDs

V-235956
V-56261

Rule IDs

SV-235956r628646_rule
SV-70515

If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access to audit records provides information an attacker could potentially use to his or her advantage. Application servers contain admin interfaces that allow reading and manipulation of audit records. Therefore, these interfaces should not allow for unfettered access to those records. Application servers also write audit data to log files which are stored on the OS, so appropriate file permissions must also be used to restrict access. Audit information includes all information (e.g., audit records, audit settings, transaction logs, and audit reports) needed to successfully audit information system activity. Application servers must protect audit information from unauthorized read access.

Checks: C-39175r628644_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Users and Groups' tab -> 'Users' tab 5. From 'Users' table, select a user that must not have audit read access 6. From users settings page, select 'Groups' tab 7. Ensure the 'Chosen' table does not contain any of the following roles - 'Admin', 'Deployer', 'Monitor', 'Operator' 8. Repeat steps 5-7 for all users that must not have audit read access If any users that should not have access to read audit information contain any of the roles of 'Admin', 'Deployer', 'Monitor' or 'Operator', this is a finding.

Fix: F-39138r628645_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Users and Groups' tab -> 'Users' tab 5. From 'Users' table, select a user that must not have audit read access 6. From users settings page, select 'Groups' tab 7. From the 'Chosen' table, use the shuttle buttons to remove all of the following roles - 'Admin', 'Deployer', 'Monitor', 'Operator' 8. Click 'Save' 9. Repeat steps 5-8 for all users that must not have audit read access

b

Oracle WebLogic must protect audit tools from unauthorized access.

AU-9 - Medium - CCI-001493 - V-235957 - SV-235957r628649_rule

RMF Control

AU-9

Severity

Medium

CCI

CCI-001493

Version

WBLC-02-000098

Vuln IDs

V-235957
V-56263

Rule IDs

SV-235957r628649_rule
SV-70517

Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. It is, therefore, imperative that access to audit tools be controlled and protected from unauthorized access. Application servers provide a web and/or a command line-based management functionality for managing the application server audit capabilities. In addition, subsets of audit tool components may be stored on the file system as jar or xml configuration files. The application server must ensure that in addition to protecting any web based audit tools, any file system-based tools are protected as well.

Checks: C-39176r628647_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Users and Groups' tab -> 'Users' tab 5. From 'Users' table, select a user that must not have audit tool configuration access 6. From users settings page, select 'Groups' tab 7. Ensure the 'Chosen' table does not contain the role - 'Admin' 8. Repeat steps 5-7 for all users that must not have audit tool configuration access If any users that should not have access to the audit tools contains the role of 'Admin', this is a finding.

Fix: F-39139r628648_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Users and Groups' tab -> 'Users' tab 5. From 'Users' table, select a user that must not have audit tool configuration access 6. From users settings page, select 'Groups' tab 7. From the 'Chosen' table, use the shuttle buttons to remove the role - 'Admin' 8. Click 'Save' 9. Repeat steps 5-8 for all users that must not have audit tool configuration access

b

Oracle WebLogic must protect audit tools from unauthorized modification.

AU-9 - Medium - CCI-001494 - V-235958 - SV-235958r628652_rule

RMF Control

AU-9

Severity

Medium

CCI

CCI-001494

Version

WBLC-02-000099

Vuln IDs

V-235958
V-56265

Rule IDs

SV-235958r628652_rule
SV-70519

Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. It is, therefore, imperative that access to audit tools be controlled and protected from unauthorized modification. If an attacker were to modify audit tools, he could also manipulate logs to hide evidence of malicious activity. Application servers provide a web- and/or a command line-based management functionality for managing the application server audit capabilities. In addition, subsets of audit tool components may be stored on the file system as jar or xml configuration files. The application server must ensure that in addition to protecting any web-based audit tools, any file system-based tools are protected as well.

Checks: C-39177r628650_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Users and Groups' tab -> 'Users' tab 5. From 'Users' table, select a user that must not have audit tool configuration access 6. From users settings page, select 'Groups' tab 7. Ensure the 'Chosen' table does not contain the role - 'Admin' 8. Repeat steps 5-7 for all users that must not have audit tool configuration access If any users that should not have access to the audit tools contains the role of 'Admin', this is a finding.

Fix: F-39140r628651_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Users and Groups' tab -> 'Users' tab 5. From 'Users' table, select a user that must not have audit tool configuration access 6. From users settings page, select 'Groups' tab 7. From the 'Chosen' table, use the shuttle buttons to remove the role - 'Admin' 8. Click 'Save' 9. Repeat steps 5-8 for all users that must not have audit tool configuration access

b

Oracle WebLogic must protect audit tools from unauthorized deletion.

AU-9 - Medium - CCI-001495 - V-235959 - SV-235959r628655_rule

RMF Control

AU-9

Severity

Medium

CCI

CCI-001495

Version

WBLC-02-000100

Vuln IDs

V-235959
V-56267

Rule IDs

SV-235959r628655_rule
SV-70521

Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. It is, therefore, imperative that access to audit tools be controlled and protected from unauthorized modification. If an attacker were to delete audit tools the application server administrators would have no way of managing or viewing the logs. Application servers provide a web- and/or a command line-based management functionality for managing the application server audit capabilities. In addition, subsets of audit tool components may be stored on the file system as jar, class, or xml configuration files. The application server must ensure that in addition to protecting any web-based audit tools, any file system-based tools are protected from unauthorized deletion as well.

Checks: C-39178r628653_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Users and Groups' tab -> 'Users' tab 5. From 'Users' table, select a user that must not have audit tool configuration access 6. From users settings page, select 'Groups' tab 7. Ensure the 'Chosen' table does not contain the role - 'Admin' 8. Repeat steps 5-7 for all users that must not have audit tool configuration access If any users that should not have access to the audit tools contains the role of 'Admin', this is a finding.

Fix: F-39141r628654_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Users and Groups' tab -> 'Users' tab 5. From 'Users' table, select a user that must not have audit tool configuration access 6. From users settings page, select 'Groups' tab 7. From the 'Chosen' table, use the shuttle buttons to remove the role - 'Admin' 8. Click 'Save' 9. Repeat steps 5-8 for all users that must not have audit tool configuration access

b

Oracle WebLogic must limit privileges to change the software resident within software libraries (including privileged programs).

CM-5 - Medium - CCI-001499 - V-235960 - SV-235960r628658_rule

RMF Control

CM-5

Severity

Medium

CCI

CCI-001499

Version

WBLC-03-000125

Vuln IDs

V-235960
V-56269

Rule IDs

SV-235960r628658_rule
SV-70523

Application servers have the ability to specify that the hosted applications utilize shared libraries. The application server must have a capability to divide roles based upon duties wherein one project user (such as a developer) cannot modify the shared library code of another project user. The application server must also be able to specify that non-privileged users cannot modify any shared library code at all.

Checks: C-39179r628656_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Users and Groups' tab -> 'Users' tab 5. From 'Users' table, select a user that must not have shared library modification access 6. From users settings page, select 'Groups' tab 7. Ensure the 'Chosen' table does not contain the roles - 'Admin', 'Deployer' 8. Repeat steps 5-7 for all users that must not have shared library modification access If any users that are not permitted to change the software resident within software libraries (including privileged programs) have the role of 'Admin' or 'Deployer', this is a finding.

Fix: F-39142r628657_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Users and Groups' tab -> 'Users' tab 5. From 'Users' table, select a user that must not have shared library modification access 6. From users settings page, select 'Groups' tab 7. From the 'Chosen' table, use the shuttle buttons to remove the role - 'Admin', 'Deployer' 8. Click 'Save' 9. Repeat steps 5-8 for all users that must not have shared library modification access

b

Oracle WebLogic must adhere to the principles of least functionality by providing only essential capabilities.

CM-7 - Medium - CCI-000381 - V-235961 - SV-235961r628661_rule

RMF Control

CM-7

Severity

Medium

CCI

CCI-000381

Version

WBLC-03-000127

Vuln IDs

V-235961
V-56271

Rule IDs

SV-235961r628661_rule
SV-70525

Application servers provide a myriad of differing processes, features and functionalities. Some of these processes may be deemed to be unnecessary or too insecure to run on a production DoD system. Application servers must provide the capability to disable or deactivate functionality and services that are deemed to be non-essential to the server mission or can adversely impact server performance, for example, disabling dynamic JSP reloading on production application servers as a best practice.

Checks: C-39180r628659_chk

1. Access AC 2. From 'Domain Structure', select 'Deployments' 3. Select a deployment of type 'Web Application' from list of deployments 4. Select 'Configuration' tab -> 'General' tab 5. Ensure 'JSP Page Check' field value is set to '-1', which indicates JSP reloading is disabled within this deployment. Repeat steps 3-5 for all 'Web Application' type deployments 6. For every WebLogic resource within the domain, the 'Configuration' tab and associated subtabs provide the ability to disable or deactivate functionality and services that are deemed to be non-essential to the server mission or can adversely impact server performance If the 'JSP Page Check' field is not set to '-1' or other services or functionality deemed to be non-essential to the server mission is not set to '-1', this is a finding.

Fix: F-39143r628660_fix

1. Access AC 2. From 'Domain Structure', select 'Deployments' 3. Select a deployment of type 'Web Application' from list of deployments 4. Select 'Configuration' tab -> 'General' tab 5. Utilize 'Change Center' to create a new change session 6. Set 'JSP Page Check' field value to '-1', which indicates JSP reloading is disabled within this deployment. Click 'Save'. Repeat steps 3-6 for all 'Web Application' type deployments. 7. For every WebLogic resource within the domain, the 'Configuration' tab and associated subtabs provide the ability to disable or deactivate functionality and services that are deemed to be non-essential to the server mission or can adversely impact server performance

b

Oracle WebLogic must prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services.

CM-7 - Medium - CCI-000382 - V-235962 - SV-235962r672376_rule

RMF Control

CM-7

Severity

Medium

CCI

CCI-000382

Version

WBLC-03-000128

Vuln IDs

V-235962
V-56273

Rule IDs

SV-235962r672376_rule
SV-70527

Application servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed to be unnecessary or too insecure to run on a production system. The application server must provide the capability to disable or deactivate network-related services that are deemed to be non-essential to the server mission, for example, disabling a protocol or feature that opens a listening port that is prohibited by DoD ports and protocols. For a list of approved ports and protocols reference the DoD ports and protocols web site at https://cyber.mil/ppsm.

Checks: C-39181r628662_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Monitoring' -> 'Port Usage' 3. In the results table, ensure values in the 'Port in Use' column match approved ports 4. In the results table, ensure values in the 'Protocol' column match approved protocols If any ports listed in the 'Port in Use' column is an unauthorized port or any protocols listed in the 'Protocol' column is an unauthorized protocol, this is a finding.

Fix: F-39144r628663_fix

1. Access AC 2. To change port or protocol values, from 'Domain Structure', select 'Environment' -> 'Servers' 3. From the list of servers, select one which needs modification 4. Utilize 'Change Center' to create a new change session 5. To modify port assignment, from 'Configuration' tab -> 'General' tab, reassign the port for this server by changing the 'SSL Listen Port' field and click 'Save' 6. To modify protocol configuration, select 'Protocols' tab 7. Use the subtabs 'HTTP', 'jCOM' and 'IIOP' to configure these protocols 8. Use the 'Channels' subtab to create/modify channels which configure other protocols 9. Repeat steps 3-8 for all servers requiring modification 10. Review the 'Port Usage' table in EM again to ensure port has been reassigned

a

Oracle WebLogic must utilize automated mechanisms to prevent program execution on the information system.

CM-6 - Low - CCI-000366 - V-235963 - SV-235963r628667_rule

RMF Control

CM-6

Severity

Low

CCI

CCI-000366

Version

WBLC-03-000129

Vuln IDs

V-235963
V-56275

Rule IDs

SV-235963r628667_rule
SV-70529

The application server must provide a capability to halt or otherwise disable the automatic execution of deployed applications until such time that the application is considered part of the established application server baseline. Deployment to the application server should not provide a means for automatic application start-up should the application server itself encounter a restart condition.

Checks: C-39182r628665_chk

1. Access AC 2. From 'Domain Structure', select the top-level domain 3. Select 'Configuration' tab -> 'General' tab 4. Ensure 'Production Mode' checkbox is selected If the 'Production Mode' checkbox is not selected, this is a finding.

Fix: F-39145r628666_fix

1. Access AC 2. From 'Domain Structure', select the top-level domain 3. Select 'Configuration' tab -> 'General' tab 4. Check 'Production Mode' checkbox. Click 'Save' 5. Restart all servers

c

Oracle WebLogic must uniquely identify and authenticate users (or processes acting on behalf of users).

IA-2 - High - CCI-000764 - V-235964 - SV-235964r628670_rule

RMF Control

IA-2

Severity

High

CCI

CCI-000764

Version

WBLC-05-000150

Vuln IDs

V-235964
V-56277

Rule IDs

SV-235964r628670_rule
SV-70531

To assure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. The application server must uniquely identify and authenticate application server users or processes acting on behalf of users. This is typically accomplished via the use of a user store which is either local (OS-based) or centralized (LDAP) in nature.

Checks: C-39183r628668_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -> 'Authentication' tab 5. Ensure the list of 'Authentication Providers' contains at least one non-Default Authentication Provider 6. If the Authentication Provider is perimeter-based, ensure the list contains at least one non-Default IdentityAsserter If the list of 'Authentication Providers' does not contain at least one non-Default Authentication Provider, this is a finding. If the Authentication Provider is perimeter-based and the list of 'Authentication Providers' does not contain at least one non-Default IdentityAsserter, this is a finding.

Fix: F-39146r628669_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -> 'Authentication' tab 5. Utilize 'Change Center' to create a new change session 6. Click 'New'. Enter a value in 'Name' field and select a valid authentication provider type (e.g., LDAPAuthenticator) in the 'Type' dropdown. Click 'OK' 7. From the list, select the newly created authentication provider and select the 'Configuration' tab -> 'Provider Specific' tab 8. Set all provider specific values to configure the new authentication provider. Click 'Save' 9. Continuing from step 4, if the new authentication provider is perimeter-based, click 'New'. Enter a value in 'Name' field and select a valid authentication provider type (e.g., SAML2IdentityAsserter) in the 'Type' dropdown. Click 'OK' 10. From the list, select the newly created authentication identity asserter and select the 'Configuration' tab -> 'Provider Specific' tab 11. Set all provider-specific values to configure the new authentication identity asserter. Click 'Save'

c

Oracle WebLogic must authenticate users individually prior to using a group authenticator.

IA-2 - High - CCI-000770 - V-235965 - SV-235965r628673_rule

RMF Control

IA-2

Severity

High

CCI

CCI-000770

Version

WBLC-05-000153

Vuln IDs

V-235965
V-56279

Rule IDs

SV-235965r628673_rule
SV-70533

To assure individual accountability and prevent unauthorized access, application server users (and any processes acting on behalf of application server users) must be individually identified and authenticated. A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users. Application servers must ensure that individual users are authenticated prior to authenticating via role or group authentication. This is to ensure that there is non-repudiation for actions taken.

Checks: C-39184r628671_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -> 'Authentication' tab 5. Ensure the list of 'Authentication Providers' contains at least one non-Default Authentication Provider 6. If the Authentication Provider is perimeter-based, ensure the list contains at least one non-Default IdentityAsserter If the list of 'Authentication Providers' does not contain at least one non-Default Authentication Provider, this is a finding. If the Authentication Provider is perimeter-based and the list of 'Authentication Providers' does not contain at least one non-Default IdentityAsserter, this is a finding.

Fix: F-39147r628672_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -> 'Authentication' tab 5. Utilize 'Change Center' to create a new change session 6. Click 'New'. Enter a value in 'Name' field and select a valid authentication provider type (e.g., LDAPAuthenticator) in the 'Type' dropdown. Click 'OK' 7. From the list, select the newly created authentication provider and select the 'Configuration' tab -> 'Provider Specific' tab 8. Set all provider specific values to configure the new authentication provider. Click 'Save' 9. Continuing from step 4, if the new authentication provider is perimeter-based, click 'New'. Enter a value in 'Name' field and select a valid authentication provider type (e.g., SAML2IdentityAsserter) in the 'Type' dropdown. Click 'OK' 10. From the list, select the newly created authentication identity asserter and select the 'Configuration' tab -> 'Provider Specific' tab 11. Set all provider specific values to configure the new authentication identity asserter. Click 'Save'

b

Oracle WebLogic must enforce minimum password length.

IA-5 - Medium - CCI-000205 - V-235966 - SV-235966r628676_rule

RMF Control

IA-5

Severity

Medium

CCI

CCI-000205

Version

WBLC-05-000160

Vuln IDs

V-235966
V-56281

Rule IDs

SV-235966r628676_rule
SV-70535

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one of several factors that helps to determine strength and how long it takes to crack a password. The shorter the password is, the lower the number of possible combinations that need to be tested before the password is compromised. Application servers either provide a local user store, or they integrate with enterprise user stores like LDAP. When the application server provides the user store and enforces authentication, the application server must enforce minimum password length.

Checks: C-39185r628674_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -> 'Password Validation' subtab 5. Select 'SystemPasswordValidator' 6. Select 'Configuration' tab -> 'Provider Specific' subtab 7. Ensure 'Minimum Password Length' field value is set to '15' If the 'Minimum Password Length' field is not set to '15', this is a finding.

Fix: F-39148r628675_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -> 'Password Validation' subtab 5. Select 'SystemPasswordValidator' 6. Select 'Configuration' tab -> 'Provider Specific' subtab 7. Utilize 'Change Center' to create a new change session 8. Set 'Minimum Password Length' field value to '15'. Click 'Save'

b

Oracle WebLogic must enforce password complexity by the number of upper-case characters used.

IA-5 - Medium - CCI-000192 - V-235967 - SV-235967r628679_rule

RMF Control

IA-5

Severity

Medium

CCI

CCI-000192

Version

WBLC-05-000162

Vuln IDs

V-235967
V-56283

Rule IDs

SV-235967r628679_rule
SV-70537

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Use of a complex password helps to increase the time and resources required to compromise the password. Application servers either provide a local user store, or they integrate with enterprise user stores like LDAP. When the application server provides the user store and enforces authentication, the application server must enforce the organization's password complexity requirements, which includes the requirement to use a specific number of upper-case characters.

Checks: C-39186r628677_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -> 'Password Validation' subtab 5. Select 'SystemPasswordValidator' 6. Select 'Configuration' tab -> 'Provider Specific' subtab 7. Ensure 'Minimum Number of Upper Case Characters' field value is set to '1' or higher If the 'Minimum Number of Upper Case Characters' field value is not set to '1' or higher, this is a finding.

Fix: F-39149r628678_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -> 'Password Validation' subtab 5. Select 'SystemPasswordValidator' 6. Select 'Configuration' tab -> 'Provider Specific' subtab 7. Utilize 'Change Center' to create a new change session 8. Set 'Minimum Number of Upper Case Characters' field value to '1' or higher. Click 'Save'

b

Oracle WebLogic must enforce password complexity by the number of lower-case characters used.

IA-5 - Medium - CCI-000193 - V-235968 - SV-235968r628682_rule

RMF Control

IA-5

Severity

Medium

CCI

CCI-000193

Version

WBLC-05-000163

Vuln IDs

V-235968
V-56285

Rule IDs

SV-235968r628682_rule
SV-70539

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Use of a complex password helps to increase the time and resources required to compromise the password. Application servers either provide a local user store, or they integrate with enterprise user stores like LDAP. When the application server provides the user store and enforces authentication, the application server must enforce the organization's password complexity requirements, which include the requirement to use a specific number of lower-case characters.

Checks: C-39187r628680_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -> 'Password Validation' subtab 5. Select 'SystemPasswordValidator' 6. Select 'Configuration' tab -> 'Provider Specific' subtab 7. Ensure 'Minimum Number of Lower Case Characters' field value is set to '1' or higher If the 'Minimum Number of Lower Case Characters' field value is not set to '1' or higher, this is a finding.

Fix: F-39150r628681_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -> 'Password Validation' subtab 5. Select 'SystemPasswordValidator' 6. Select 'Configuration' tab -> 'Provider Specific' subtab 7. Utilize 'Change Center' to create a new change session 8. Set 'Minimum Number of Lower Case Characters' field value to '1' or higher. Click 'Save'

b

Oracle WebLogic must enforce password complexity by the number of numeric characters used.

IA-5 - Medium - CCI-000194 - V-235969 - SV-235969r628685_rule

RMF Control

IA-5

Severity

Medium

CCI

CCI-000194

Version

WBLC-05-000164

Vuln IDs

V-235969
V-56287

Rule IDs

SV-235969r628685_rule
SV-70541

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Use of a complex password helps to increase the time and resources required to compromise the password. Application servers provide either a local user store or they integrate with enterprise user stores like LDAP. When the application server provides the user store and enforces authentication, the application server must enforce the organization's password complexity requirements that include the requirement to use a specific number of numeric characters when passwords are created or changed.

Checks: C-39188r628683_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -> 'Password Validation' subtab 5. Select 'SystemPasswordValidator' 6. Select 'Configuration' tab -> 'Provider Specific' subtab 7. Ensure 'Minimum Number of Numeric Characters' field value is set to '1' or higher If the 'Minimum Number of Numeric Characters' field value is not set to '1' or higher, this is a finding.

Fix: F-39151r628684_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -> 'Password Validation' subtab 5. Select 'SystemPasswordValidator' 6. Select 'Configuration' tab -> 'Provider Specific' subtab 7. Utilize 'Change Center' to create a new change session 8. Set 'Minimum Number of Numeric Characters' field value to '1' or higher. Click 'Save'

b

Oracle WebLogic must enforce password complexity by the number of special characters used.

IA-5 - Medium - CCI-001619 - V-235970 - SV-235970r628688_rule

RMF Control

IA-5

Severity

Medium

CCI

CCI-001619

Version

WBLC-05-000165

Vuln IDs

V-235970
V-56289

Rule IDs

SV-235970r628688_rule
SV-70543

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Use of a complex password helps to increase the time and resources required to compromise the password. Application servers either provide a local user store, or they integrate with enterprise user stores like LDAP. When the application server provides the user store and enforces authentication, the application server must enforce the organization's password complexity requirements that include the requirement to use a specific number of special characters.

Checks: C-39189r628686_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -> 'Password Validation' subtab 5. Select 'SystemPasswordValidator' 6. Select 'Configuration' tab -> 'Provider Specific' subtab 7. Ensure 'Minimum Number of Non-Alphanumeric Characters' field value is set to '1' or higher If the 'Minimum Number of Non-Alphanumeric Characters' field value is not set to '1' or higher, this is a finding.

Fix: F-39152r628687_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -> 'Password Validation' subtab 5. Select 'SystemPasswordValidator' 6. Select 'Configuration' tab -> 'Provider Specific' subtab 7. Utilize 'Change Center' to create a new change session 8. Set 'Minimum Number of Non-Alphanumeric Characters' field value to '1' or higher. Click 'Save'

c

Oracle WebLogic must encrypt passwords during transmission.

IA-5 - High - CCI-000197 - V-235971 - SV-235971r628691_rule

RMF Control

IA-5

Severity

High

CCI

CCI-000197

Version

WBLC-05-000168

Vuln IDs

V-235971
V-56291

Rule IDs

SV-235971r628691_rule
SV-70545

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. Application servers have the capability to utilize either certificates (tokens) or user IDs and passwords in order to authenticate. When the application server transmits or receives passwords, the passwords must be encrypted.

Checks: C-39190r628689_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -> 'Authentication' tab 5. Ensure the list of 'Authentication Providers' contains at least one non-Default Authentication Provider 6. If the Authentication Provider is perimeter-based, ensure the list contains at least one non-Default IdentityAsserter If the list of 'Authentication Providers' does not contain at least one non-Default Authentication Provider, this is a finding. If the Authentication Provider is perimeter-based and the list of 'Authentication Providers' does not contain at least one non-Default IdentityAsserter, this is a finding.

Fix: F-39153r628690_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -> 'Authentication' tab 5. Utilize 'Change Center' to create a new change session 6. Click 'New'. Enter a value in 'Name' field and select a valid authentication provider type (e.g., LDAPAuthenticator) in the 'Type' dropdown. Click 'OK' 7. From the list, select the newly created authentication provider and select the 'Configuration' tab -> 'Provider Specific' tab 8. Set all provider-specific values to configure the new authentication provider. Click 'Save' 9. Continuing from step 4, if the new authentication provider is perimeter-based, click 'New'. Enter a value in 'Name' field and select a valid authentication provider type (e.g., SAML2IdentityAsserter) in the 'Type' dropdown. Click 'OK' 10. From the list, select the newly created authentication identity asserter and select the 'Configuration' tab -> 'Provider Specific' tab 11. Set all provider-specific values to configure the new authentication identity asserter. Click 'Save'

c

Oracle WebLogic must utilize encryption when using LDAP for authentication.

IA-5 - High - CCI-000197 - V-235972 - SV-235972r628694_rule

RMF Control

IA-5

Severity

High

CCI

CCI-000197

Version

WBLC-05-000169

Vuln IDs

V-235972
V-56293

Rule IDs

SV-235972r628694_rule
SV-70547

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. Application servers have the capability to utilize LDAP directories for authentication. If LDAP connections are not protected during transmission, sensitive authentication credentials can be stolen. When the application server utilizes LDAP, the LDAP traffic must be encrypted.

Checks: C-39191r628692_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Monitoring' -> 'Port Usage' 3. In the results table, ensure the 'Protocol' column does not contain the value 'LDAP' (only 'LDAPS') If LDAP is being used and the 'Protocol' column contains the value 'LDAP', this is a finding.

Fix: F-39154r628693_fix

1. Access AC 2. From 'Domain Structure', select 'Environment' -> 'Servers' 3. From the list of servers, select one which is assigned 'LDAP' protocol 4. Utilize 'Change Center' to create a new change session 5. From 'Configuration' tab -> 'General' tab, deselect the 'Listen Port Enabled' checkbox 6. Select the 'SSL Listen Port Enabled checkbox 7. Enter a valid port value in the 'SSL Listen Port' field and click 'Save' 8. Review the 'Port Usage' table in EM again to ensure the 'Protocol' column does not contain the value 'LDAP'

b

Oracle WebLogic, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor.

IA-5 - Medium - CCI-000185 - V-235973 - SV-235973r628697_rule

RMF Control

IA-5

Severity

Medium

CCI

CCI-000185

Version

WBLC-05-000172

Vuln IDs

V-235973
V-56295

Rule IDs

SV-235973r628697_rule
SV-70549

A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes, certificate revocation lists or online certificate status protocol responses.

Checks: C-39192r628695_chk

1. Access AC 2. From 'Domain Structure', select 'Environment' -> 'Servers' 3. From the list of servers, select one which needs check for SSL configuration verification 4. From 'Configuration' tab -> 'General' tab, ensure 'Listen Port Enabled' checkbox is deselected 5. Ensure 'SSL Listen Port Enabled' checkbox is selected and a valid port number is in 'SSL Listen Port' field, e.g., 7002 6. Repeat steps 3-5 for all servers requiring SSL configuration checking If any servers utilizing PKI-based authentication does not have the 'SSL Listen Port Enabled' selected, this is a finding.

Fix: F-39155r628696_fix

1. Obtain an identity (private key and digital certificates) and trust (certificates of trusted certificate authorities) to configure on the server 2. Create Identity keystore and load private key and certificate using ImportPrivateKey java utility, example: $ java utils.ImportPrivateKey -certfile <cert_file> -keyfile <private_key_file> [-keyfilepass <private_key_password>] -keystore <keystore> -storepass <storepass> [-storetype <storetype>] -alias <alias> [-keypass <keypass>] 3. Access AC 4. Utilize 'Change Center' to create a new change session 5. From 'Domain Structure', select 'Environment' -> 'Servers' 6. From the list of servers, select one which needs SSL set up 7. From 'Configuration' tab -> 'General' tab, deselect 'Listen Port Enabled' checkbox 8. Select 'SSL Listen Port Enabled' checkbox and enter a valid port number in 'SSL Listen Port' field, e.g., 7002 9. From 'Configuration' tab -> 'Keystores' tab, click 'Change' button in 'Keystores' section 10. From dropdown, select 'Custom Identity and Java Standard Trust' and click 'Save' 11. Enter the fully qualified path to Identity keystore, from step 2, in 'Custom Identity Keystore' field 12. Enter 'JKS' in the 'Custom Identity Keystore Type' field 13. Enter the Identity keystore password in 'Custom Identity Keystore Passphrase' and 'Confirm Custom Identity Keystore Passphrase' fields 14. Enter the Java Standard Trust keystore (cacerts) password in 'Java Standard Trust Keystore Passphrase' and 'Confirm Java Standard Trust Keystore Passphrase' fields 15. Leave all other fields blank and click 'Save' 16. From 'Configuration' tab -> 'SSL' tab, enter values from step 2 into corresponding fields, as follows: - Enter <alias> into 'Private Key Alias' - Enter <private_key_password> into 'Private Key Passphrase' - Enter <private_key_password> into 'Confirm Private Key Passphrase' 17. Click 'Save', and from 'Change Center' click 'Activate Changes' to enable configuration changes 18. Repeat steps 4-17 for all servers requiring SSL configuration 19. From 'Domain Structure', select 'Environment' -> 'Servers', click 'Control' tab 20. Select checkbox for all servers configured in previous steps and click 'Restart SSL'

b

Oracle WebLogic must map the PKI-based authentication identity to the user account.

IA-5 - Medium - CCI-000187 - V-235974 - SV-235974r628700_rule

RMF Control

IA-5

Severity

Medium

CCI

CCI-000187

Version

WBLC-05-000174

Vuln IDs

V-235974
V-56297

Rule IDs

SV-235974r628700_rule
SV-70551

The cornerstone of the PKI is the private key used to encrypt or digitally sign information. The key by itself is a cryptographic value that does not contain specific user information. Application servers must provide the capability to utilize and meet requirements of the DoD Enterprise PKI infrastructure for application authentication.

Checks: C-39193r628698_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -> 'Authentication' tab 5. Ensure the list of 'Authentication Providers' contains at least one non-Default Authentication Provider 6. If the Authentication Provider is perimeter-based, ensure the list contains at least one non-Default IdentityAsserter If PKI-based authentication is being used and the list of 'Authentication Providers' does not contain at least one non-Default Authentication Provider, this is a finding. If PKI-based authentication is being used and the Authentication Provider is perimeter-based and the list of 'Authentication Providers' does not contain at least one non-Default IdentityAsserter, this is a finding.

Fix: F-39156r628699_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -> 'Authentication' tab 5. Utilize 'Change Center' to create a new change session 6. Click 'New'. Enter a value in 'Name' field and select a valid authentication provider type (e.g., LDAPAuthenticator) in the 'Type' dropdown. Click 'OK' 7. From the list, select the newly created authentication provider and select the 'Configuration' tab -> 'Provider Specific' tab 8. Set all provider specific values to configure the new authentication provider. Click 'Save' 9. Continuing from step 4, if the new authentication provider is perimeter-based, click 'New'. Enter a value in 'Name' field and select a valid authentication provider type (e.g., SAML2IdentityAsserter) in the 'Type' dropdown. Click 'OK' 10. From the list, select the newly created authentication identity asserter and select the 'Configuration' tab -> 'Provider Specific' tab 11. Set all provider specific values to configure the new authentication identity asserter. Click 'Save'

b

Oracle WebLogic must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.

IA-7 - Medium - CCI-000803 - V-235975 - SV-235975r628703_rule

RMF Control

IA-7

Severity

Medium

CCI

CCI-000803

Version

WBLC-05-000176

Vuln IDs

V-235975
V-56299

Rule IDs

SV-235975r628703_rule
SV-70553

Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS 140-2 is the current standard for validating cryptographic modules, and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified hardware-based encryption modules. Application servers must provide FIPS-compliant encryption modules when storing encrypted data and configuration settings.

Checks: C-39194r628701_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Logs' -> 'View Log Messages' 3. Within the 'Search' panel, expand 'Selected Targets' 4. Click 'Target Log Files' icon for 'AdminServer' target 5. From the list of log files, select 'AdminServer.log' and click 'View Log File' button 6. Within the search criteria, enter the value 'FIPS' for the 'Message contains' field, and select the appropriate 'Start Date' and 'End Date' range. Click 'Search' 7. Check for the following log entry: "Changing the default Random Number Generator in RSA CryptoJ ... to FIPS186PRNG" or "Changing the default Random Number Generator in RSA CryptoJ from ECDRBG128 to HMACDRBG." If either of these log entries are found, this is not a finding. If a log entry cannot be found, navigate to the DOMAIN_HOME directory: 8. View the contents of the appropriate WebLogic server start script: On UNIX operating systems: startWebLogic.sh On Microsoft Windows operating systems: startWebLogic.cmd 9. Ensure the JAVA_OPTIONS variable is set: On UNIX operating systems: JAVA_OPTIONS=" -Djava.security.properties==/<mylocation>/java.security ${JAVA_OPTIONS}" On Microsoft Windows operating systems: set JAVA_OPTIONS= -Djava.security.properties==C:\<mylocation>\java.security %JAVA_OPTIONS% 10. Ensure the <mylocation> path specified above contains a valid java.security file (Refer to section 2.2.4 of the Overview document) 11. Ensure the PRE_CLASSPATH variable is set: On UNIX operating systems: PRE_CLASSPATH="%MW_HOME%\wlserver\server\lib\jcmFIPS.jar;%MW_HOME%\wlserver\server\lib\sslj.jar ${PRE_CLASSPATH}" On Microsoft Windows operating systems: set PRE_CLASSPATH= %MW_HOME%\wlserver\server\lib\jcmFIPS.jar;%MW_HOME%\wlserver\server\lib\sslj.jar;%PRE_CLASSPATH% If the java options are not set correctly, this is a finding.

Fix: F-39157r628702_fix

1. Shut down any running instances of WebLogic server 2. On disk, navigate to the DOMAIN_HOME directory 3. View the contents of the appropriate WebLogic server start script: On UNIX operating systems: startWebLogic.sh On Microsoft Windows operating systems: startWebLogic.cmd 4. Ensure the JAVA_OPTIONS variable is set: On UNIX operating systems: JAVA_OPTIONS=" -Djava.security.properties==/<mylocation>/java.security ${JAVA_OPTIONS}" On Microsoft Windows operating systems: set JAVA_OPTIONS= -Djava.security.properties==C:\<mylocation>\java.security %JAVA_OPTIONS% 5. Ensure the <mylocation> path specified above contains a valid java.security file (Refer to section 2.2.4 of the Overview document) 6. Ensure the PRE_CLASSPATH variable is set: On UNIX operating systems: PRE_CLASSPATH="%MW_HOME%\wlserver\server\lib\jcmFIPS.jar;%MW_HOME%\wlserver\server\lib\sslj.jar ${PRE_CLASSPATH}" On Microsoft Windows operating systems: set PRE_CLASSPATH= %MW_HOME%\wlserver\server\lib\jcmFIPS.jar;%MW_HOME%\wlserver\server\lib\sslj.jar;%PRE_CLASSPATH% 7. Refer to section 2.2.4 of the Overview document

b

Oracle WebLogic must utilize FIPS 140-2 approved encryption modules when authenticating users and processes.

IA-7 - Medium - CCI-000803 - V-235976 - SV-235976r628706_rule

RMF Control

IA-7

Severity

Medium

CCI

CCI-000803

Version

WBLC-05-000177

Vuln IDs

V-235976
V-56301

Rule IDs

SV-235976r628706_rule
SV-70555

Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS 140-2 is the current standard for validating cryptographic modules, and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified hardware-based encryption modules. Application servers must provide FIPS-compliant encryption modules when authenticating users and processes.

Checks: C-39195r628704_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Logs' -> 'View Log Messages' 3. Within the 'Search' panel, expand 'Selected Targets' 4. Click 'Target Log Files' icon for 'AdminServer' target 5. From the list of log files, select 'AdminServer.log' and click 'View Log File' button 6. Within the search criteria, enter the value 'FIPS' for the 'Message contains' field, and select the appropriate 'Start Date' and 'End Date' range. Click 'Search' 7. Check for the following log entry: "Changing the default Random Number Generator in RSA CryptoJ ... to FIPS186PRNG" or "Changing the default Random Number Generator in RSA CryptoJ from ECDRBG128 to HMACDRBG." If either of these log entries are found, this is not a finding. If a log entry cannot be found, navigate to the DOMAIN_HOME directory: 8. View the contents of the appropriate WebLogic server start script: On UNIX operating systems: startWebLogic.sh On Microsoft Windows operating systems: startWebLogic.cmd 9. Ensure the JAVA_OPTIONS variable is set: On UNIX operating systems: JAVA_OPTIONS=" -Djava.security.properties==/<mylocation>/java.security ${JAVA_OPTIONS}" On Microsoft Windows operating systems: set JAVA_OPTIONS= -Djava.security.properties==C:\<mylocation>\java.security %JAVA_OPTIONS% 10. Ensure the <mylocation> path specified above contains a valid java.security file (Refer to section 2.2.4 of the Overview document) 11. Ensure the PRE_CLASSPATH variable is set: On UNIX operating systems: PRE_CLASSPATH="%MW_HOME%\wlserver\server\lib\jcmFIPS.jar;%MW_HOME%\wlserver\server\lib\sslj.jar ${PRE_CLASSPATH}" On Microsoft Windows operating systems: set PRE_CLASSPATH= %MW_HOME%\wlserver\server\lib\jcmFIPS.jar;%MW_HOME%\wlserver\server\lib\sslj.jar;%PRE_CLASSPATH% If the java options are not set correctly, this is a finding.

Fix: F-39158r628705_fix

1. Shut down any running instances of WebLogic server 2. On disk, navigate to the DOMAIN_HOME directory 3. View the contents of the appropriate WebLogic server start script: On UNIX operating systems: startWebLogic.sh On Microsoft Windows operating systems: startWebLogic.cmd 4. Ensure the JAVA_OPTIONS variable is set: On UNIX operating systems: JAVA_OPTIONS=" -Djava.security.properties==/<mylocation>/java.security ${JAVA_OPTIONS}" On Microsoft Windows operating systems: set JAVA_OPTIONS= -Djava.security.properties==C:\<mylocation>\java.security %JAVA_OPTIONS% 5. Ensure the <mylocation> path specified above contains a valid java.security file (Refer to section 2.2.4 of the Overview document) 6. Ensure the PRE_CLASSPATH variable is set: On UNIX operating systems: PRE_CLASSPATH="%MW_HOME%\wlserver\server\lib\jcmFIPS.jar;%MW_HOME%\wlserver\server\lib\sslj.jar ${PRE_CLASSPATH}" On Microsoft Windows operating systems: set PRE_CLASSPATH= %MW_HOME%\wlserver\server\lib\jcmFIPS.jar;%MW_HOME%\wlserver\server\lib\sslj.jar;%PRE_CLASSPATH% 7. Refer to section 2.2.4 of the Overview document

b

Oracle WebLogic must employ cryptographic encryption to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications.

SC-8 - Medium - CCI-002421 - V-235977 - SV-235977r628709_rule

RMF Control

SC-8

Severity

Medium

CCI

CCI-002421

Version

WBLC-06-000190

Vuln IDs

V-235977
V-56303

Rule IDs

SV-235977r628709_rule
SV-70557

Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Application servers provide an HTTP-oriented remote management capability that is used for managing the application server as well as uploading and deleting applications that are hosted on the application server. Application servers need to ensure the communication channels used to remotely access the system utilize cryptographic mechanisms such as TLS.

Checks: C-39196r628707_chk

1. Access AC 2. From 'Domain Structure', select 'Environment' -> 'Servers' 3. From the list of servers, select one which needs check for SSL configuration verification 4. From 'Configuration' tab -> 'General' tab, ensure 'Listen Port Enabled' checkbox is deselected 5. Ensure 'SSL Listen Port Enabled' checkbox is selected and a valid port number is in 'SSL Listen Port' field, e.g., 7002 6. Repeat steps 3-5 for all servers requiring SSL configuration checking If any of the servers requiring SSL have the 'Listen Port Enabled' selected or 'SSL Listen Port Enable' not selected, this is a finding.

Fix: F-39159r628708_fix

1. Obtain an identity (private key and digital certificates) and trust (certificates of trusted certificate authorities) to configure on the server 2. Create Identity keystore and load private key and certificate using ImportPrivateKey java utility, example: $ java utils.ImportPrivateKey -certfile <cert_file> -keyfile <private_key_file> [-keyfilepass <private_key_password>] -keystore <keystore> -storepass <storepass> [-storetype <storetype>] -alias <alias> [-keypass <keypass>] 3. Access AC 4. Utilize 'Change Center' to create a new change session 5. From 'Domain Structure', select 'Environment' -> 'Servers' 6. From the list of servers, select one which needs SSL set up 7. From 'Configuration' tab -> 'General' tab, deselect 'Listen Port Enabled' checkbox 8. Select 'SSL Listen Port Enabled' checkbox and enter a valid port number in 'SSL Listen Port' field, e.g., 7002 9. From 'Configuration' tab -> 'Keystores' tab, click 'Change' button in 'Keystores' section 10. From dropdown, select 'Custom Identity and Java Standard Trust' and click 'Save' 11. Enter the fully qualified path to Identity keystore, from step 2, in 'Custom Identity Keystore' field 12. Enter 'JKS' in the 'Custom Identity Keystore Type' field 13. Enter the Identity keystore password in 'Custom Identity Keystore Passphrase' and 'Confirm Custom Identity Keystore Passphrase' fields 14. Enter the Java Standard Trust keystore (cacerts) password in 'Java Standard Trust Keystore Passphrase' and 'Confirm Java Standard Trust Keystore Passphrase' fields 15. Leave all other fields blank and click 'Save' 16. From 'Configuration' tab -> 'SSL' tab, enter values from step 2 into corresponding fields, as follows: - Enter <alias> into 'Private Key Alias' - Enter <private_key_password> into 'Private Key Passphrase' - Enter <private_key_password> into 'Confirm Private Key Passphrase' 17. Click 'Save', and from 'Change Center' click 'Activate Changes' to enable configuration changes 18. Repeat steps 4-17 for all servers requiring SSL configuration 19. From 'Domain Structure', select 'Environment' -> 'Servers', click 'Control' tab 20. Select checkbox for all servers configured in previous steps and click 'Restart SSL'

b

Oracle WebLogic must employ strong identification and authentication techniques when establishing nonlocal maintenance and diagnostic sessions.

MA-4 - Medium - CCI-000877 - V-235978 - SV-235978r628712_rule

RMF Control

MA-4

Severity

Medium

CCI

CCI-000877

Version

WBLC-06-000191

Vuln IDs

V-235978
V-56305

Rule IDs

SV-235978r628712_rule
SV-70559

Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Application servers will typically utilize an HTTP interface for providing both local and remote maintenance and diagnostic sessions. In these instances, an acceptable strong identification and authentication technique consists of utilizing two-factor authentication via secured HTTPS connections. If the application server also provides maintenance and diagnostic access via a fat client or other client-based connection, then that client must also utilize two-factor authentication and use FIPS-approved encryption modules for establishing transport connections.

Checks: C-39197r628710_chk

1. Access AC 2. From 'Domain Structure', select 'Environment' -> 'Servers' 3. From the list of servers, select one which needs check for SSL configuration verification 4. From 'Configuration' tab -> 'General' tab, ensure 'Listen Port Enabled' checkbox is deselected 5. Ensure 'SSL Listen Port Enabled' checkbox is selected and a valid port number is in 'SSL Listen Port' field, e.g., 7002 6. Repeat steps 3-5 for all servers requiring SSL configuration checking If any of the servers requiring SSL have the 'Listen Port Enabled' selected or 'SSL Listen Port Enable' not selected, this is a finding.

Fix: F-39160r628711_fix

1. Obtain an identity (private key and digital certificates) and trust (certificates of trusted certificate authorities) to configure on the server 2. Create Identity keystore and load private key and certificate using ImportPrivateKey java utility, example: $ java utils.ImportPrivateKey -certfile <cert_file> -keyfile <private_key_file> [-keyfilepass <private_key_password>] -keystore <keystore> -storepass <storepass> [-storetype <storetype>] -alias <alias> [-keypass <keypass>] 3. Access AC 4. Utilize 'Change Center' to create a new change session 5. From 'Domain Structure', select 'Environment' -> 'Servers' 6. From the list of servers, select one which needs SSL set up 7. From 'Configuration' tab -> 'General' tab, deselect 'Listen Port Enabled' checkbox 8. Select 'SSL Listen Port Enabled' checkbox and enter a valid port number in 'SSL Listen Port' field, e.g., 7002 9. From 'Configuration' tab -> 'Keystores' tab, click 'Change' button in 'Keystores' section 10. From dropdown, select 'Custom Identity and Java Standard Trust' and click 'Save' 11. Enter the fully qualified path to Identity keystore, from step 2, in 'Custom Identity Keystore' field 12. Enter 'JKS' in the 'Custom Identity Keystore Type' field 13. Enter the Identity keystore password in 'Custom Identity Keystore Passphrase' and 'Confirm Custom Identity Keystore Passphrase' fields 14. Enter the Java Standard Trust keystore (cacerts) password in 'Java Standard Trust Keystore Passphrase' and 'Confirm Java Standard Trust Keystore Passphrase' fields 15. Leave all other fields blank and click 'Save' 16. From 'Configuration' tab -> 'SSL' tab, enter values from step 2 into corresponding fields, as follows: - Enter <alias> into 'Private Key Alias' - Enter <private_key_password> into 'Private Key Passphrase' - Enter <private_key_password> into 'Confirm Private Key Passphrase' 17. Click 'Save', and from 'Change Center' click 'Activate Changes' to enable configuration changes 18. Repeat steps 4-17 for all servers requiring SSL configuration 19. From 'Domain Structure', select 'Environment' -> 'Servers', click 'Control' tab 20. Select checkbox for all servers configured in previous steps and click 'Restart SSL'

a

Oracle WebLogic must terminate the network connection associated with a communications session at the end of the session or after a DoD-defined time period of inactivity.

SC-10 - Low - CCI-001133 - V-235979 - SV-235979r628715_rule

RMF Control

SC-10

Severity

Low

CCI

CCI-001133

Version

WBLC-08-000210

Vuln IDs

V-235979
V-56307

Rule IDs

SV-235979r628715_rule
SV-70561

If communications sessions remain open for extended periods of time even when unused, there is the potential for an adversary to hijack the session and use it to gain access to the device or networks to which it is attached. Terminating sessions after a certain period of inactivity is a method for mitigating the risk of this vulnerability. The application server must provide a mechanism for timing out or otherwise terminating inactive web sessions.

Checks: C-39198r628713_chk

1. Access AC 2. From 'Domain Structure', select 'Deployments' 3. Sort 'Deployments' table by 'Type' by click the column header 4. Select an 'Enterprise Application' or 'Web Application' to check the session timeout setting 5. Select 'Configuration' tab -> 'Application' tab for deployments of 'Enterprise Application' type Select 'Configuration' tab -> 'General' tab for deployments of 'Web Application' type 6. Ensure 'Session Timeout' field value is set to '900' (seconds) If the 'Session Timeout' field is not set '900', this is a finding.

Fix: F-39161r628714_fix

1. Access AC 2. From 'Domain Structure', select 'Deployments' 3. Sort 'Deployments' table by 'Type' by click the column header 4. Select an 'Enterprise Application' or 'Web Application' to check the session timeout setting 5. Select 'Configuration' tab -> 'Application' tab for deployments of 'Enterprise Application' type Select 'Configuration' tab -> 'General' tab for deployments of 'Web Application' type 6. Utilize 'Change Center' to create a new change session 7. Set value in 'Session Timeout' field value to '900' (seconds). Click 'Save' 8. Repeat steps 4-7 for each 'Enterprise Application' and 'Web Application' deployment

b

Oracle WebLogic must establish a trusted communications path between the user and organization-defined security functions within the information system.

SC-11 - Medium - CCI-001135 - V-235980 - SV-235980r628718_rule

RMF Control

SC-11

Severity

Medium

CCI

CCI-001135

Version

WBLC-08-000211

Vuln IDs

V-235980
V-56309

Rule IDs

SV-235980r628718_rule
SV-70563

Without a trusted communication path, the application server is vulnerable to a man-in-the-middle attack. Application server user interfaces are used for management of the application server so the communications path between client and server must be trusted or management of the server may be compromised.

Checks: C-39199r628716_chk

1. Access AC 2. From 'Domain Structure', select 'Environment' -> 'Servers' 3. From the list of servers, select one which needs check for SSL configuration verification 4. From 'Configuration' tab -> 'General' tab, ensure 'Listen Port Enabled' checkbox is deselected 5. Ensure 'SSL Listen Port Enabled' checkbox is selected and a valid port number is in 'SSL Listen Port' field, e.g., 7002 6. Repeat steps 3-5 for all servers requiring SSL configuration checking If any of the servers requiring SSL have the 'Listen Port Enabled' selected or 'SSL Listen Port Enable' not selected, this is a finding.

Fix: F-39162r628717_fix

1. Obtain an identity (private key and digital certificates) and trust (certificates of trusted certificate authorities) to configure on the server 2. Create Identity keystore and load private key and certificate using ImportPrivateKey java utility, example: $ java utils.ImportPrivateKey -certfile <cert_file> -keyfile <private_key_file> [-keyfilepass <private_key_password>] -keystore <keystore> -storepass <storepass> [-storetype <storetype>] -alias <alias> [-keypass <keypass>] 3. Access AC 4. Utilize 'Change Center' to create a new change session 5. From 'Domain Structure', select 'Environment' -> 'Servers' 6. From the list of servers, select one which needs SSL set up 7. From 'Configuration' tab -> 'General' tab, deselect 'Listen Port Enabled' checkbox 8. Select 'SSL Listen Port Enabled' checkbox and enter a valid port number in 'SSL Listen Port' field, e.g., 7002 9. From 'Configuration' tab -> 'Keystores' tab, click 'Change' button in 'Keystores' section 10. From dropdown, select 'Custom Identity and Java Standard Trust' and click 'Save' 11. Enter the fully qualified path to Identity keystore, from step 2, in 'Custom Identity Keystore' field 12. Enter 'JKS' in the 'Custom Identity Keystore Type' field 13. Enter the Identity keystore password in 'Custom Identity Keystore Passphrase' and 'Confirm Custom Identity Keystore Passphrase' fields 14. Enter the Java Standard Trust keystore (cacerts) password in 'Java Standard Trust Keystore Passphrase' and 'Confirm Java Standard Trust Keystore Passphrase' fields 15. Leave all other fields blank and click 'Save' 16. From 'Configuration' tab -> 'SSL' tab, enter values from step 2 into corresponding fields, as follows: - Enter <alias> into 'Private Key Alias' - Enter <privae_key_password> into 'Private Key Passphrase' - Enter <private_key_password> into 'Confirm Private Key Passphrase' 17. Click 'Save', and from 'Change Center' click 'Activate Changes' to enable configuration changes 18. Repeat steps 4-17 for all servers requiring SSL configuration 19. From 'Domain Structure', select 'Environment' -> 'Servers', click 'Control' tab 20. Select checkbox for all servers configured in previous steps and click 'Restart SSL'

b

Oracle WebLogic must utilize NSA-approved cryptography when protecting classified compartmentalized data.

CM-6 - Medium - CCI-000366 - V-235981 - SV-235981r628721_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000366

Version

WBLC-08-000214

Vuln IDs

V-235981
V-56313

Rule IDs

SV-235981r628721_rule
SV-70567

Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. Encryption modules/algorithms are the mathematical procedures used for encrypting data. NSA has developed Type 1 algorithms for protecting classified information. The Committee on National Security Systems (CNSS) National Information Assurance Glossary (CNSS Instruction No. 4009) defines Type 1 products as: "Cryptographic equipment, assembly or component classified or certified by NSA for encrypting and decrypting classified and sensitive national security information when appropriately keyed. Developed using established NSA business processes and containing NSA-approved algorithms. Used to protect systems requiring the most stringent protection mechanisms." Although persons may have a security clearance, they may not have a "need to know" and are required to be separated from the information in question. The application server must employ NSA-approved cryptography to protect classified information from those individuals who have no "need to know" or when encryption of compartmentalized data is required by data classification.

Checks: C-39200r628719_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Logs' -> 'View Log Messages' 3. Within the 'Search' panel, expand 'Selected Targets' 4. Click 'Target Log Files' icon for 'AdminServer' target 5. From the list of log files, select 'AdminServer.log' and click 'View Log File' button 6. Within the search criteria, enter the value 'FIPS' for the 'Message contains' field, and select the appropriate 'Start Date' and 'End Date' range. Click 'Search' 7. Check for the following log entry: "Changing the default Random Number Generator in RSA CryptoJ ... to FIPS186PRNG" or "Changing the default Random Number Generator in RSA CryptoJ from ECDRBG128 to HMACDRBG." If either of these log entries are found, this is not a finding. If a log entry cannot be found, navigate to the DOMAIN_HOME directory: 8. View the contents of the appropriate WebLogic server start script: On UNIX operating systems: startWebLogic.sh On Microsoft Windows operating systems: startWebLogic.cmd 9. Ensure the JAVA_OPTIONS variable is set: On UNIX operating systems: JAVA_OPTIONS=" -Djava.security.properties==/<mylocation>/java.security ${JAVA_OPTIONS}" On Microsoft Windows operating systems: set JAVA_OPTIONS= -Djava.security.properties==C:\<mylocation>\java.security %JAVA_OPTIONS% 10. Ensure the <mylocation> path specified above contains a valid java.security file (Refer to section 2.2.4 of the Overview document) 11. Ensure the PRE_CLASSPATH variable is set: On UNIX operating systems: PRE_CLASSPATH="%MW_HOME%\wlserver\server\lib\jcmFIPS.jar;%MW_HOME%\wlserver\server\lib\sslj.jar ${PRE_CLASSPATH}" On Microsoft Windows operating systems: set PRE_CLASSPATH= %MW_HOME%\wlserver\server\lib\jcmFIPS.jar;%MW_HOME%\wlserver\server\lib\sslj.jar;%PRE_CLASSPATH% If the java options are not set correctly, this is a finding.

Fix: F-39163r628720_fix

1. Shut down any running instances of WebLogic server 2. On disk, navigate to the DOMAIN_HOME directory 3. View the contents of the appropriate WebLogic server start script: On UNIX operating systems: startWebLogic.sh On Microsoft Windows operating systems: startWebLogic.cmd 4. Ensure the JAVA_OPTIONS variable is set: On UNIX operating systems: JAVA_OPTIONS=" -Djava.security.properties==/<mylocation>/java.security ${JAVA_OPTIONS}" On Microsoft Windows operating systems: set JAVA_OPTIONS= -Djava.security.properties==C:\<mylocation>\java.security %JAVA_OPTIONS% 5. Ensure the <mylocation> path specified above contains a valid java.security file (Refer to section 2.2.4 of the Overview document) 6. Ensure the PRE_CLASSPATH variable is set: On UNIX operating systems: PRE_CLASSPATH="%MW_HOME%\wlserver\server\lib\jcmFIPS.jar;%MW_HOME%\wlserver\server\lib\sslj.jar ${PRE_CLASSPATH}" On Microsoft Windows operating systems: set PRE_CLASSPATH= %MW_HOME%\wlserver\server\lib\jcmFIPS.jar;%MW_HOME%\wlserver\server\lib\sslj.jar;%PRE_CLASSPATH% 7. Refer to section 2.2.4 of the Overview document

b

Oracle WebLogic must protect the integrity and availability of publicly available information and applications.

SC-5 - Medium - CCI-002385 - V-235982 - SV-235982r628724_rule

RMF Control

SC-5

Severity

Medium

CCI

CCI-002385

Version

WBLC-08-000218

Vuln IDs

V-235982
V-56315

Rule IDs

SV-235982r628724_rule
SV-70569

The purpose of this control is to ensure organizations explicitly address the protection needs for public information and applications, with such protection likely being implemented as part of other security controls. Application servers must protect the integrity of publicly available information.

Checks: C-39201r628722_chk

1. Access AC 2. From 'Domain Structure', select 'Deployments' 3. Select a deployed component which contains publicly available information and/or applications 4. Select 'Targets' tab 5. Ensure one or more of the selected targets for this deployment is a cluster of managed servers If the information requires clustering of managed server and the managed servers are not clustered, this is a finding.

Fix: F-39164r628723_fix

1. Access AC 2. From 'Domain Structure', select 'Deployments' 3. Select a deployed component which contains publicly available information and/or applications 4. Utilize 'Change Center' to create a new change session 5. Select 'Targets' tab 6. Select one or more clusters of managed servers as a target for this deployment. Click 'Save'.

b

Oracle WebLogic must separate hosted application functionality from Oracle WebLogic management functionality.

SC-2 - Medium - CCI-001082 - V-235983 - SV-235983r628727_rule

RMF Control

SC-2

Severity

Medium

CCI

CCI-001082

Version

WBLC-08-000222

Vuln IDs

V-235983
V-56317

Rule IDs

SV-235983r628727_rule
SV-70571

Application server management functionality includes functions necessary to administer the application server and requires privileged access via one of the accounts assigned to a management role. The separation of application server administration functionality from hosted application functionality is either physical or logical and is accomplished by using different computers, different central processing units, different instances of the operating system, network addresses, network ports, or combinations of these methods, as appropriate.

Checks: C-39202r628725_chk

1. Access AC 2. From 'Domain Structure', select 'Environment' -> 'Servers' 3. A single server in the list will be named 'Admin Server' and this is the server which hosts AS management functionality, such as the AdminConsole application 4. All remaining servers in the list are 'Managed Servers' and these are the individual or clustered servers which will host the actual applications 5. Ensure no applications are deployed on the Admin server, rather, only on the Managed servers If any applications are deployed on the Admin server, this is a finding.

Fix: F-39165r628726_fix

1. Access AC 2. From 'Domain Structure', select 'Environment' -> 'Servers' 3. A single server in the list will be named 'Admin Server' and this is the server which hosts AS management functionality, such as the AdminConsole application 4. All remaining servers in the list are 'Managed Servers' and these are the individual or clustered servers which will host the actual applications 5. Utilize 'Change Center' to create a new change session 6. Undeploy all applications that are not used for AS management from the Admin server, and redeploy onto the Managed servers 7. This can be done from 'Deployments' tab -> 'Targets' tab; select each application which must be redeployed , deselect 'Admin Server' and select one or more of the Managed servers 8. Click 'Save' and restart servers if necessary

b

Oracle WebLogic must ensure authentication of both client and server during the entire session.

SC-23 - Medium - CCI-001184 - V-235984 - SV-235984r628730_rule

RMF Control

SC-23

Severity

Medium

CCI

CCI-001184

Version

WBLC-08-000223

Vuln IDs

V-235984
V-56321

Rule IDs

SV-235984r628730_rule
SV-70575

This control focuses on communications protection at the session, versus packet level. At the application layer, session IDs are tokens generated by web applications to uniquely identify an application user's session. Web applications utilize session tokens or session IDs in order to establish application user identity. Proper use of session IDs addresses man-in-the-middle attacks, including session hijacking or insertion of false information into a session. Application servers must provide the capability to perform mutual authentication. Mutual authentication is when both the client and the server authenticate each other.

Checks: C-39203r628728_chk

1. Access AC 2. From 'Domain Structure', select 'Environment' -> 'Servers' 3. From the list of servers, select one which needs check for Mutual Authentication configuration verification 4. From 'Configuration' tab -> 'General' tab, ensure 'Listen Port Enabled' checkbox is deselected 5. Ensure 'SSL Listen Port Enabled' checkbox is selected and a valid port number is in 'SSL Listen Port' field, e.g., 7002 6. From 'Configuration' tab -> 'SSL' tab, click 'Advanced' link 7. Ensure 'Two Way Client Cert Behavior' field value is set to 'Client Certs Requested And Enforced' 8. Repeat steps 3-7 for all servers requiring Mutual Authentication configuration checking If any servers requiring Mutual Authentication do not have the 'SSL Listen Port Enabled' checkbox selected or the 'Two Way Client Cert Behavior' field value set to 'Client Certs Requested And Enforced', this is a finding.

Fix: F-39166r628729_fix

1. Obtain the certificate(s) for the trusted certificate authority that signed the certificates for the client(s) 2. Access EM 3. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Security' -> 'Keystore' 4. Locate the desired keystore in which to load the client certificate(s), select and click 'Manage' button 5. From 'Manage Certificates' page, click 'Import' 6. Complete 'Certificate Type', 'Alias' and 'Certificate Source' fields and click 'OK'. Ensure the imported certificate(s) appears in the list. 7. Access AC 8. Utilize 'Change Center' to create a new change session 9. From 'Domain Structure', select 'Environment' -> 'Servers' 10. From the list of servers, select one which needs Mutual Authentication set up 11. From 'Configuration' tab -> 'SSL' tab, click 'Advanced' link 12. Set 'Two Way Client Cert Behavior' field value is set to 'Client Certs Requested And Enforced' 13. Repeat steps 7-12 for all servers requiring SSL configuration 14. From 'Domain Structure', select 'Environment' -> 'Servers', click 'Control' tab 15. Select checkbox for all servers configured in previous steps and click 'Restart SSL'

b

Oracle WebLogic must terminate user sessions upon user logout or any other organization- or policy-defined session termination events such as idle time limit exceeded.

SC-23 - Medium - CCI-001185 - V-235985 - SV-235985r628733_rule

RMF Control

SC-23

Severity

Medium

CCI

CCI-001185

Version

WBLC-08-000224

Vuln IDs

V-235985
V-56323

Rule IDs

SV-235985r628733_rule
SV-70577

If communications sessions remain open for extended periods of time even when unused, there is the potential for an adversary to hijack the session and use it to gain access to the device or networks to which it is attached. Terminating sessions after a logout event or after a certain period of inactivity is a method for mitigating the risk of this vulnerability. When a user management session becomes idle, or when a user logs out of the management interface, the application server must terminate the session.

Checks: C-39204r628731_chk

1. Access AC 2. From 'Domain Structure', select 'Deployments' 3. Sort 'Deployments' table by 'Type' by click the column header 4. Select an 'Enterprise Application' or 'Web Application' to check the session timeout setting 5. Select 'Configuration' tab -> 'Application' tab for deployments of 'Enterprise Application' type Select 'Configuration' tab -> 'General' tab for deployments of 'Web Application' type 6. Ensure 'Session Timeout' field value is set to organization- or policy-defined session idle time limit If the 'Session Timeout' field value is not set to an organization- or policy-defined session idle time limit, this is a finding.

Fix: F-39167r628732_fix

1. Access AC 2. From 'Domain Structure', select 'Deployments' 3. Sort 'Deployments' table by 'Type' by click the column header 4. Select an 'Enterprise Application' or 'Web Application' to check the session timeout setting 5. Select 'Configuration' tab -> 'Application' tab for deployments of 'Enterprise Application' type Select 'Configuration' tab -> 'General' tab for deployments of 'Web Application' type 6. Utilize 'Change Center' to create a new change session 7. Set value in 'Session Timeout' field value to organization- or policy-defined session idle time limit. Click 'Save' 8. Repeat steps 4-7 for each 'Enterprise Application' and 'Web Application' deployment

b

Oracle WebLogic must be configured to perform complete application deployments.

SC-24 - Medium - CCI-001190 - V-235986 - SV-235986r628736_rule

RMF Control

SC-24

Severity

Medium

CCI

CCI-001190

Version

WBLC-08-000229

Vuln IDs

V-235986
V-56327

Rule IDs

SV-235986r628736_rule
SV-70581

Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. When an application is deployed to the application server, if the deployment process does not complete properly and without errors, there is the potential that some application files may not be deployed or may be corrupted and an application error may occur during runtime. The application server must be able to perform complete application deployments. A partial deployment can leave the server in an inconsistent state. Application servers may provide a transaction rollback function to address this issue.

Checks: C-39205r628734_chk

1. Access AC 2. From 'Domain Structure', select the top-level domain 3. Select 'Configuration' tab -> 'General' tab 4. Ensure 'Production Mode' checkbox is selected If the 'Production Mode' checkbox is not selected, this is a finding.

Fix: F-39168r628735_fix

1. Access AC 2. From 'Domain Structure', select the top-level domain 3. Select 'Configuration' tab -> 'General' tab 4. Check 'Production Mode' checkbox. Click 'Save' 5. Restart all servers

b

Oracle WebLogic must protect the confidentiality of applications and leverage transmission protection mechanisms, such as TLS and SSL VPN, when deploying applications.

SC-8 - Medium - CCI-002421 - V-235987 - SV-235987r628739_rule

RMF Control

SC-8

Severity

Medium

CCI

CCI-002421

Version

WBLC-08-000231

Vuln IDs

V-235987
V-56329

Rule IDs

SV-235987r628739_rule
SV-70583

Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPSEC tunnel. If the application server does not protect the application files that are created before and during the application deployment process, there is a risk that the application could be compromised prior to deployment.

Checks: C-39206r628737_chk

1. Access AC 2. From 'Domain Structure', select 'Environment' -> 'Servers' 3. From the list of servers, select the AdminServer 4. From 'Configuration' tab -> 'General' tab, ensure 'Listen Port Enabled' checkbox is deselected 5. Ensure 'SSL Listen Port Enabled' checkbox is selected and a valid port number is in 'SSL Listen Port' field, e.g., 7002 If the field 'SSL Listen Port Enabled' is not selected or 'Listen Port Enabled' is selected, this is a finding.

Fix: F-39169r628738_fix

1. Obtain an identity (private key and digital certificates) and trust (certificates of trusted certificate authorities) to configure on the server 2. Create Identity keystore and load private key and certificate using ImportPrivateKey java utility, example: $ java utils.ImportPrivateKey -certfile <cert_file> -keyfile <private_key_file> [-keyfilepass <private_key_password>] -keystore <keystore> -storepass <storepass> [-storetype <storetype>] -alias <alias> [-keypass <keypass>] 3. Access AC 4. Utilize 'Change Center' to create a new change session 5. From 'Domain Structure', select 'Environment' -> 'Servers' 6. From the list of servers, select one which needs SSL set up 7. From 'Configuration' tab -> 'General' tab, deselect 'Listen Port Enabled' checkbox 8. Select 'SSL Listen Port Enabled' checkbox and enter a valid port number in 'SSL Listen Port' field, e.g., 7002 9. From 'Configuration' tab -> 'Keystores' tab, click 'Change' button in 'Keystores' section 10. From dropdown, select 'Custom Identity and Java Standard Trust' and click 'Save' 11. Enter the fully qualified path to Identity keystore, from step 2, in 'Custom Identity Keystore' field 12. Enter 'JKS' in the 'Custom Identity Keystore Type' field 13. Enter the Identity keystore password in 'Custom Identity Keystore Passphrase' and 'Confirm Custom Identity Keystore Passphrase' fields 14. Enter the Java Standard Trust keystore (cacerts) password in 'Java Standard Trust Keystore Passphrase' and 'Confirm Java Standard Trust Keystore Passphrase' fields 15. Leave all other fields blank and click 'Save' 16. From 'Configuration' tab -> 'SSL' tab, enter values from step 2 into corresponding fields, as follows: - Enter <alias> into 'Private Key Alias' - Enter <private_key_password> into 'Private Key Passphrase' - Enter <private_key_password> into 'Confirm Private Key Passphrase' 17. Click 'Save', and from 'Change Center' click 'Activate Changes' to enable configuration changes 18. Repeat steps 4-17 for all servers requiring SSL configuration 19. From 'Domain Structure', select 'Environment' -> 'Servers', click 'Control' tab 20. Select checkbox for all servers configured in previous steps and click 'Restart SSL'

a

Oracle WebLogic must protect the integrity of applications during the processes of data aggregation, packaging, and transformation in preparation for deployment.

SC-8 - Low - CCI-002420 - V-235988 - SV-235988r628742_rule

RMF Control

SC-8

Severity

Low

CCI

CCI-002420

Version

WBLC-08-000235

Vuln IDs

V-235988
V-56333

Rule IDs

SV-235988r628742_rule
SV-70587

Information can be subjected to unauthorized changes (e.g., malicious and/or unintentional modification) at information aggregation or protocol transformation points. It is therefore imperative the application take steps to validate and assure the integrity of data while at these stages of processing. The application server must ensure the integrity of data that is pending transfer for deployment is maintained. If the application were to simply transmit aggregated, packaged, or transformed data without ensuring the data was not manipulated during these processes, then the integrity of the data and the application itself may be called into question.

Checks: C-39207r628740_chk

1. Access AC 2. From 'Domain Structure', select the top-level domain 3. Select 'Configuration' tab -> 'General' tab 4. Ensure 'Production Mode' checkbox is selected If the 'Production Mode' checkbox is not selected, this is a finding.

Fix: F-39170r628741_fix

1. Access AC 2. From 'Domain Structure', select the top-level domain 3. Select 'Configuration' tab -> 'General' tab 4. Check 'Production Mode' checkbox. Click 'Save' 5. Restart all servers

b

Oracle WebLogic must protect against or limit the effects of HTTP types of Denial of Service (DoS) attacks.

SC-5 - Medium - CCI-002385 - V-235989 - SV-235989r628745_rule

RMF Control

SC-5

Severity

Medium

CCI

CCI-002385

Version

WBLC-08-000236

Vuln IDs

V-235989
V-56337

Rule IDs

SV-235989r628745_rule
SV-70591

Employing increased capacity and bandwidth combined with service redundancy can reduce the susceptibility to some DoS attacks. When utilizing an application server in a high risk environment (such as a DMZ), the amount of access to the system from various sources usually increases, as does the system's risk of becoming more susceptible to DoS attacks. The application server must be able to be configured to withstand or minimize the risk of DoS attacks. This can be partially achieved if the application server provides configuration options that limit the number of allowed concurrent HTTP connections.

Checks: C-39208r628743_chk

1. Access AC 2. From 'Domain Structure', select 'Deployments' 3. Sort 'Deployments' table by 'Type' by click the column header 4. Select an 'Enterprise Application' or 'Web Application' to check the session timeout setting 5. Select 'Configuration' tab -> 'Application' tab for deployments of 'Enterprise Application' type Select 'Configuration' tab -> 'General' tab for deployments of 'Web Application' type 6. Ensure 'Maximum in-memory Session' field value is set to an integer value at or lower than an acceptable maximum number of HTTP sessions If a value is not set in the 'Maximum in-memory Session' field for all deployments, this is a finding.

Fix: F-39171r628744_fix

1. Access AC 2. From 'Domain Structure', select 'Deployments' 3. Sort 'Deployments' table by 'Type' by click the column header 4. Select an 'Enterprise Application' or 'Web Application' to check the session timeout setting 5. Select 'Configuration' tab -> 'Application' tab for deployments of 'Enterprise Application' type Select 'Configuration' tab -> 'General' tab for deployments of 'Web Application' type 6. Utilize 'Change Center' to create a new change session 7. Set value in 'Maximum in-memory Session' field value to an integer value at or lower than an acceptable maximum number of HTTP sessions. Click 'Save' 8. Repeat steps 4-7 for each 'Enterprise Application' and 'Web Application' deployment

b

Oracle WebLogic must limit the use of resources by priority and not impede the host from servicing processes designated as a higher-priority.

SC-5 - Medium - CCI-002385 - V-235990 - SV-235990r628748_rule

RMF Control

SC-5

Severity

Medium

CCI

CCI-002385

Version

WBLC-08-000237

Vuln IDs

V-235990
V-56341

Rule IDs

SV-235990r628748_rule
SV-70595

Priority protection helps the application server prevent a lower-priority application process from delaying or interfering with any higher-priority application processes. If the application server is not capable of managing application resource requests, the application server could become overwhelmed by a high volume of low-priority resource requests which can cause an availability issue. This requirement only applies to Mission Assurance Category 1 systems and does not apply to information systems with a Mission Assurance Category of 2 or 3.

Checks: C-39209r628746_chk

1. Access AC 2. From 'Domain Structure', select 'Environment' -> 'Work Managers' 3. Existing Work Managers will appear in the list If Work Managers are not created to allow prioritization of resources, this is a finding.

Fix: F-39172r628747_fix

1. Access AC 2. From 'Domain Structure', select 'Environment' -> 'Work Managers' 3. Utilize 'Change Center' to create a new change session 4. Click 'New', select 'Work Manager' radio option, click 'Next' 5. Type a unique name, click 'Next', select server(s) which to apply this work manager to, click 'Finish' 6. Select newly created work manager from table to configure 7. Set thread and capacity constraints for this work manager, target the server(s) to apply these constraints to, click 'Save' 8. Deploy applications requiring prioritization to the server(s) selected as target of the work manager in order to apply the priority conditions specified by the work manager to deployed applications

b

Oracle WebLogic must fail securely in the event of an operational failure.

SC-7 - Medium - CCI-001126 - V-235991 - SV-235991r628751_rule

RMF Control

SC-7

Severity

Medium

CCI

CCI-001126

Version

WBLC-08-000238

Vuln IDs

V-235991
V-56343

Rule IDs

SV-235991r628751_rule
SV-70597

Fail secure is a condition achieved by the application server in order to ensure that in the event of an operational failure, the system does not enter into an unsecure state where intended security properties no longer hold. An example of secure failure is when an application server is configured for secure LDAP (LDAPS) authentication. If the application server fails to make a successful LDAPS connection it does not try to use unencrypted LDAP instead.

Checks: C-39210r628749_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Monitoring' -> 'Port Usage' 3. In the results table, ensure values in the 'Protocol' column each end with 's' (secure) If the protocols are not secure, this is a finding.

Fix: F-39173r628750_fix

1. Access AC 2. From 'Domain Structure', select 'Environment' -> 'Servers' 3. From the list of servers, select one which is assigned a protocol which does not end in 's' (secure) 4. Utilize 'Change Center' to create a new change session 5. From 'Configuration' tab -> 'General' tab, deselect the 'Listen Port Enabled' checkbox 6. Select the 'SSL Listen Port Enabled checkbox 7. Enter a valid port value in the 'SSL Listen Port' field and click 'Save' 8. Review the 'Port Usage' table in EM again to ensure all values in the 'Protocol' column end with 's' (secure)

b

Oracle WebLogic must employ approved cryptographic mechanisms when transmitting sensitive data.

SC-8 - Medium - CCI-002421 - V-235992 - SV-235992r628754_rule

RMF Control

SC-8

Severity

Medium

CCI

CCI-002421

Version

WBLC-08-000239

Vuln IDs

V-235992
V-56347

Rule IDs

SV-235992r628754_rule
SV-70601

Preventing the disclosure of transmitted information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPSEC tunnel. If data in transit is unencrypted, it is vulnerable to disclosure. If approved cryptographic algorithms are not used, encryption strength cannot be assured. The application server must utilize approved encryption when transmitting sensitive data.

Checks: C-39211r628752_chk

1. Access AC 2. From 'Domain Structure', select 'Environment' -> 'Servers' 3. From the list of servers, select one which needs check for SSL configuration verification 4. From 'Configuration' tab -> 'General' tab, ensure 'Listen Port Enabled' checkbox is deselected 5. Ensure 'SSL Listen Port Enabled' checkbox is selected and a valid port number is in 'SSL Listen Port' field, e.g., 7002 6. Repeat steps 3-5 for all servers requiring SSL configuration checking If any of the servers requiring cryptographic mechanisms does not have 'SSL List Port Enabled', this is a finding.

Fix: F-39174r628753_fix

1. Obtain an identity (private key and digital certificates) and trust (certificates of trusted certificate authorities) to configure on the server 2. Create Identity keystore and load private key and certificate using ImportPrivateKey java utility, example: $ java utils.ImportPrivateKey -certfile <cert_file> -keyfile <private_key_file> [-keyfilepass <private_key_password>] -keystore <keystore> -storepass <storepass> [-storetype <storetype>] -alias <alias> [-keypass <keypass>] 3. Access AC 4. Utilize 'Change Center' to create a new change session 5. From 'Domain Structure', select 'Environment' -> 'Servers' 6. From the list of servers, select one which needs SSL set up 7. From 'Configuration' tab -> 'General' tab, deselect 'Listen Port Enabled' checkbox 8. Select 'SSL Listen Port Enabled' checkbox and enter a valid port number in 'SSL Listen Port' field, e.g., 7002 9. From 'Configuration' tab -> 'Keystores' tab, click 'Change' button in 'Keystores' section 10. From dropdown, select 'Custom Identity and Java Standard Trust' and click 'Save' 11. Enter the fully qualified path to Identity keystore, from step 2, in 'Custom Identity Keystore' field 12. Enter 'JKS' in the 'Custom Identity Keystore Type' field 13. Enter the Identity keystore password in 'Custom Identity Keystore Passphrase' and 'Confirm Custom Identity Keystore Passphrase' fields 14. Enter the Java Standard Trust keystore (cacerts) password in 'Java Standard Trust Keystore Passphrase' and 'Confirm Java Standard Trust Keystore Passphrase' fields 15. Leave all other fields blank and click 'Save' 16. From 'Configuration' tab -> 'SSL' tab, enter values from step 2 into corresponding fields, as follows: - Enter <alias> into 'Private Key Alias' - Enter <private_key_password> into 'Private Key Passphrase' - Enter <private_key_password> into 'Confirm Private Key Passphrase' 17. Click 'Save', and from 'Change Center' click 'Activate Changes' to enable configuration changes 18. Repeat steps 4-17 for all servers requiring SSL configuration 19. From 'Domain Structure', select 'Environment' -> 'Servers', click 'Control' tab 20. Select checkbox for all servers configured in previous steps and click 'Restart SSL'

a

Oracle WebLogic must identify potentially security-relevant error conditions.

SI-11 - Low - CCI-001312 - V-235993 - SV-235993r628757_rule

RMF Control

SI-11

Severity

Low

CCI

CCI-001312

Version

WBLC-09-000252

Vuln IDs

V-235993
V-56351

Rule IDs

SV-235993r628757_rule
SV-70605

The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the application server is able to identify and handle error conditions is guided by organizational policy and operational requirements. Adequate logging levels and system performance capabilities need to be balanced with data protection requirements. Application servers must have the capability to log at various levels which can provide log entries for potential security-related error events. An example is the capability for the application server to assign a criticality level to a failed login attempt error message, a security-related error message being of a higher criticality.

Checks: C-39212r628755_chk

1. Access EM 2. Expand the domain from the navigation tree, and select the AdminServer 3. Use the dropdown to select 'WebLogic Server' -> 'Logs' -> 'Log Configuration' 4. Select the 'Log Levels' tab, and within the table, expand 'Root Logger' node 5. Log levels for system-related events can be set here 6. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Security' -> 'Audit Policy' 7. Select 'Oracle Platform Security Services' from the 'Audit Component Name' dropdown 8. Log levels for security-related events can be set here If security-related events are not set properly, this is a finding.

Fix: F-39175r628756_fix

1. Access EM 2. Expand the domain from the navigation tree, and select the AdminServer 3. Use the dropdown to select 'WebLogic Server' -> 'Logs' -> 'Log Configuration' 4. Select the 'Log Levels' tab, and within the table, expand 'Root Logger' node 5. Log levels for system-related events can be set here 6. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Security' -> 'Audit Policy' 7. Select 'Oracle Platform Security Services' from the 'Audit Component Name' dropdown 8. Log levels for security-related events can be set here

b

Oracle WebLogic must only generate error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages.

SI-11 - Medium - CCI-001312 - V-235994 - SV-235994r628760_rule

RMF Control

SI-11

Severity

Medium

CCI

CCI-001312

Version

WBLC-09-000253

Vuln IDs

V-235994
V-56377

Rule IDs

SV-235994r628760_rule
SV-70631

Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and content of error messages needs to be carefully considered by the organization and development team. The application server must not log sensitive information such as passwords, private keys, or other sensitive data. This requirement pertains to logs that are generated by the application server and application server processes, not the applications that may reside on the application server. Those errors are out of the scope of these requirements.

Checks: C-39213r628758_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Logs' -> 'View Log Messages' 3. Within the search criteria, click 'Add Fields' button 4. Notice the list of available fields do not contain sensitive data If sensitive or potentially harmful information, such as passwords, private keys or other sensitive data, is part of the error logs or administrative messages, this is a finding.

Fix: F-39176r628759_fix

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Logs' -> 'View Log Messages' 3. Within the search criteria, click 'Add Fields' button 4. Notice the list of available fields do not contain sensitive data

b

Oracle WebLogic must restrict error messages so only authorized personnel may view them.

SI-11 - Medium - CCI-001314 - V-235995 - SV-235995r628763_rule

RMF Control

SI-11

Severity

Medium

CCI

CCI-001314

Version

WBLC-09-000254

Vuln IDs

V-235995
V-56379

Rule IDs

SV-235995r628763_rule
SV-70633

If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Application servers must protect the error messages that are created by the application server. All application server users' accounts are used for the management of the server and the applications residing on the application server. All accounts are assigned to a certain role with corresponding access rights. The application server must restrict access to error messages so only authorized personnel may view them. Error messages are usually written to logs contained on the file system. The application server will usually create new log files as needed and must take steps to ensure that the proper file permissions are utilized when the log files are created.

Checks: C-39214r628761_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Users and Groups' tab -> 'Users' tab 5. From 'Users' table, select a user that must not have access to view error messages 6. From users settings page, select 'Groups' tab 7. Ensure the 'Chosen' table does not contain any of the following roles - 'Admin', 'Deployer', 'Monitor', 'Operator' 8. Repeat steps 5-7 for all users that must not have access to view error messages If any user that should not be able to view error messages has the roles of 'Admin', 'Deployer', 'Monitor' or 'Operator', this is a finding.

Fix: F-39177r628762_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Users and Groups' tab -> 'Users' tab 5. From 'Users' table, select a user that must not have access to view error messages 6. From users settings page, select 'Groups' tab 7. From the 'Chosen' table, use the shuttle buttons to remove all of the following roles - 'Admin', 'Deployer', 'Monitor', 'Operator' 8. Click 'Save' 9. Repeat steps 5-8 for all users that must not have access to view error messages

b

Oracle WebLogic must provide system notifications to a list of response personnel who are identified by name and/or role.

AU-5 - Medium - CCI-000139 - V-235996 - SV-235996r628766_rule

RMF Control

AU-5

Severity

Medium

CCI

CCI-000139

Version

WBLC-09-000257

Vuln IDs

V-235996
V-56381

Rule IDs

SV-235996r628766_rule
SV-70635

Incident response applications are, by their nature, designed to monitor, detect, and alarm on defined events occurring on the system or on the network. A large part of their functionality is the accurate and timely notification of events. Application servers can act as a resource for incident responders by providing information and notifications needed for support personnel to respond to application server incidents. Notifications can be made more efficient by the utilization of groups containing the members who would be responding to a particular alarm or event.

Checks: C-39215r628764_chk

1. Access AC 2. From 'Domain Structure', select 'Diagnostics' -> 'Diagnostic Modules' 3. Select 'Module-HealthState' from 'Diagnostic System Modules' list 4. Select 'Configuration' tab -> 'Watches and Notifications' tab. Select the 'Watches' tab from the bottom of page 5. Ensure 'ServerHealthWatch' row has 'Enabled' column value set to 'true' 6. Select 'Configuration' tab -> 'Watches and Notifications' tab. Select the 'Notifications' tab from the bottom of page 7. Ensure 'ServerHealthNotification' row has 'Enable Notification' column value set to 'true' If 'ServerHealthNotification' is set to false, this is a finding.

Fix: F-39178r628765_fix

1. Access AC 2. Utilize 'Change Center' to create a new change session 3. From 'Domain Structure', select 'Diagnostics' -> 'Diagnostic Modules' 4. If 'Module-HealthState' does not exist, click 'New' button. Enter 'Module-HealthState' in 'Name' field and click 'OK' button 5. Select 'Module-HealthState' from 'Diagnostic System Modules' list 6. Select 'Configuration' tab -> 'Watches and Notifications' tab. Select the 'Watches' tab from the bottom of page 7. Click 'New' button. Set the following values in the fields as shown: 'Watch Name' = 'ServerHealthWatch' 'Watch Type' = 'Collected Metrics' 'Enable Watch' = selected 8. Click 'Next' 9. Click 'Add Expressions' 10. Set 'MBean Server location' dropdown value to 'ServerRuntime'. Click 'Next' 11. Set 'MBean Type' dropdown value to 'weblogic.management.runtime.ServerRuntimeMBean'. Click 'Next' 12. Set 'Instance' dropdown value to a WebLogic Server instance to be monitored. Click 'Next' 13. Select 'Enter an Attribute Expression' radio button, enter following value in 'Attribute Expression' field: HealthState.State 14. Set 'Operator' dropdown value to '>='. Set 'Value' field to '3'. Click 'Finish' 15. Repeat steps 9-14 for all WebLogic Server instances to be monitored. Click 'Finish' 16. Continuing from step 6 above, select the 'Notifications' tab from the bottom of page 17. Click 'New' button. Set 'Type' dropdown value to 'SMTP (E-Mail)'. Click 'Next'. Set the following values in the fields as shown: 'Notification Name' = 'ServerHealthNotification' 'Enable Notification' = selected 18. Click 'Next' 19. Select an existing 'Mail Session Name', or click 'Create a New Mail Session' button to create one (JNDI name and Java mail settings must be known) 20. In 'E-Mail Recipients' text area, add list of administrator email addresses, and customize 'E-Mail Subject' and 'E-Mail Body' fields as needed. Click 'Finish' 21. Return to the 'Watches' tab from the bottom of page. Select 'ServerHealthWatch'. Select 'Notifications' tab 22. Use shuttle list to set 'ServerHealthNotification' into the 'Chosen' table. Click 'Save'

b

Oracle WebLogic must be integrated with a tool to monitor audit subsystem failure notification information that is sent out (e.g., the recipients of the message and the nature of the failure).

CM-6 - Medium - CCI-000366 - V-235997 - SV-235997r628769_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000366

Version

WBLC-10-000270

Vuln IDs

V-235997
V-56383

Rule IDs

SV-235997r628769_rule
SV-70637

It is critical that, when a system is at risk of failing to process audit logs, it detects and takes action to mitigate the failure. As part of the mitigation, the system must send a notification to designated individuals that auditing is failing, log the notification message and the individuals who received the notification. When the system is not capable of notification and notification logging, an external software package, such as Oracle Diagnostic Framework, must be used.

Checks: C-39216r628767_chk

Review the configuration of Oracle WebLogic to determine if a tool, such as Oracle Diagnostic Framework, is in place to monitor audit subsystem failure notification information that is sent out. If a tool is not in place to monitor audit subsystem failure notification information that is sent, this is a finding.

Fix: F-39179r628768_fix

Install a tool, such as Oracle Diagnostics Framework, to monitor audit subsystem failure notification information.

b

Oracle WebLogic must be managed through a centralized enterprise tool.

CM-6 - Medium - CCI-000366 - V-235998 - SV-235998r628772_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000366

Version

WBLC-10-000271

Vuln IDs

V-235998
V-56385

Rule IDs

SV-235998r628772_rule
SV-70639

The application server can host multiple applications which require different functions to operate successfully but many of the functions are capabilities that are needed for all the hosted applications and should be managed through a common interface. Examples of enterprise wide functions are automated rollback of changes, failover and patching. These functions are often outside the domain of the application server and so the application server must be integrated with a tool, such as Oracle Enterprise Manager, which is specific built to handle these requirements.

Checks: C-39217r628770_chk

Review the Oracle WebLogic configuration to determine if a tool, such as Oracle Enterprise Manager, is in place to centrally manage enterprise functionality needed for Oracle WebLogic. If a tool is not in place to centrally manage enterprise functionality, this is a finding.

Fix: F-39180r628771_fix

Install a tool such as Oracle Enterprise Manager, to handle enterprise functionality such as automated failover, rollback and patching of Oracle WebLogic.

b

Oracle WebLogic must be integrated with a tool to implement multi-factor user authentication.

CM-6 - Medium - CCI-000366 - V-235999 - SV-235999r628775_rule

RMF Control

CM-6

Severity

Medium

CCI

CCI-000366

Version

WBLC-10-000272

Vuln IDs

V-235999
V-56387

Rule IDs

SV-235999r628775_rule
SV-70641

Multifactor authentication is defined as: using two or more factors to achieve authentication. Factors include: (i) something a user knows (e.g., password/PIN); (ii) something a user has (e.g., cryptographic identification device, token); or (iii) something a user is (e.g., biometric). A CAC meets this definition. Implementing a tool, such as Oracle Access Manager, will implement multi-factor authentication to the application server and tie the authenticated user to a user account (i.e. roles and privileges) assigned to the authenticated user.

Checks: C-39218r628773_chk

Review the WebLogic configuration to determine if a tool, such as Oracle Access Manager, is in place to implement multi-factor authentication for the users. If a tool is not in place to implement multi-factor authentication, this is a finding.

Fix: F-39181r628774_fix

Install a tool, such as Oracle Access Manager, to handle multi-factor authentication of users.

Oracle WebLogic Server 12c Security Technical Implementation Guide

Compare

View

Checks: C-39147r628560_chk

Fix: F-39110r628561_fix

Checks: C-39148r628563_chk

Fix: F-39111r628564_fix

Checks: C-39149r628566_chk

Fix: F-39112r628567_fix

Checks: C-39150r628569_chk

Fix: F-39113r628570_fix

Checks: C-39151r628572_chk

Fix: F-39114r628573_fix

Checks: C-39152r628575_chk

Fix: F-39115r628576_fix

Checks: C-39153r628578_chk

Fix: F-39116r628579_fix

Checks: C-39154r628581_chk

Fix: F-39117r628582_fix

Checks: C-39155r628584_chk

Fix: F-39118r628585_fix

Checks: C-39156r628587_chk

Fix: F-39119r628588_fix

Checks: C-39157r628590_chk

Fix: F-39120r628591_fix

Checks: C-39158r628593_chk

Fix: F-39121r628594_fix

Checks: C-39159r628596_chk

Fix: F-39122r628597_fix

Checks: C-39160r628599_chk

Fix: F-39123r628600_fix

Checks: C-39161r628602_chk

Fix: F-39124r628603_fix

Checks: C-39162r628605_chk

Fix: F-39125r628606_fix

Checks: C-39163r628608_chk

Fix: F-39126r628609_fix

Checks: C-39164r628611_chk

Fix: F-39127r628612_fix

Checks: C-39165r628614_chk

Fix: F-39128r628615_fix

Checks: C-39166r628617_chk

Fix: F-39129r628618_fix

Checks: C-39167r628620_chk

Fix: F-39130r628621_fix

Checks: C-39168r628623_chk

Fix: F-39131r628624_fix

Checks: C-39169r628626_chk

Fix: F-39132r628627_fix

Checks: C-39170r628629_chk

Fix: F-39133r628630_fix

Checks: C-39171r628632_chk

Fix: F-39134r628633_fix

Checks: C-39172r628635_chk

Fix: F-39135r628636_fix

Checks: C-39173r628638_chk

Fix: F-39136r628639_fix

Checks: C-39174r628641_chk

Fix: F-39137r628642_fix

Checks: C-39175r628644_chk

Fix: F-39138r628645_fix

Checks: C-39176r628647_chk

Fix: F-39139r628648_fix

Checks: C-39177r628650_chk

Fix: F-39140r628651_fix

Checks: C-39178r628653_chk

Fix: F-39141r628654_fix

Checks: C-39179r628656_chk

Fix: F-39142r628657_fix

Checks: C-39180r628659_chk

Fix: F-39143r628660_fix

Checks: C-39181r628662_chk

Fix: F-39144r628663_fix

Checks: C-39182r628665_chk

Fix: F-39145r628666_fix

Checks: C-39183r628668_chk

Fix: F-39146r628669_fix

Checks: C-39184r628671_chk

Fix: F-39147r628672_fix

Checks: C-39185r628674_chk