Cyber Trackr - Free Compliance Library
Cyber Trackr
The Free Compliance Library

Oracle WebLogic Server 12c Security Technical Implementation Guide

  • Version/Release: V2R1
  • Published: 2021-03-18
  • Released: 2021-04-23
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
b
Oracle WebLogic must utilize cryptography to protect the confidentiality of remote access management sessions.
AC-17 - Medium - CCI-000068 - V-235928 - SV-235928r628562_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000068
Version
WBLC-01-000009
Vuln IDs
  • V-235928
  • V-56205
Rule IDs
  • SV-235928r628562_rule
  • SV-70459
Remote management access is accomplished by leveraging common communication protocols and establishing a remote connection to the application server via a network for the purposes of managing the application server. If cryptography is not used, then the session data traversing the remote connection could be intercepted and compromised. Types of management interfaces utilized by an application server include web-based HTTPS interfaces as well as command line-based management interfaces. All application server management interfaces must utilize cryptographic encryption.
Checks: C-39147r628560_chk

1. Access AC 2. From 'Domain Structure', select 'Environment' -> 'Servers' 3. From the list of servers, select one which needs check for SSL configuration verification 4. From 'Configuration' tab -> 'General' tab, ensure 'Listen Port Enabled' checkbox is deselected 5. Ensure 'SSL Listen Port Enabled' checkbox is selected and a valid port number is in 'SSL Listen Port' field, e.g., 7002 6 Repeat steps 3-5 for all servers requiring SSL configuration checking If 'Listen Port Enabled' is selected, this is a finding. If 'SSL Listen Port Enabled' is not selected, this is a finding.

Fix: F-39110r628561_fix

1. Obtain an identity (private key and digital certificates) and trust (certificates of trusted certificate authorities) to configure on the server 2. Create Identity keystore and load private key and certificate using ImportPrivateKey java utility, example: $ java utils.ImportPrivateKey -certfile <cert_file> -keyfile <private_key_file> [-keyfilepass <private_key_password>] -keystore <keystore> -storepass <storepass> [-storetype <storetype>] -alias <alias> [-keypass <keypass>] 3. Access AC 4. Utilize 'Change Center' to create a new change session 5. From 'Domain Structure', select 'Environment' -> 'Servers' 6. From the list of servers, select one which needs SSL set up 7. From 'Configuration' tab -> 'General' tab, deselect 'Listen Port Enabled' checkbox 8. Select 'SSL Listen Port Enabled' checkbox and enter a valid port number in 'SSL Listen Port' field, e.g., 7002 9. From 'Configuration' tab -> 'Keystores' tab, click 'Change' button in 'Keystores' section 10. From dropdown, select 'Custom Identity and Java Standard Trust' and click 'Save' 11. Enter the fully qualified path to Identity keystore, from step 2, in 'Custom Identity Keystore' field 12. Enter 'JKS' in the 'Custom Identity Keystore Type' field 13. Enter the Identity keystore password in 'Custom Identity Keystore Passphrase' and 'Confirm Custom Identity Keystore Passphrase' fields 14. Enter the Java Standard Trust keystore (cacerts) password in 'Java Standard Trust Keystore Passphrase' and 'Confirm Java Standard Trust Keystore Passphrase' fields 15. Leave all other fields blank and click 'Save' 16. From 'Configuration' tab -> 'SSL' tab, enter values from step 2 into corresponding fields, as follows: - Enter <alias> into 'Private Key Alias' - Enter <private_key_password> into 'Private Key Passphrase' - Enter <private_key_password> into 'Confirm Private Key Passphrase' 17. Click 'Save', and from 'Change Center' click 'Activate Changes' to enable configuration changes 18. Repeat steps 4-17 for all servers requiring SSL configuration 19. From 'Domain Structure', select 'Environment' -> 'Servers', click 'Control' tab 20. Select checkbox for all servers configured in previous steps and click 'Restart SSL'

b
Oracle WebLogic must use cryptography to protect the integrity of the remote access session.
AC-17 - Medium - CCI-001453 - V-235929 - SV-235929r628565_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-001453
Version
WBLC-01-000010
Vuln IDs
  • V-235929
  • V-56207
Rule IDs
  • SV-235929r628565_rule
  • SV-70461
Encryption is critical for protection of remote access sessions. If encryption is not being used for integrity, malicious users may gain the ability to modify the application server configuration. The use of cryptography for ensuring integrity of remote access sessions mitigates that risk. Application servers utilize a web management interface and scripted commands when allowing remote access. Web access requires the use of SSL 3.0 or TLS 1.0 and scripted access requires using ssh or some other form of approved cryptography. Application servers must have a capability to enable a secure remote admin capability.
Checks: C-39148r628563_chk

1. Access AC 2. From 'Domain Structure', select 'Environment' -&gt; 'Servers' 3. From the list of servers, select one which needs check for SSL configuration verification 4. From 'Configuration' tab -&gt; 'General' tab, ensure 'Listen Port Enabled' checkbox is deselected 5. Ensure 'SSL Listen Port Enabled' checkbox is selected and a valid port number is in 'SSL Listen Port' field, e.g., 7002 6. Repeat steps 3-5 for all servers requiring SSL configuration checking If 'Listen Port Enabled' is selected, this is a finding. If 'SSL Listen Port Enabled' is not selected, this is a finding.

Fix: F-39111r628564_fix

1. Obtain an identity (private key and digital certificates) and trust (certificates of trusted certificate authorities) to configure on the server 2. Create Identity keystore and load private key and certificate using ImportPrivateKey java utility, example: $ java utils.ImportPrivateKey -certfile <cert_file> -keyfile <private_key_file> [-keyfilepass <private_key_password>] -keystore <keystore> -storepass <storepass> [-storetype <storetype>] -alias <alias> [-keypass <keypass>] 3. Access AC 4. Utilize 'Change Center' to create a new change session 5. From 'Domain Structure', select 'Environment' -> 'Servers' 6. From the list of servers, select one which needs SSL set up 7. From 'Configuration' tab -> 'General' tab, deselect 'Listen Port Enabled' checkbox 8. Select 'SSL Listen Port Enabled' checkbox and enter a valid port number in 'SSL Listen Port' field, e.g., 7002 9. From 'Configuration' tab -> 'Keystores' tab, click 'Change' button in 'Keystores' section 10. From dropdown, select 'Custom Identity and Java Standard Trust' and click 'Save' 11. Enter the fully qualified path to Identity keystore, from step 2, in 'Custom Identity Keystore' field 12. Enter 'JKS' in the 'Custom Identity Keystore Type' field 13. Enter the Identity keystore password in 'Custom Identity Keystore Passphrase' and 'Confirm Custom Identity Keystore Passphrase' fields 14. Enter the Java Standard Trust keystore (cacerts) password in 'Java Standard Trust Keystore Passphrase' and 'Confirm Java Standard Trust Keystore Passphrase' fields 15. Leave all other fields blank and click 'Save' 16. From 'Configuration' tab -> 'SSL' tab, enter values from step 2 into corresponding fields, as follows: - Enter <alias> into 'Private Key Alias' - Enter <private_key_password> into 'Private Key Passphrase' - Enter <private_key_password> into 'Confirm Private Key Passphrase' 17. Click 'Save', and from 'Change Center' click 'Activate Changes' to enable configuration changes 18. Repeat steps 4-17 for all servers requiring SSL configuration 19. From 'Domain Structure', select 'Environment' -> 'Servers', click 'Control' tab 20. Select checkbox for all servers configured in previous steps and click 'Restart SSL'

b
Oracle WebLogic must employ automated mechanisms to facilitate the monitoring and control of remote access methods.
AC-17 - Medium - CCI-000067 - V-235930 - SV-235930r628568_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000067
Version
WBLC-01-000011
Vuln IDs
  • V-235930
  • V-56209
Rule IDs
  • SV-235930r628568_rule
  • SV-70463
Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection. Application servers provide remote management access and need to provide the ability to facilitate the monitoring and control of remote user sessions. This includes the capability to directly trigger actions based on user activity or pass information to a separate application or entity that can then perform automated tasks based on the information. Examples of automated mechanisms include but are not limited to: automated monitoring of log activity associated with remote access or process monitoring tools. The application server must employ mechanisms that allow for monitoring and control of web-based and command line-based administrative remote sessions.
Checks: C-39149r628566_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -&gt; 'JDBC Data Sources' 3. From the list of data sources, select the one named 'opss-audit-DBDS', which connects to the IAU_APPEND schema of the audit database. Note the value in the 'JNDI name' field. 4. To verify, select 'Configuration' tab -&gt; 'Connection Pool' tab 5. Ensure the 'URL' and 'Properties' fields contain the correct connection values for the IAU_APPEND schema 6. To test, select 'Monitoring' tab, select a server from the list and click 'Test Data Source'. Ensure test was successful. Repeat for each server in the list. 7. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -&gt; 'Security' -&gt; 'Security Provider Configuration' 8. Beneath 'Audit Service' section, click 'Configure' button 9. Ensure 'Data Source JNDI Name' value matches the JNDI Name value from data source in step 3 above 10. Repeat steps 2-6 for data source named 'wls-wldf-storeDS' and WLS schema If the data is not being stored for access by an external monitoring tool, this is a finding.

Fix: F-39112r628567_fix

1. Access AC 2. From 'Domain Structure', select 'Services' -> 'Data Sources' 3. Utilize 'Change Center' to create a new change session 4. Click 'New' data source to create a new data source for the audit data store using schema IAU_APPEND 5. Enter database details and JNDI name, click through wizard 6. Select all servers and clusters available as targets to deploy this data source to 7. Finish creating the data source and record the JNDI name 8. Access EM 9. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Security' -> 'Security Provider Configuration' 10. Beneath 'Audit Service' section, click 'Configure' button 11. Set the values for the IAU_APPEND schema and save configuration 12. Repeat steps 2-7 for data source named 'wls-wldf-storeDS' and WLS schema

b
Oracle WebLogic must ensure remote sessions for accessing security functions and security-relevant information are audited.
AC-17 - Medium - CCI-000067 - V-235931 - SV-235931r628571_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000067
Version
WBLC-01-000013
Vuln IDs
  • V-235931
  • V-56211
Rule IDs
  • SV-235931r628571_rule
  • SV-70465
Auditing must be utilized in order to track system activity, assist in diagnosing system issues and provide evidence needed for forensic investigations post security incident. Remote access by administrators requires that the admin activity be audited. Application servers provide a web- and command line-based remote management capability for managing the application server. Application servers must ensure that all actions related to administrative functionality such as application server configuration are logged.
Checks: C-39150r628569_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -&gt; 'Security' -&gt; 'Audit Policy' 3. Select 'Oracle Platform Security Services' from the 'Audit Component Name' dropdown 4. Beneath 'Audit Policy Settings' section, ensure that the value 'Custom' is set in the 'Audit Level' dropdown 5. Beneath 'Audit Policy Settings' section, ensure that every checkbox is selected under the 'Select For Audit' column of the policy category table If all auditable events for the 'Oracle Platform Security Services' audit component are not selected, then this is a finding.

Fix: F-39113r628570_fix

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Security' -> 'Audit Policy' 3. Select 'Oracle Platform Security Services' from the 'Audit Component Name' dropdown 4. Beneath 'Audit Policy Settings' section, select 'Custom' from the 'Audit Level' dropdown 5. Once it is enabled, click the 'Audit All Events' button and ensure every checkbox is selected under the 'Select For Audit' column of the policy category table. Click 'Apply'

b
Oracle WebLogic must support the capability to disable network protocols deemed by the organization to be non-secure except for explicitly identified components in support of specific operational requirements.
CM-7 - Medium - CCI-000382 - V-235932 - SV-235932r672375_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
WBLC-01-000014
Vuln IDs
  • V-235932
  • V-56213
Rule IDs
  • SV-235932r672375_rule
  • SV-70467
Some networking protocols may not meet organizational security requirements to protect data and components. Application servers natively host a number of various features such as management interfaces, httpd servers, and message queues. These features all run on TCPIP ports. This creates the potential that the vendor may choose to utilize port numbers or network services that have been deemed unusable by the organization. The application server must have the capability to both reconfigure and disable the assigned ports without adversely impacting application server operation capabilities. For a list of approved ports and protocols, reference the DoD ports and protocols web site at https://cyber.mil/ppsm.
Checks: C-39151r628572_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -&gt; 'Monitoring' -&gt; 'Port Usage' 3. In the results table, ensure values in the 'Port in Use' column match approved ports 4. In the results table, ensure values in the 'Protocol' column match approved protocols If ports or protocols are in use that the organization deems nonsecure, this is a finding.

Fix: F-39114r628573_fix

1. Access AC 2. To change port or protocol values, from 'Domain Structure', select 'Environment' -> 'Servers' 3. From the list of servers, select one which needs modification 4. Utilize 'Change Center' to create a new change session 5. To modify port assignment, from 'Configuration' tab -> 'General' tab, reassign the port for this server by changing the 'SSL Listen Port' field and click 'Save' 6. To modify protocol configuration, select 'Protocols' tab 7. Use the subtabs 'HTTP', 'jCOM', and 'IIOP' to configure these protocols 8. Use the 'Channels' subtab to create/modify channels which configure other protocols 9. Repeat steps 3-8 for all servers requiring modification 10. Review the 'Port Usage' table in EM again to ensure port has been reassigned

b
Oracle WebLogic must automatically audit account creation.
AC-2 - Medium - CCI-000018 - V-235933 - SV-235933r628577_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-000018
Version
WBLC-01-000018
Vuln IDs
  • V-235933
  • V-56215
Rule IDs
  • SV-235933r628577_rule
  • SV-70469
Application servers require user accounts for server management purposes, and if the creation of new accounts is not logged, there is limited or no capability to track or alarm on account creation. This could result in the circumvention of the normal account creation process and introduce a persistent threat. Therefore, an audit trail that documents the creation of application user accounts must exist. An application server could possibly provide the capability to utilize either a local or centralized user registry. A centralized, enterprise user registry such as AD or LDAP is more likely to already contain provisions for automated account management, whereas a localized user registry will rely upon either the underlying OS or built-in application server user management capabilities. Either way, application servers must create a log entry when accounts are created.
Checks: C-39152r628575_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -&gt; 'Auditing' tab 5. Ensure the list of 'Auditing Providers' contains at least one Auditing Provider 6. From 'Domain Structure', select the top-level domain link 7. Click 'Advanced' near the bottom of the page 8. Ensure 'Configuration Audit Type' is set to 'Change Log and Audit' If the 'Configuration Audit Type' is not set to 'Change Log and Audit', this is a finding.

Fix: F-39115r628576_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -> 'Auditing' tab 5. Utilize 'Change Center' to create a new change session 6. Click 'New'. Enter a value in 'Name' field and select an auditing provider type (ex: DefaultAuditor) in the 'Type' dropdown. Click 'OK'. 7. From 'Domain Structure', select the top-level domain link 8. Click 'Advanced' near the bottom of the page 9. Set 'Configuration Audit Type' dropdown to 'Change Log and Audit' 10. Click 'Save', and from 'Change Center' click 'Activate Changes' to enable configuration changes

b
Oracle WebLogic must automatically audit account modification.
AC-2 - Medium - CCI-001403 - V-235934 - SV-235934r628580_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001403
Version
WBLC-01-000019
Vuln IDs
  • V-235934
  • V-56217
Rule IDs
  • SV-235934r628580_rule
  • SV-70471
Once an attacker establishes initial access to a system, they often attempt to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply modify an existing account. Application servers have the capability to contain user information in a local user store, or they can leverage a centralized authentication mechanism like LDAP. Either way, the mechanism used by the application server must automatically log when user accounts are modified.
Checks: C-39153r628578_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -&gt; 'Auditing' tab 5. Ensure the list of 'Auditing Providers' contains at least one Auditing Provider 6. From 'Domain Structure', select the top-level domain link 7. Click 'Advanced' near the bottom of the page 8. Ensure 'Configuration Audit Type' is set to 'Change Log and Audit' If the 'Configuration Audit Type' is not set to 'Change Log and Audit', this is a finding.

Fix: F-39116r628579_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -> 'Auditing' tab 5. Utilize 'Change Center' to create a new change session 6. Click 'New'. Enter a value in 'Name' field and select an auditing provider type (ex: DefaultAuditor) in the 'Type' dropdown. Click 'OK'. 7. From 'Domain Structure', select the top-level domain link 8. Click 'Advanced' near the bottom of the page 9. Set 'Configuration Audit Type' dropdown to 'Change Log and Audit' 10. Click 'Save', and from 'Change Center' click 'Activate Changes' to enable configuration changes

b
Oracle WebLogic must provide access logging that ensures users who are granted a privileged role (or roles) have their privileged activity logged.
AU-12 - Medium - CCI-000172 - V-235935 - SV-235935r628583_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
WBLC-01-000030
Vuln IDs
  • V-235935
  • V-56219
Rule IDs
  • SV-235935r628583_rule
  • SV-70473
In order to be able to provide a forensic history of activity, the application server must ensure users who are granted a privileged role or those who utilize a separate distinct account when accessing privileged functions or data have their actions logged. If privileged activity is not logged, no forensic logs can be used to establish accountability for privileged actions that occur on the system.
Checks: C-39154r628581_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -&gt; 'Security' -&gt; 'Audit Policy' 3. Select 'Oracle Platform Security Services' from the 'Audit Component Name' dropdown 4. Beneath 'Audit Policy Settings' section, ensure that the comma-delimited list of privileged users (e.g., WebLogic, etc.) is set in the 'Users to Always Audit' field If all privileged users are not listed in the 'Users to Always Audit' field, this is a finding.

Fix: F-39117r628582_fix

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Security' -> 'Audit Policy' 3. Select 'Oracle Platform Security Services' from the 'Audit Component Name' dropdown 4. Beneath 'Audit Policy Settings' section, enter the comma-delimited list of privileged users (e.g., WebLogic, etc.) in the 'Users to Always Audit' field. Click 'Apply'

b
Oracle WebLogic must limit the number of failed login attempts to an organization-defined number of consecutive invalid attempts that occur within an organization-defined time period.
AC-7 - Medium - CCI-000044 - V-235936 - SV-235936r628586_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-000044
Version
WBLC-01-000032
Vuln IDs
  • V-235936
  • V-56221
Rule IDs
  • SV-235936r628586_rule
  • SV-70475
Anytime an authentication method is exposed so as to allow for the login to an application, there is a risk that attempts will be made to obtain unauthorized access. By limiting the number of failed login attempts that occur within a particular time period, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account once the number of failed attempts has been exceeded.
Checks: C-39155r628584_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Configuration' tab -&gt; 'User Lockout' tab 5. Ensure the following field values are set: 'Lockout Threshold' = 3 'Lockout Duration' = 15 'Lockout Reset Duration' = 15 If 'Lockout Threshold' is not set to 3 or 'Lockout Duration' is not set to 15 or 'Lockout Reset Duration' is not set to 15, this is a finding.

Fix: F-39118r628585_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Configuration' tab -> 'User Lockout' tab 5. Utilize 'Change Center' to create a new change session 6. Set the following values in the fields as shown: 'Lockout Threshold' = 3 'Lockout Duration' = 15 'Lockout Reset Duration' = 15 7. Click 'Save', and from 'Change Center' click 'Activate Changes' to enable configuration changes

b
Oracle WebLogic must enforce the organization-defined time period during which the limit of consecutive invalid access attempts by a user is counted.
CM-6 - Medium - CCI-000366 - V-235937 - SV-235937r628589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WBLC-01-000033
Vuln IDs
  • V-235937
  • V-56223
Rule IDs
  • SV-235937r628589_rule
  • SV-70477
By limiting the number of failed login attempts, the risk of unauthorized system access via automated user password guessing, otherwise known as brute-forcing, is reduced. Best practice requires a time period be applied in which the number of failed attempts is counted (Example: 5 failed attempts within 5 minutes). Limits are imposed by locking the account. Application servers provide a management capability that allows a user to login via a web interface or a command shell. Application servers also utilize either a local user store or a centralized user store such as an LDAP server. As such, the authentication method employed by the application server must be able to limit the number of consecutive invalid access attempts within the specified time period regardless of access method or user store utilized.
Checks: C-39156r628587_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Configuration' tab -&gt; 'User Lockout' tab 5. Ensure the following field values are set: 'Lockout Threshold' = 3 'Lockout Duration' = 15 'Lockout Reset Duration' = 15 If 'Lockout Threshold' is not set to 3 or 'Lockout Duration' is not set to 15 or 'Lockout Reset Duration' is not set to 15, this is a finding.

Fix: F-39119r628588_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Configuration' tab -> 'User Lockout' tab 5. Utilize 'Change Center' to create a new change session 6. Set the following values in the fields as shown: 'Lockout Threshold' = 3 'Lockout Duration' = 15 'Lockout Reset Duration' = 15 7. Click 'Save', and from 'Change Center' click 'Activate Changes' to enable configuration changes

b
Oracle WebLogic must automatically lock accounts when the maximum number of unsuccessful login attempts is exceeded for an organization-defined time period or until the account is unlocked by an administrator.
CM-6 - Medium - CCI-000366 - V-235938 - SV-235938r628592_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WBLC-01-000034
Vuln IDs
  • V-235938
  • V-56225
Rule IDs
  • SV-235938r628592_rule
  • SV-70479
Anytime an authentication method is exposed so as to allow for the utilization of an application interface, there is a risk that attempts will be made to obtain unauthorized access. By locking the account when the pre-defined number of failed login attempts has been exceeded, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Specifying a time period in which the account is to remain locked serves to obstruct the operation of automated password guessing tools while allowing a valid user to reinitiate login attempts after the expiration of the time period without administrative assistance.
Checks: C-39157r628590_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Configuration' tab -&gt; 'User Lockout' tab 5. Ensure the following field values are set: 'Lockout Threshold' = 3 'Lockout Duration' = 15 'Lockout Reset Duration' = 15 If 'Lockout Threshold' is not set to 3 or 'Lockout Duration' is not set to 15 or 'Lockout Reset Duration' is not set to 15, this is a finding.

Fix: F-39120r628591_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Configuration' tab -> 'User Lockout' tab 5. Utilize 'Change Center' to create a new change session 6. Set the following values in the fields as shown: 'Lockout Threshold' = 3 'Lockout Duration' = 15 'Lockout Reset Duration' = 15 7. Click 'Save', and from 'Change Center' click 'Activate Changes' to enable configuration changes

b
Oracle WebLogic must protect against an individual falsely denying having performed a particular action.
AU-10 - Medium - CCI-000166 - V-235939 - SV-235939r628595_rule
RMF Control
AU-10
Severity
Medium
CCI
CCI-000166
Version
WBLC-02-000062
Vuln IDs
  • V-235939
  • V-56227
Rule IDs
  • SV-235939r628595_rule
  • SV-70481
Non-repudiation of actions taken is required in order to maintain application integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. Non-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document. Typical application server actions requiring non-repudiation will be related to application deployment among developer/users and administrative actions taken by admin personnel.
Checks: C-39158r628593_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -&gt; 'Security' -&gt; 'Audit Policy' 3. Select 'Oracle Platform Security Services' from the 'Audit Component Name' dropdown 4. Beneath 'Audit Policy Settings' section, ensure that the value 'Custom' is set in the 'Audit Level' dropdown 5. Beneath 'Audit Policy Settings' section, ensure that every checkbox is selected under the 'Select For Audit' column of the policy category table 6. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -&gt; 'Logs' -&gt; 'View Log Messages' 7. Within the 'Search' panel, expand 'Selected Targets' 8. Click 'Target Log Files' icon for any of the managed server or 'Application Deployment' type targets (not AdminServer) 9. From the list of log files, select '&lt;server-name&gt;.log', 'access.log' or '&lt;server-name&gt;-diagnostic.log' and click 'View Log File' button 10. User or process associated with audit event will be displayed in 'User' column 11. If 'User' column does not appear, use 'View' button -&gt; 'Columns' list to add 'User' field, or select individual message in log message table and view the message detail (beneath the table) 12. Repeat steps 6-11 for each target If the user is not part of the audit events, this is a finding.

Fix: F-39121r628594_fix

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Security' -> 'Audit Policy' 3. Select 'Oracle Platform Security Services' from the 'Audit Component Name' dropdown 4. Beneath 'Audit Policy Settings' section, select 'Custom' from the 'Audit Level' dropdown 5. Once it is enabled, click the 'Audit All Events' button and ensure every checkbox is selected under the 'Select For Audit' column of the policy category table. Click 'Apply' 6. If managed server or deployments do not appear in the list of log files, the 'JRF Template' must be applied to the server/cluster 7. Access EM 8. Select the server or cluster from the navigation tree 9. If the 'Apply JRF Template' button appears, click this button and wait for the confirmation message that the template has been successfully applied 10. Again, select the server or cluster from the navigation tree 11. Click the 'Shut Down...' button, and click 'Shutdown' in the confirmation popup. Wait for server or cluster to shut down 12. Click the 'Start Up' button for the server or cluster to start up again

a
Oracle WebLogic must compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within an organization-defined level of tolerance.
AU-12 - Low - CCI-000174 - V-235940 - SV-235940r628598_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000174
Version
WBLC-02-000065
Vuln IDs
  • V-235940
  • V-56229
Rule IDs
  • SV-235940r628598_rule
  • SV-70483
Audit generation and audit records can be generated from various components within the application server. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (e.g., auditable events, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked). The events occurring must be time-correlated in order to conduct accurate forensic analysis. In addition, the correlation must meet a certain tolerance criteria. For instance, DoD may define that the time stamps of different audited events must not differ by any amount greater than ten seconds. It is also acceptable for the application server to utilize an external auditing tool that provides this capability.
Checks: C-39159r628596_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -&gt; 'JDBC Data Sources' 3. From the list of data sources, select the one named 'opss-audit-DBDS', which connects to the IAU_APPEND schema of the audit database. Note the value in the 'JNDI name' field. 4. To verify, select 'Configuration' tab -&gt; 'Connection Pool' tab 5. Ensure the 'URL' and 'Properties' fields contain the correct connection values for the IAU_APPEND schema 6. To test, select 'Monitoring' tab, select a server from the list and click 'Test Data Source'. Ensure test was successful. Repeat for each server in the list 7. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -&gt; 'Security' -&gt; 'Security Provider Configuration' 8. Beneath 'Audit Service' section, click 'Configure' button 9. Ensure 'Data Source JNDI Name' value matches the JNDI Name value from data source in step 3 above 10. Repeat steps 2-6 for data source named 'wls-wldf-storeDS' and WLS schema 11. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -&gt; 'Logs' -&gt; 'View Log Messages' 12. Within the 'Search' panel, expand 'Selected Targets' 13. Use the list of targets to navigate and drill into the log files across the domain If any of the targets are not being logged, this is a finding.

Fix: F-39122r628597_fix

1. Access AC 2. From 'Domain Structure', select 'Services' -> 'Data Sources' 3. Utilize 'Change Center' to create a new change session 4. Click 'New' data source to create a new data source for the audit data store using schema IAU_APPEND 5. Enter database details and JNDI name, click through wizard 6. Select all servers and clusters available as targets to deploy this data source to 7. Finish creating the data source and record the JNDI name 8. Access EM 9. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Security' -> 'Security Provider Configuration' 10. Beneath 'Audit Service' section, click 'Configure' button 11. Set the values for the IAU_APPEND schema and save configuration 12. Repeat steps 2-7 for data source named 'wls-wldf-storeDS' and WLS schema

a
Oracle WebLogic must generate audit records for the DoD-selected list of auditable events.
AU-12 - Low - CCI-000172 - V-235941 - SV-235941r628601_rule
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
WBLC-02-000069
Vuln IDs
  • V-235941
  • V-56231
Rule IDs
  • SV-235941r628601_rule
  • SV-70485
Audit records can be generated from various components within the application server. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (e.g., auditable events, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked). The DoD-required auditable events are events that assist in intrusion detection and forensic analysis. Failure to capture them increases the likelihood that an adversary can breach the system without detection.
Checks: C-39160r628599_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -&gt; 'Logs' -&gt; 'View Log Messages' 3. Within the 'Search' panel, expand 'Selected Targets' 4. Click 'Target Log Files' icon for 'AdminServer' target 5. From the list of log files, select 'access.log' and click 'View Log File' button 6. All HTTPD, JVM, AS process event and other logging of the AdminServer will be displayed 7. Repeat for each managed server If there are no events being logged for any of the managed servers or the AdminServer, this is a finding.

Fix: F-39123r628600_fix

1. Access AC 2. From 'Domain Structure', select 'Environment' -> 'Servers' 3. From the list of servers, select one which needs logging enabled 4. Utilize 'Change Center' to create a new change session 5. From 'Logging' tab -> 'HTTP' tab, select 'HTTP access log file enabled' checkbox. Click 'Save' 6. From 'Logging' tab -> 'General' tab, set the 'Log file name' field to 'logs/<server-name>.log. Click 'Save' 7. From 'Change Center' click 'Activate Changes' to enable configuration changes 8. Access EM 9. Expand the domain from the navigation tree, and select the server which needs JVM logging configured 10. Use the dropdown to select 'WebLogic Server' -> 'Logs' -> 'Log Configuration' 11. Select the 'Log Levels' tab, and within the table, expand 'Root Logger' node 12. Set 'Oracle Diagnostic Logging Level' value to 'WARNING' and click 'Apply'

a
Oracle WebLogic must produce process events and severity levels to establish what type of HTTPD-related events and severity levels occurred.
AU-3 - Low - CCI-000130 - V-235942 - SV-235942r628604_rule
RMF Control
AU-3
Severity
Low
CCI
CCI-000130
Version
WBLC-02-000073
Vuln IDs
  • V-235942
  • V-56233
Rule IDs
  • SV-235942r628604_rule
  • SV-70487
Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Application servers must log all relevant log data that pertains to application server functionality. Examples of relevant data include, but are not limited to Java Virtual Machine (JVM) activity, HTTPD/Web server activity and application server-related system process activity.
Checks: C-39161r628602_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -&gt; 'Logs' -&gt; 'View Log Messages' 3. Within the 'Search' panel, expand 'Selected Targets' 4. Click 'Target Log Files' icon for 'AdminServer' target 5. From the list of log files, select 'access.log' and click 'View Log File' button 6. All HTTPD logging of the AdminServer will be displayed 7. Repeat for each managed server If any managed server or the AdminServer does not have HTTPD events within the access.log file, this is a finding.

Fix: F-39124r628603_fix

1. Access AC 2. From 'Domain Structure', select 'Environment' -> 'Servers' 3. From the list of servers, select one which needs HTTPD logging enabled 4. Utilize 'Change Center' to create a new change session 5. From 'Logging' tab -> 'HTTP' tab, select 'HTTP access log file enabled' checkbox 6. Click 'Save', and from 'Change Center' click 'Activate Changes' to enable configuration changes

a
Oracle WebLogic must produce audit records containing sufficient information to establish what type of JVM-related events and severity levels occurred.
AU-3 - Low - CCI-000130 - V-235943 - SV-235943r628607_rule
RMF Control
AU-3
Severity
Low
CCI
CCI-000130
Version
WBLC-02-000074
Vuln IDs
  • V-235943
  • V-56235
Rule IDs
  • SV-235943r628607_rule
  • SV-70489
Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control, includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Application servers must log all relevant log data that pertains to application server functionality. Examples of relevant data include, but are not limited to, Java Virtual Machine (JVM) activity, HTTPD activity and application server-related system process activity.
Checks: C-39162r628605_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -&gt; 'Logs' -&gt; 'View Log Messages' 3. Within the 'Search' panel, expand 'Selected Targets' 4. Click 'Target Log Files' icon for 'AdminServer' target 5. From the list of log files, select '&lt;server-name&gt;-diagnostic.log' and click 'View Log File' button 6. All JVM logging of the AdminServer will be displayed 7. Repeat for each managed server If there are no JVM-related events for the managed servers or the AdminServer, this is a finding.

Fix: F-39125r628606_fix

1. Access EM 2. Expand the domain from the navigation tree, and select the server which needs JVM logging configured 3. Use the dropdown to select 'WebLogic Server' -> 'Logs' -> 'Log Configuration' 4. Select the 'Log Levels' tab, and within the table, expand 'Root Logger' node 5. Set 'Oracle Diagnostic Logging Level' value to 'WARNING' and click 'Apply'

a
Oracle WebLogic must produce process events and security levels to establish what type of Oracle WebLogic process events and severity levels occurred.
AU-3 - Low - CCI-000130 - V-235944 - SV-235944r628610_rule
RMF Control
AU-3
Severity
Low
CCI
CCI-000130
Version
WBLC-02-000075
Vuln IDs
  • V-235944
  • V-56237
Rule IDs
  • SV-235944r628610_rule
  • SV-70491
Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control, includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Application servers must log all relevant log data that pertains to application server functionality. Examples of relevant data include, but are not limited to, Java Virtual Machine (JVM) activity, HTTPD activity and application server-related system process activity.
Checks: C-39163r628608_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -&gt; 'Logs' -&gt; 'View Log Messages' 3. Within the 'Search' panel, expand 'Selected Targets' 4. Click 'Target Log Files' icon for 'AdminServer' target 5. From the list of log files, select '&lt;server-name&gt;.log' and click 'View Log File' button 6. All AS process logging of the AdminServer will be displayed 7. Repeat for each managed server If the managed servers or AdminServer does not have process events, this is a finding.

Fix: F-39126r628609_fix

1. Access AC 2. From 'Domain Structure', select 'Environment' -> 'Servers' 3. From the list of servers, select one which needs AS process logging configured 4. Utilize 'Change Center' to create a new change session 5. From 'Logging' tab -> 'General' tab, set the 'Log file name' field to 'logs/<server-name>.log 6. Click 'Save', and from 'Change Center' click 'Activate Changes' to enable configuration changes

a
Oracle WebLogic must produce audit records containing sufficient information to establish when (date and time) the events occurred.
AU-3 - Low - CCI-000131 - V-235945 - SV-235945r628613_rule
RMF Control
AU-3
Severity
Low
CCI
CCI-000131
Version
WBLC-02-000076
Vuln IDs
  • V-235945
  • V-56239
Rule IDs
  • SV-235945r628613_rule
  • SV-70493
Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. In addition to logging event information, application servers must also log the corresponding dates and times of these events. Examples of event data include, but are not limited to, Java Virtual Machine (JVM) activity, HTTPD activity and application server-related system process activity.
Checks: C-39164r628611_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -&gt; 'Logs' -&gt; 'View Log Messages' 3. Within the 'Search' panel, expand 'Selected Targets' 4. Click 'Target Log Files' icon for any of the managed server or 'Application Deployment' type targets (not AdminServer) 5. From the list of log files, select '&lt;server-name&gt;.log', 'access.log' or '&lt;server-name&gt;-diagnostic.log' and click 'View Log File' button 6. Time stamp of audit event will be displayed in 'Time' column 7. If 'Time' column does not appear, use 'View' button -&gt; 'Columns' list to add 'Time' field, or select individual message in log message table and view the message detail (beneath the table) 8. Repeat for each target If any of the targets generate audit records without date and time data, this is a finding.

Fix: F-39127r628612_fix

1. If managed server or deployments do not appear in the list of log files, the 'JRF Template' must be applied to the server/cluster 2. Access EM 3. Select the server or cluster from the navigation tree 4. If the 'Apply JRF Template' button appears, click this button and wait for the confirmation message that the template has been successfully applied 5. Again, select the server or cluster from the navigation tree 6. Click the 'Shut Down...' button, and click 'Shutdown' in the confirmation popup. Wait for server or cluster to shut down. 7. Click the 'Start Up' button for the server or cluster to start up again

a
Oracle WebLogic must produce audit records containing sufficient information to establish where the events occurred.
AU-3 - Low - CCI-000132 - V-235946 - SV-235946r628616_rule
RMF Control
AU-3
Severity
Low
CCI
CCI-000132
Version
WBLC-02-000077
Vuln IDs
  • V-235946
  • V-56241
Rule IDs
  • SV-235946r628616_rule
  • SV-70495
Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Without sufficient information establishing where the audit events occurred, investigation into the cause of events is severely hindered. In addition to logging relevant data, application servers must also log information to indicate the location of these events. Examples of relevant data include, but are not limited to, Java Virtual Machine (JVM) activity, HTTPD activity and application server-related system process activity.
Checks: C-39165r628614_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -&gt; 'Logs' -&gt; 'View Log Messages' 3. Within the 'Search' panel, expand 'Selected Targets' 4. Click 'Target Log Files' icon for any of the managed server or 'Application Deployment' type targets (not AdminServer) 5. From the list of log files, select '&lt;server-name&gt;.log', 'access.log' or '&lt;server-name&gt;-diagnostic.log' and click 'View Log File' button 6. Select any record which appears in the log message table 7. Location of audit event will be displayed in 'Component' and 'Module' fields of the message detail (beneath the table) 8. Repeat for each target If any of the targets generate audit records without sufficient information to establish where the event occurred, this is a finding.

Fix: F-39128r628615_fix

1. If managed server or deployments do not appear in the list of log files, the 'JRF Template' must be applied to the server/cluster 2. Access EM 3. Select the server or cluster from the navigation tree 4. If the 'Apply JRF Template' button appears, click this button and wait for the confirmation message that the template has been successfully applied 5. Again, select the server or cluster from the navigation tree 6. Click the 'Shut Down...' button, and click 'Shutdown' in the confirmation popup. Wait for server or cluster to shut down. 7. Click the 'Start Up' button for the server or cluster to start up again

a
Oracle WebLogic must produce audit records containing sufficient information to establish the sources of the events.
AU-3 - Low - CCI-000133 - V-235947 - SV-235947r628619_rule
RMF Control
AU-3
Severity
Low
CCI
CCI-000133
Version
WBLC-02-000078
Vuln IDs
  • V-235947
  • V-56243
Rule IDs
  • SV-235947r628619_rule
  • SV-70497
Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application specific events, success/fail indications, filenames involved, access control or flow control rules invoked. Without information establishing the source of activity, the value of audit records from a forensics perspective is questionable. Examples of activity sources include, but are not limited to, application process sources such as one process affecting another process, user-related activity, and activity resulting from remote network system access (IP addresses).
Checks: C-39166r628617_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -&gt; 'Logs' -&gt; 'View Log Messages' 3. Within the 'Search' panel, expand 'Selected Targets' 4. Click 'Target Log Files' icon for any of the managed server or 'Application Deployment' type targets (not AdminServer) 5. From the list of log files, select '&lt;server-name&gt;.log', 'access.log' or '&lt;server-name&gt;-diagnostic.log' and click 'View Log File' button 6. Select any record which appears in the log message table 7. Source of audit event will be displayed in 'Host', 'Host IP Address', 'Thread ID', 'REMOTE_HOST' fields of the message detail (beneath the table), depending on which logfile and target type is selected 8. Repeat for each target If any of the targets generate audit records without sufficient information to establish the source of the events, this is a finding.

Fix: F-39129r628618_fix

1. If managed server or deployments do not appear in the list of log files, the 'JRF Template' must be applied to the server/cluster 2. Access EM 3. Select the server or cluster from the navigation tree 4. If the 'Apply JRF Template' button appears, click this button and wait for the confirmation message that the template has been successfully applied 5. Again, select the server or cluster from the navigation tree 6. Click the 'Shut Down...' button, and click 'Shutdown' in the confirmation popup. Wait for server or cluster to shut down. 7. Click the 'Start Up' button for the server or cluster to start up again

a
Oracle WebLogic must produce audit records that contain sufficient information to establish the outcome (success or failure) of application server and application events.
AU-3 - Low - CCI-000134 - V-235948 - SV-235948r628622_rule
RMF Control
AU-3
Severity
Low
CCI
CCI-000134
Version
WBLC-02-000079
Vuln IDs
  • V-235948
  • V-56245
Rule IDs
  • SV-235948r628622_rule
  • SV-70499
Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application specific events, success/fail indications, filenames involved, access control or flow control rules invoked. Success and failure indicators ascertain the outcome of a particular application server event of function. As such, they also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response.
Checks: C-39167r628620_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -&gt; 'Logs' -&gt; 'View Log Messages' 3. Within the 'Search' panel, expand 'Selected Targets' 4. Click 'Target Log Files' icon for any of the managed server or 'Application Deployment' type targets (not AdminServer) 5. From the list of log files, select '&lt;server-name&gt;.log', 'access.log' or '&lt;server-name&gt;-diagnostic.log' and click 'View Log File' button 6. Outcome of audit event will be displayed in 'Message Type' column. 'Error' or 'Exception' indicates failures, others message types indicate success 7. If 'Message Type' column does not appear, use 'View' button -&gt; 'Columns' list to add 'Message Type' field, or select individual message in log message table and view the message detail (beneath the table) 8. Repeat for each target If any of the targets generate audit records without sufficient information to establish the outcome of the event, this is a finding.

Fix: F-39130r628621_fix

1. If managed server or deployments do not appear in the list of log files, the 'JRF Template' must be applied to the server/cluster 2. Access EM 3. Select the server or cluster from the navigation tree 4. If the 'Apply JRF Template' button appears, click this button and wait for the confirmation message that the template has been successfully applied 5. Again, select the server or cluster from the navigation tree 6. Click the 'Shut Down...' button, and click 'Shutdown' in the confirmation popup. Wait for server or cluster to shut down. 7. Click the 'Start Up' button for the server or cluster to start up again

b
Oracle WebLogic must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event.
AU-3 - Medium - CCI-001487 - V-235949 - SV-235949r628625_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-001487
Version
WBLC-02-000080
Vuln IDs
  • V-235949
  • V-56247
Rule IDs
  • SV-235949r628625_rule
  • SV-70501
Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control, includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Application servers have differing levels of logging capabilities which can be specified by setting a verbosity level. The application server must, at a minimum, be capable of establishing the identity of any user or process that is associated with any particular event.
Checks: C-39168r628623_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -&gt; 'Logs' -&gt; 'View Log Messages' 3. Within the 'Search' panel, expand 'Selected Targets' 4. Click 'Target Log Files' icon for any of the managed server or 'Application Deployment' type targets (not AdminServer) 5. From the list of log files, select '&lt;server-name&gt;.log', 'access.log' or '&lt;server-name&gt;-diagnostic.log' and click 'View Log File' button 6. User or process associated with audit event will be displayed in 'User' column 7. If 'User' column does not appear, use 'View' button -&gt; 'Columns' list to add 'User' field, or select individual message in log message table and view the message detail (beneath the table) 8. Repeat for each target If any of the targets generate audit records without sufficient information to establish the identity of any user/subject or process, this is a finding.

Fix: F-39131r628624_fix

1. If managed server or deployments do not appear in the list of log files, the 'JRF Template' must be applied to the server/cluster 2. Access EM 3. Select the server or cluster from the navigation tree 4. If the 'Apply JRF Template' button appears, click this button and wait for the confirmation message that the template has been successfully applied 5. Again, select the server or cluster from the navigation tree 6. Click the 'Shut Down...' button, and click 'Shutdown' in the confirmation popup. Wait for server or cluster to shut down 7. Click the 'Start Up' button for the server or cluster to start up again

b
Oracle WebLogic must provide the ability to write specified audit record content to an audit log server.
AU-4 - Medium - CCI-001851 - V-235950 - SV-235950r628628_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
WBLC-02-000081
Vuln IDs
  • V-235950
  • V-56249
Rule IDs
  • SV-235950r628628_rule
  • SV-70503
Information system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application specific events, success/fail indications, filenames involved, access control or flow control rules invoked. Centralized management of audit records and logs provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. Application servers and their related components are required to be capable of writing logs to centralized audit log servers.
Checks: C-39169r628626_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -&gt; 'JDBC Data Sources' 3. From the list of data sources, select the one named 'opss-audit-DBDS', which connects to the IAU_APPEND schema of the audit database. Note the value in the 'JNDI name' field 4. To verify, select 'Configuration' tab -&gt; 'Connection Pool' tab 5. Ensure the 'URL' and 'Properties' fields contain the correct connection values for the IAU_APPEND schema 6. To test, select 'Monitoring' tab, select a server from the list and click 'Test Data Source'. Ensure test was successful. Repeat for each server in the list 7. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -&gt; 'Security' -&gt; 'Security Provider Configuration' 8. Beneath 'Audit Service' section, click 'Configure' button 9. Ensure 'Data Source JNDI Name' value matches the JNDI Name value from data source in step 3 above 10. Repeat steps 2-6 for data source named 'wls-wldf-storeDS' and WLS schema If the location for audit data is not an audit log server, this is a finding.

Fix: F-39132r628627_fix

1. Access AC 2. From 'Domain Structure', select 'Services' -> 'Data Sources' 3. Utilize 'Change Center' to create a new change session 4. Click 'New' data source to create a new data source for the audit data store using schema IAU_APPEND 5. Enter database details and JNDI name, click through wizard 6. Select all servers and clusters available as targets to deploy this data source to 7. Finish creating the data source and record the JNDI name 8. Access EM 9. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Security' -> 'Security Provider Configuration' 10. Beneath 'Audit Service' section, click 'Configure' button 11. Set the values for the IAU_APPEND schema and save configuration 12. Repeat steps 2-7 for data source named 'wls-wldf-storeDS' and WLS schema

a
Oracle WebLogic must provide a real-time alert when organization-defined audit failure events occur.
AU-5 - Low - CCI-000139 - V-235951 - SV-235951r628631_rule
RMF Control
AU-5
Severity
Low
CCI
CCI-000139
Version
WBLC-02-000083
Vuln IDs
  • V-235951
  • V-56251
Rule IDs
  • SV-235951r628631_rule
  • SV-70505
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Notification of the failure event will allow administrators to take actions so that logs are not lost.
Checks: C-39170r628629_chk

1. Access AC 2. From 'Domain Structure', select 'Diagnostics' -&gt; 'Diagnostic Modules' 3. Select 'Module-HealthState' from 'Diagnostic System Modules' list 4. Select 'Configuration' tab -&gt; 'Watches and Notifications' tab. Select the 'Watches' tab from the bottom of page 5. Ensure 'ServerHealthWatch' row has 'Enabled' column value set to 'true' 6. Select 'Configuration' tab -&gt; 'Watches and Notifications' tab. Select the 'Notifications' tab from the bottom of page 7. Ensure 'ServerHealthNotification' row has 'Enable Notification' column value set to 'true' If 'ServerHealthNotification' row has 'Enable Notification' column value is not set to 'true', this is a finding.

Fix: F-39133r628630_fix

1. Access AC 2. Utilize 'Change Center' to create a new change session 3. From 'Domain Structure', select 'Diagnostics' -> 'Diagnostic Modules' 4. If 'Module-HealthState' does not exist, click 'New' button. Enter 'Module-HealthState' in 'Name' field and click 'OK' button. 5. Select 'Module-HealthState' from 'Diagnostic System Modules' list 6. Select 'Configuration' tab -> 'Watches and Notifications' tab. Select the 'Watches' tab from the bottom of page 7. Click 'New' button. Set the following values in the fields as shown: 'Watch Name' = 'ServerHealthWatch' 'Watch Type' = 'Collected Metrics' 'Enable Watch' = selected 8. Click 'Next' 9. Click 'Add Expressions' 10. Set 'MBean Server location' dropdown value to 'ServerRuntime'. Click 'Next' 11. Set 'MBean Type' dropdown value to 'weblogic.management.runtime.ServerRuntimeMBean'. Click 'Next' 12. Set 'Instance' dropdown value to a WebLogic Server instance to be monitored. Click 'Next' 13. Select 'Enter an Attribute Expression' radio button, enter following value in 'Attribute Expression' field: HealthState.State 14. Set 'Operator' dropdown value to '>='. Set 'Value' field to '3'. Click 'Finish' 15. Repeat steps 9-14 for all WebLogic Server instances to be monitored. Click 'Finish' 16. Continuing from step 6 above, select the 'Notifications' tab from the bottom of page 17. Click 'New' button. Set 'Type' dropdown value to 'SMTP (E-Mail)'. Click 'Next'. Set the following values in the fields as shown: 'Notification Name' = 'ServerHealthNotification' 'Enable Notification' = selected 18. Click 'Next' 19. Select an existing 'Mail Session Name', or click 'Create a New Mail Session' button to create one (JNDI name and Java mail settings must be known) 20. In 'E-Mail Recipients' text area, add list of administrator email addresses, and customize 'E-Mail Subject' and 'E-Mail Body' fields as needed. Click 'Finish' 21. Return to the 'Watches' tab from the bottom of page. Select 'ServerHealthWatch' Select 'Notifications' tab 22. Use shuttle list to set 'ServerHealthNotification' into the 'Chosen' table. Click 'Save'

a
Oracle WebLogic must alert designated individual organizational officials in the event of an audit processing failure.
AU-5 - Low - CCI-000139 - V-235952 - SV-235952r628634_rule
RMF Control
AU-5
Severity
Low
CCI
CCI-000139
Version
WBLC-02-000084
Vuln IDs
  • V-235952
  • V-56253
Rule IDs
  • SV-235952r628634_rule
  • SV-70507
Audit processing failures include, but are not limited to, failures in the application server log capturing mechanisms or audit storage capacity being reached or exceeded. In some instances, it is preferred to send alarms to individuals rather than to an entire group. Application servers must be able to trigger an alarm and send that alert to designated individuals in the event there is an application server audit processing failure.
Checks: C-39171r628632_chk

1. Access AC 2. From 'Domain Structure', select 'Diagnostics' -&gt; 'Diagnostic Modules' 3. Select 'Module-HealthState' from 'Diagnostic System Modules' list 4. Select 'Configuration' tab -&gt; 'Watches and Notifications' tab. Select the 'Watches' tab from the bottom of page 5. Ensure 'ServerHealthWatch' row has 'Enabled' column value set to 'true' 6. Select 'Configuration' tab -&gt; 'Watches and Notifications' tab. Select the 'Notifications' tab from the bottom of page 7. Ensure 'ServerHealthNotification' row has 'Enable Notification' column value set to 'true' If 'ServerHealthNotification' row has 'Enable Notification' column value is not set to 'true', this is a finding.

Fix: F-39134r628633_fix

1. Access AC 2. Utilize 'Change Center' to create a new change session 3. From 'Domain Structure', select 'Diagnostics' -> 'Diagnostic Modules' 4. If 'Module-HealthState' does not exist, click 'New' button. Enter 'Module-HealthState' in 'Name' field and click 'OK' button 5. Select 'Module-HealthState' from 'Diagnostic System Modules' list 6. Select 'Configuration' tab -> 'Watches and Notifications' tab. Select the 'Watches' tab from the bottom of page 7. Click 'New' button. Set the following values in the fields as shown: 'Watch Name' = 'ServerHealthWatch' 'Watch Type' = 'Collected Metrics' 'Enable Watch' = selected 8. Click 'Next' 9. Click 'Add Expressions' 10. Set 'MBean Server location' dropdown value to 'ServerRuntime'. Click 'Next' 11. Set 'MBean Type' dropdown value to 'weblogic.management.runtime.ServerRuntimeMBean'. Click 'Next' 12. Set 'Instance' dropdown value to a WebLogic Server instance to be monitored. Click 'Next' 13. Select 'Enter an Attribute Expression' radio button, enter following value in 'Attribute Expression' field: HealthState.State 14. Set 'Operator' dropdown value to '>='. Set 'Value' field to '3'. Click 'Finish' 15. Repeat steps 9-14 for all WebLogic Server instances to be monitored. Click 'Finish' 16. Continuing from step 6 above, select the 'Notifications' tab from the bottom of page 17. Click 'New' button. Set 'Type' dropdown value to 'SMTP (E-Mail)'. Click 'Next'. Set the following values in the fields as shown: 'Notification Name' = 'ServerHealthNotification' 'Enable Notification' = selected 18. Click 'Next' 19. Select an existing 'Mail Session Name', or click 'Create a New Mail Session' button to create one (JNDI name and Java mail settings must be known) 20. In 'E-Mail Recipients' text area, add list of administrator email addresses, and customize 'E-Mail Subject' and 'E-Mail Body' fields as needed. Click 'Finish' 21. Return to the 'Watches' tab from the bottom of page. Select 'ServerHealthWatch'. Select 'Notifications' tab 22. Use shuttle list to set 'ServerHealthNotification' into the 'Chosen' table. Click 'Save'

a
Oracle WebLogic must notify administrative personnel as a group in the event of audit processing failure.
AU-5 - Low - CCI-000140 - V-235953 - SV-235953r628637_rule
RMF Control
AU-5
Severity
Low
CCI
CCI-000140
Version
WBLC-02-000086
Vuln IDs
  • V-235953
  • V-56255
Rule IDs
  • SV-235953r628637_rule
  • SV-70509
Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. To ensure flexibility and ease of use, application servers must be capable of notifying a group of administrative personnel upon detection of an application audit log processing failure.
Checks: C-39172r628635_chk

1. Access AC 2. From 'Domain Structure', select 'Diagnostics' -&gt; 'Diagnostic Modules' 3. Select 'Module-HealthState' from 'Diagnostic System Modules' list 4. Select 'Configuration' tab -&gt; 'Watches and Notifications' tab. Select the 'Watches' tab from the bottom of page 5. Ensure 'ServerHealthWatch' row has 'Enabled' column value set to 'true' 6. Select 'Configuration' tab -&gt; 'Watches and Notifications' tab. Select the 'Notifications' tab from the bottom of page 7. Ensure 'ServerHealthNotification' row has 'Enable Notification' column value set to 'true' If 'ServerHealthNotification' row has 'Enable Notification' column value not set to 'true', this is a finding.

Fix: F-39135r628636_fix

1. Access AC 2. Utilize 'Change Center' to create a new change session 3. From 'Domain Structure', select 'Diagnostics' -> 'Diagnostic Modules' 4. If 'Module-HealthState' does not exist, click 'New' button. Enter 'Module-HealthState' in 'Name' field and click 'OK' button 5. Select 'Module-HealthState' from 'Diagnostic System Modules' list 6. Select 'Configuration' tab -> 'Watches and Notifications' tab. Select the 'Watches' tab from the bottom of page 7. Click 'New' button. Set the following values in the fields as shown: 'Watch Name' = 'ServerHealthWatch' 'Watch Type' = 'Collected Metrics' 'Enable Watch' = selected 8. Click 'Next' 9. Click 'Add Expressions' 10. Set 'MBean Server location' dropdown value to 'ServerRuntime'. Click 'Next' 11. Set 'MBean Type' dropdown value to 'weblogic.management.runtime.ServerRuntimeMBean'. Click 'Next' 12. Set 'Instance' dropdown value to a WebLogic Server instance to be monitored. Click 'Next' 13. Select 'Enter an Attribute Expression' radio button, enter following value in 'Attribute Expression' field: HealthState.State 14. Set 'Operator' dropdown value to '>='. Set 'Value' field to '3'. Click 'Finish' 15. Repeat steps 9-14 for all WebLogic Server instances to be monitored. Click 'Finish' 16. Continuing from step 6 above, select the 'Notifications' tab from the bottom of page 17. Click 'New' button. Set 'Type' dropdown value to 'SMTP (E-Mail)'. Click 'Next'. Set the following values in the fields as shown: 'Notification Name' = 'ServerHealthNotification' 'Enable Notification' = selected 18. Click 'Next' 19. Select an existing 'Mail Session Name', or click 'Create a New Mail Session' button to create one (JNDI name and Java mail settings must be known) 20. In 'E-Mail Recipients' text area, add list of administrator email addresses, and customize 'E-Mail Subject' and 'E-Mail Body' fields as needed. Click 'Finish' 21. Return to the 'Watches' tab from the bottom of page. Select 'ServerHealthWatch'. Select 'Notifications' tab 22. Use shuttle list to set 'ServerHealthNotification' into the 'Chosen' table. Click 'Save'

a
Oracle WebLogic must use internal system clocks to generate time stamps for audit records.
AU-8 - Low - CCI-000159 - V-235954 - SV-235954r628640_rule
RMF Control
AU-8
Severity
Low
CCI
CCI-000159
Version
WBLC-02-000093
Vuln IDs
  • V-235954
  • V-56257
Rule IDs
  • SV-235954r628640_rule
  • SV-70511
Without the use of an approved and synchronized time source, configured on the systems, events cannot be accurately correlated and analyzed to determine what is transpiring within the application server. If an event has been triggered on the network, and the application server is not configured with the correct time, the event may be seen as insignificant, when in reality the events are related and may have a larger impact across the network. Synchronization of system clocks is needed in order to correctly correlate the timing of events that occur across multiple systems. Determining the correct time a particular event occurred on a system, via time stamps, is critical when conducting forensic analysis and investigating system events. Application servers must utilize the internal system clock when generating time stamps and audit records.
Checks: C-39173r628638_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -&gt; 'Security' -&gt; 'Security Provider Configuration' 3. Beneath 'Audit Service' section, click 'Configure' button 4. Ensure the 'Timezone Settings' radio button is set to 'UTC' so audit logs will be time stamped in Coordinated Universal Time regardless of the time zone of the underlying physical or virtual machine 5. The time stamp will be recorded according to the operating system's set time If the 'Timezone Settings' radio button is not set to 'UTC', this is a finding.

Fix: F-39136r628639_fix

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Security' -> 'Security Provider Configuration' 3. Beneath 'Audit Service' section, click 'Configure' button 4. Set the 'Timezone Settings' radio button to 'UTC' so audit logs will be time stamped in Coordinated Universal Time regardless of the time zone of the underlying physical or virtual machine 5. The time stamp will be recorded according to the operating system's set time 6. Click 'Apply' and restart the servers in the WebLogic domain

a
Oracle WebLogic must synchronize with internal information system clocks which, in turn, are synchronized on an organization-defined frequency with an organization-defined authoritative time source.
AU-8 - Low - CCI-002046 - V-235955 - SV-235955r628643_rule
RMF Control
AU-8
Severity
Low
CCI
CCI-002046
Version
WBLC-02-000094
Vuln IDs
  • V-235955
  • V-56259
Rule IDs
  • SV-235955r628643_rule
  • SV-70513
Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events. Synchronization of system clocks is needed in order to correctly correlate the timing of events that occur across multiple systems. To meet that requirement the organization will define an authoritative time source and frequency to which each system will synchronize its internal clock. Application servers must defer accurate timekeeping services to the operating system upon which the application server is installed.
Checks: C-39174r628641_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -&gt; 'Security' -&gt; 'Security Provider Configuration' 3. Beneath 'Audit Service' section, click 'Configure' button 4. Ensure the 'Timezone Settings' radio button is set to 'UTC' so audit logs will be time stamped in Coordinated Universal Time regardless of the time zone of the underlying physical or virtual machine 5. The time stamp will be recorded according to the operating system's set time If the 'Timezone Settings' radio button is not set to 'UTC', this is a finding.

Fix: F-39137r628642_fix

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Security' -> 'Security Provider Configuration' 3. Beneath 'Audit Service' section, click 'Configure' button 4. Set the 'Timezone Settings' radio button to 'UTC' so audit logs will be time stamped in Coordinated Universal Time regardless of the time zone of the underlying physical or virtual machine 5. The time stamp will be recorded according to the operating system's set time 6. Click 'Apply' and restart the servers in the WebLogic domain

a
Oracle WebLogic must protect audit information from any type of unauthorized read access.
AU-9 - Low - CCI-000162 - V-235956 - SV-235956r628646_rule
RMF Control
AU-9
Severity
Low
CCI
CCI-000162
Version
WBLC-02-000095
Vuln IDs
  • V-235956
  • V-56261
Rule IDs
  • SV-235956r628646_rule
  • SV-70515
If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access to audit records provides information an attacker could potentially use to his or her advantage. Application servers contain admin interfaces that allow reading and manipulation of audit records. Therefore, these interfaces should not allow for unfettered access to those records. Application servers also write audit data to log files which are stored on the OS, so appropriate file permissions must also be used to restrict access. Audit information includes all information (e.g., audit records, audit settings, transaction logs, and audit reports) needed to successfully audit information system activity. Application servers must protect audit information from unauthorized read access.
Checks: C-39175r628644_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Users and Groups' tab -&gt; 'Users' tab 5. From 'Users' table, select a user that must not have audit read access 6. From users settings page, select 'Groups' tab 7. Ensure the 'Chosen' table does not contain any of the following roles - 'Admin', 'Deployer', 'Monitor', 'Operator' 8. Repeat steps 5-7 for all users that must not have audit read access If any users that should not have access to read audit information contain any of the roles of 'Admin', 'Deployer', 'Monitor' or 'Operator', this is a finding.

Fix: F-39138r628645_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Users and Groups' tab -> 'Users' tab 5. From 'Users' table, select a user that must not have audit read access 6. From users settings page, select 'Groups' tab 7. From the 'Chosen' table, use the shuttle buttons to remove all of the following roles - 'Admin', 'Deployer', 'Monitor', 'Operator' 8. Click 'Save' 9. Repeat steps 5-8 for all users that must not have audit read access

b
Oracle WebLogic must protect audit tools from unauthorized access.
AU-9 - Medium - CCI-001493 - V-235957 - SV-235957r628649_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001493
Version
WBLC-02-000098
Vuln IDs
  • V-235957
  • V-56263
Rule IDs
  • SV-235957r628649_rule
  • SV-70517
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. It is, therefore, imperative that access to audit tools be controlled and protected from unauthorized access. Application servers provide a web and/or a command line-based management functionality for managing the application server audit capabilities. In addition, subsets of audit tool components may be stored on the file system as jar or xml configuration files. The application server must ensure that in addition to protecting any web based audit tools, any file system-based tools are protected as well.
Checks: C-39176r628647_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Users and Groups' tab -&gt; 'Users' tab 5. From 'Users' table, select a user that must not have audit tool configuration access 6. From users settings page, select 'Groups' tab 7. Ensure the 'Chosen' table does not contain the role - 'Admin' 8. Repeat steps 5-7 for all users that must not have audit tool configuration access If any users that should not have access to the audit tools contains the role of 'Admin', this is a finding.

Fix: F-39139r628648_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Users and Groups' tab -> 'Users' tab 5. From 'Users' table, select a user that must not have audit tool configuration access 6. From users settings page, select 'Groups' tab 7. From the 'Chosen' table, use the shuttle buttons to remove the role - 'Admin' 8. Click 'Save' 9. Repeat steps 5-8 for all users that must not have audit tool configuration access

b
Oracle WebLogic must protect audit tools from unauthorized modification.
AU-9 - Medium - CCI-001494 - V-235958 - SV-235958r628652_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001494
Version
WBLC-02-000099
Vuln IDs
  • V-235958
  • V-56265
Rule IDs
  • SV-235958r628652_rule
  • SV-70519
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. It is, therefore, imperative that access to audit tools be controlled and protected from unauthorized modification. If an attacker were to modify audit tools, he could also manipulate logs to hide evidence of malicious activity. Application servers provide a web- and/or a command line-based management functionality for managing the application server audit capabilities. In addition, subsets of audit tool components may be stored on the file system as jar or xml configuration files. The application server must ensure that in addition to protecting any web-based audit tools, any file system-based tools are protected as well.
Checks: C-39177r628650_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Users and Groups' tab -&gt; 'Users' tab 5. From 'Users' table, select a user that must not have audit tool configuration access 6. From users settings page, select 'Groups' tab 7. Ensure the 'Chosen' table does not contain the role - 'Admin' 8. Repeat steps 5-7 for all users that must not have audit tool configuration access If any users that should not have access to the audit tools contains the role of 'Admin', this is a finding.

Fix: F-39140r628651_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Users and Groups' tab -> 'Users' tab 5. From 'Users' table, select a user that must not have audit tool configuration access 6. From users settings page, select 'Groups' tab 7. From the 'Chosen' table, use the shuttle buttons to remove the role - 'Admin' 8. Click 'Save' 9. Repeat steps 5-8 for all users that must not have audit tool configuration access

b
Oracle WebLogic must protect audit tools from unauthorized deletion.
AU-9 - Medium - CCI-001495 - V-235959 - SV-235959r628655_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001495
Version
WBLC-02-000100
Vuln IDs
  • V-235959
  • V-56267
Rule IDs
  • SV-235959r628655_rule
  • SV-70521
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. It is, therefore, imperative that access to audit tools be controlled and protected from unauthorized modification. If an attacker were to delete audit tools the application server administrators would have no way of managing or viewing the logs. Application servers provide a web- and/or a command line-based management functionality for managing the application server audit capabilities. In addition, subsets of audit tool components may be stored on the file system as jar, class, or xml configuration files. The application server must ensure that in addition to protecting any web-based audit tools, any file system-based tools are protected from unauthorized deletion as well.
Checks: C-39178r628653_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Users and Groups' tab -&gt; 'Users' tab 5. From 'Users' table, select a user that must not have audit tool configuration access 6. From users settings page, select 'Groups' tab 7. Ensure the 'Chosen' table does not contain the role - 'Admin' 8. Repeat steps 5-7 for all users that must not have audit tool configuration access If any users that should not have access to the audit tools contains the role of 'Admin', this is a finding.

Fix: F-39141r628654_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Users and Groups' tab -> 'Users' tab 5. From 'Users' table, select a user that must not have audit tool configuration access 6. From users settings page, select 'Groups' tab 7. From the 'Chosen' table, use the shuttle buttons to remove the role - 'Admin' 8. Click 'Save' 9. Repeat steps 5-8 for all users that must not have audit tool configuration access

b
Oracle WebLogic must limit privileges to change the software resident within software libraries (including privileged programs).
CM-5 - Medium - CCI-001499 - V-235960 - SV-235960r628658_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
WBLC-03-000125
Vuln IDs
  • V-235960
  • V-56269
Rule IDs
  • SV-235960r628658_rule
  • SV-70523
Application servers have the ability to specify that the hosted applications utilize shared libraries. The application server must have a capability to divide roles based upon duties wherein one project user (such as a developer) cannot modify the shared library code of another project user. The application server must also be able to specify that non-privileged users cannot modify any shared library code at all.
Checks: C-39179r628656_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Users and Groups' tab -&gt; 'Users' tab 5. From 'Users' table, select a user that must not have shared library modification access 6. From users settings page, select 'Groups' tab 7. Ensure the 'Chosen' table does not contain the roles - 'Admin', 'Deployer' 8. Repeat steps 5-7 for all users that must not have shared library modification access If any users that are not permitted to change the software resident within software libraries (including privileged programs) have the role of 'Admin' or 'Deployer', this is a finding.

Fix: F-39142r628657_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Users and Groups' tab -> 'Users' tab 5. From 'Users' table, select a user that must not have shared library modification access 6. From users settings page, select 'Groups' tab 7. From the 'Chosen' table, use the shuttle buttons to remove the role - 'Admin', 'Deployer' 8. Click 'Save' 9. Repeat steps 5-8 for all users that must not have shared library modification access

b
Oracle WebLogic must adhere to the principles of least functionality by providing only essential capabilities.
CM-7 - Medium - CCI-000381 - V-235961 - SV-235961r628661_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
WBLC-03-000127
Vuln IDs
  • V-235961
  • V-56271
Rule IDs
  • SV-235961r628661_rule
  • SV-70525
Application servers provide a myriad of differing processes, features and functionalities. Some of these processes may be deemed to be unnecessary or too insecure to run on a production DoD system. Application servers must provide the capability to disable or deactivate functionality and services that are deemed to be non-essential to the server mission or can adversely impact server performance, for example, disabling dynamic JSP reloading on production application servers as a best practice.
Checks: C-39180r628659_chk

1. Access AC 2. From 'Domain Structure', select 'Deployments' 3. Select a deployment of type 'Web Application' from list of deployments 4. Select 'Configuration' tab -&gt; 'General' tab 5. Ensure 'JSP Page Check' field value is set to '-1', which indicates JSP reloading is disabled within this deployment. Repeat steps 3-5 for all 'Web Application' type deployments 6. For every WebLogic resource within the domain, the 'Configuration' tab and associated subtabs provide the ability to disable or deactivate functionality and services that are deemed to be non-essential to the server mission or can adversely impact server performance If the 'JSP Page Check' field is not set to '-1' or other services or functionality deemed to be non-essential to the server mission is not set to '-1', this is a finding.

Fix: F-39143r628660_fix

1. Access AC 2. From 'Domain Structure', select 'Deployments' 3. Select a deployment of type 'Web Application' from list of deployments 4. Select 'Configuration' tab -> 'General' tab 5. Utilize 'Change Center' to create a new change session 6. Set 'JSP Page Check' field value to '-1', which indicates JSP reloading is disabled within this deployment. Click 'Save'. Repeat steps 3-6 for all 'Web Application' type deployments. 7. For every WebLogic resource within the domain, the 'Configuration' tab and associated subtabs provide the ability to disable or deactivate functionality and services that are deemed to be non-essential to the server mission or can adversely impact server performance

b
Oracle WebLogic must prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services.
CM-7 - Medium - CCI-000382 - V-235962 - SV-235962r672376_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
WBLC-03-000128
Vuln IDs
  • V-235962
  • V-56273
Rule IDs
  • SV-235962r672376_rule
  • SV-70527
Application servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed to be unnecessary or too insecure to run on a production system. The application server must provide the capability to disable or deactivate network-related services that are deemed to be non-essential to the server mission, for example, disabling a protocol or feature that opens a listening port that is prohibited by DoD ports and protocols. For a list of approved ports and protocols reference the DoD ports and protocols web site at https://cyber.mil/ppsm.
Checks: C-39181r628662_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -&gt; 'Monitoring' -&gt; 'Port Usage' 3. In the results table, ensure values in the 'Port in Use' column match approved ports 4. In the results table, ensure values in the 'Protocol' column match approved protocols If any ports listed in the 'Port in Use' column is an unauthorized port or any protocols listed in the 'Protocol' column is an unauthorized protocol, this is a finding.

Fix: F-39144r628663_fix

1. Access AC 2. To change port or protocol values, from 'Domain Structure', select 'Environment' -> 'Servers' 3. From the list of servers, select one which needs modification 4. Utilize 'Change Center' to create a new change session 5. To modify port assignment, from 'Configuration' tab -> 'General' tab, reassign the port for this server by changing the 'SSL Listen Port' field and click 'Save' 6. To modify protocol configuration, select 'Protocols' tab 7. Use the subtabs 'HTTP', 'jCOM' and 'IIOP' to configure these protocols 8. Use the 'Channels' subtab to create/modify channels which configure other protocols 9. Repeat steps 3-8 for all servers requiring modification 10. Review the 'Port Usage' table in EM again to ensure port has been reassigned

a
Oracle WebLogic must utilize automated mechanisms to prevent program execution on the information system.
CM-6 - Low - CCI-000366 - V-235963 - SV-235963r628667_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
WBLC-03-000129
Vuln IDs
  • V-235963
  • V-56275
Rule IDs
  • SV-235963r628667_rule
  • SV-70529
The application server must provide a capability to halt or otherwise disable the automatic execution of deployed applications until such time that the application is considered part of the established application server baseline. Deployment to the application server should not provide a means for automatic application start-up should the application server itself encounter a restart condition.
Checks: C-39182r628665_chk

1. Access AC 2. From 'Domain Structure', select the top-level domain 3. Select 'Configuration' tab -&gt; 'General' tab 4. Ensure 'Production Mode' checkbox is selected If the 'Production Mode' checkbox is not selected, this is a finding.

Fix: F-39145r628666_fix

1. Access AC 2. From 'Domain Structure', select the top-level domain 3. Select 'Configuration' tab -> 'General' tab 4. Check 'Production Mode' checkbox. Click 'Save' 5. Restart all servers

c
Oracle WebLogic must uniquely identify and authenticate users (or processes acting on behalf of users).
IA-2 - High - CCI-000764 - V-235964 - SV-235964r628670_rule
RMF Control
IA-2
Severity
High
CCI
CCI-000764
Version
WBLC-05-000150
Vuln IDs
  • V-235964
  • V-56277
Rule IDs
  • SV-235964r628670_rule
  • SV-70531
To assure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. The application server must uniquely identify and authenticate application server users or processes acting on behalf of users. This is typically accomplished via the use of a user store which is either local (OS-based) or centralized (LDAP) in nature.
Checks: C-39183r628668_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -&gt; 'Authentication' tab 5. Ensure the list of 'Authentication Providers' contains at least one non-Default Authentication Provider 6. If the Authentication Provider is perimeter-based, ensure the list contains at least one non-Default IdentityAsserter If the list of 'Authentication Providers' does not contain at least one non-Default Authentication Provider, this is a finding. If the Authentication Provider is perimeter-based and the list of 'Authentication Providers' does not contain at least one non-Default IdentityAsserter, this is a finding.

Fix: F-39146r628669_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -> 'Authentication' tab 5. Utilize 'Change Center' to create a new change session 6. Click 'New'. Enter a value in 'Name' field and select a valid authentication provider type (e.g., LDAPAuthenticator) in the 'Type' dropdown. Click 'OK' 7. From the list, select the newly created authentication provider and select the 'Configuration' tab -> 'Provider Specific' tab 8. Set all provider specific values to configure the new authentication provider. Click 'Save' 9. Continuing from step 4, if the new authentication provider is perimeter-based, click 'New'. Enter a value in 'Name' field and select a valid authentication provider type (e.g., SAML2IdentityAsserter) in the 'Type' dropdown. Click 'OK' 10. From the list, select the newly created authentication identity asserter and select the 'Configuration' tab -> 'Provider Specific' tab 11. Set all provider-specific values to configure the new authentication identity asserter. Click 'Save'

c
Oracle WebLogic must authenticate users individually prior to using a group authenticator.
IA-2 - High - CCI-000770 - V-235965 - SV-235965r628673_rule
RMF Control
IA-2
Severity
High
CCI
CCI-000770
Version
WBLC-05-000153
Vuln IDs
  • V-235965
  • V-56279
Rule IDs
  • SV-235965r628673_rule
  • SV-70533
To assure individual accountability and prevent unauthorized access, application server users (and any processes acting on behalf of application server users) must be individually identified and authenticated. A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users. Application servers must ensure that individual users are authenticated prior to authenticating via role or group authentication. This is to ensure that there is non-repudiation for actions taken.
Checks: C-39184r628671_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -&gt; 'Authentication' tab 5. Ensure the list of 'Authentication Providers' contains at least one non-Default Authentication Provider 6. If the Authentication Provider is perimeter-based, ensure the list contains at least one non-Default IdentityAsserter If the list of 'Authentication Providers' does not contain at least one non-Default Authentication Provider, this is a finding. If the Authentication Provider is perimeter-based and the list of 'Authentication Providers' does not contain at least one non-Default IdentityAsserter, this is a finding.

Fix: F-39147r628672_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -> 'Authentication' tab 5. Utilize 'Change Center' to create a new change session 6. Click 'New'. Enter a value in 'Name' field and select a valid authentication provider type (e.g., LDAPAuthenticator) in the 'Type' dropdown. Click 'OK' 7. From the list, select the newly created authentication provider and select the 'Configuration' tab -> 'Provider Specific' tab 8. Set all provider specific values to configure the new authentication provider. Click 'Save' 9. Continuing from step 4, if the new authentication provider is perimeter-based, click 'New'. Enter a value in 'Name' field and select a valid authentication provider type (e.g., SAML2IdentityAsserter) in the 'Type' dropdown. Click 'OK' 10. From the list, select the newly created authentication identity asserter and select the 'Configuration' tab -> 'Provider Specific' tab 11. Set all provider specific values to configure the new authentication identity asserter. Click 'Save'

b
Oracle WebLogic must enforce minimum password length.
IA-5 - Medium - CCI-000205 - V-235966 - SV-235966r628676_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000205
Version
WBLC-05-000160
Vuln IDs
  • V-235966
  • V-56281
Rule IDs
  • SV-235966r628676_rule
  • SV-70535
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one of several factors that helps to determine strength and how long it takes to crack a password. The shorter the password is, the lower the number of possible combinations that need to be tested before the password is compromised. Application servers either provide a local user store, or they integrate with enterprise user stores like LDAP. When the application server provides the user store and enforces authentication, the application server must enforce minimum password length.
Checks: C-39185r628674_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -&gt; 'Password Validation' subtab 5. Select 'SystemPasswordValidator' 6. Select 'Configuration' tab -&gt; 'Provider Specific' subtab 7. Ensure 'Minimum Password Length' field value is set to '15' If the 'Minimum Password Length' field is not set to '15', this is a finding.

Fix: F-39148r628675_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -> 'Password Validation' subtab 5. Select 'SystemPasswordValidator' 6. Select 'Configuration' tab -> 'Provider Specific' subtab 7. Utilize 'Change Center' to create a new change session 8. Set 'Minimum Password Length' field value to '15'. Click 'Save'

b
Oracle WebLogic must enforce password complexity by the number of upper-case characters used.
IA-5 - Medium - CCI-000192 - V-235967 - SV-235967r628679_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000192
Version
WBLC-05-000162
Vuln IDs
  • V-235967
  • V-56283
Rule IDs
  • SV-235967r628679_rule
  • SV-70537
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Use of a complex password helps to increase the time and resources required to compromise the password. Application servers either provide a local user store, or they integrate with enterprise user stores like LDAP. When the application server provides the user store and enforces authentication, the application server must enforce the organization's password complexity requirements, which includes the requirement to use a specific number of upper-case characters.
Checks: C-39186r628677_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -&gt; 'Password Validation' subtab 5. Select 'SystemPasswordValidator' 6. Select 'Configuration' tab -&gt; 'Provider Specific' subtab 7. Ensure 'Minimum Number of Upper Case Characters' field value is set to '1' or higher If the 'Minimum Number of Upper Case Characters' field value is not set to '1' or higher, this is a finding.

Fix: F-39149r628678_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -> 'Password Validation' subtab 5. Select 'SystemPasswordValidator' 6. Select 'Configuration' tab -> 'Provider Specific' subtab 7. Utilize 'Change Center' to create a new change session 8. Set 'Minimum Number of Upper Case Characters' field value to '1' or higher. Click 'Save'

b
Oracle WebLogic must enforce password complexity by the number of lower-case characters used.
IA-5 - Medium - CCI-000193 - V-235968 - SV-235968r628682_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000193
Version
WBLC-05-000163
Vuln IDs
  • V-235968
  • V-56285
Rule IDs
  • SV-235968r628682_rule
  • SV-70539
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Use of a complex password helps to increase the time and resources required to compromise the password. Application servers either provide a local user store, or they integrate with enterprise user stores like LDAP. When the application server provides the user store and enforces authentication, the application server must enforce the organization's password complexity requirements, which include the requirement to use a specific number of lower-case characters.
Checks: C-39187r628680_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -&gt; 'Password Validation' subtab 5. Select 'SystemPasswordValidator' 6. Select 'Configuration' tab -&gt; 'Provider Specific' subtab 7. Ensure 'Minimum Number of Lower Case Characters' field value is set to '1' or higher If the 'Minimum Number of Lower Case Characters' field value is not set to '1' or higher, this is a finding.

Fix: F-39150r628681_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -> 'Password Validation' subtab 5. Select 'SystemPasswordValidator' 6. Select 'Configuration' tab -> 'Provider Specific' subtab 7. Utilize 'Change Center' to create a new change session 8. Set 'Minimum Number of Lower Case Characters' field value to '1' or higher. Click 'Save'

b
Oracle WebLogic must enforce password complexity by the number of numeric characters used.
IA-5 - Medium - CCI-000194 - V-235969 - SV-235969r628685_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000194
Version
WBLC-05-000164
Vuln IDs
  • V-235969
  • V-56287
Rule IDs
  • SV-235969r628685_rule
  • SV-70541
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Use of a complex password helps to increase the time and resources required to compromise the password. Application servers provide either a local user store or they integrate with enterprise user stores like LDAP. When the application server provides the user store and enforces authentication, the application server must enforce the organization's password complexity requirements that include the requirement to use a specific number of numeric characters when passwords are created or changed.
Checks: C-39188r628683_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -&gt; 'Password Validation' subtab 5. Select 'SystemPasswordValidator' 6. Select 'Configuration' tab -&gt; 'Provider Specific' subtab 7. Ensure 'Minimum Number of Numeric Characters' field value is set to '1' or higher If the 'Minimum Number of Numeric Characters' field value is not set to '1' or higher, this is a finding.

Fix: F-39151r628684_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -> 'Password Validation' subtab 5. Select 'SystemPasswordValidator' 6. Select 'Configuration' tab -> 'Provider Specific' subtab 7. Utilize 'Change Center' to create a new change session 8. Set 'Minimum Number of Numeric Characters' field value to '1' or higher. Click 'Save'

b
Oracle WebLogic must enforce password complexity by the number of special characters used.
IA-5 - Medium - CCI-001619 - V-235970 - SV-235970r628688_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-001619
Version
WBLC-05-000165
Vuln IDs
  • V-235970
  • V-56289
Rule IDs
  • SV-235970r628688_rule
  • SV-70543
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Use of a complex password helps to increase the time and resources required to compromise the password. Application servers either provide a local user store, or they integrate with enterprise user stores like LDAP. When the application server provides the user store and enforces authentication, the application server must enforce the organization's password complexity requirements that include the requirement to use a specific number of special characters.
Checks: C-39189r628686_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -&gt; 'Password Validation' subtab 5. Select 'SystemPasswordValidator' 6. Select 'Configuration' tab -&gt; 'Provider Specific' subtab 7. Ensure 'Minimum Number of Non-Alphanumeric Characters' field value is set to '1' or higher If the 'Minimum Number of Non-Alphanumeric Characters' field value is not set to '1' or higher, this is a finding.

Fix: F-39152r628687_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -> 'Password Validation' subtab 5. Select 'SystemPasswordValidator' 6. Select 'Configuration' tab -> 'Provider Specific' subtab 7. Utilize 'Change Center' to create a new change session 8. Set 'Minimum Number of Non-Alphanumeric Characters' field value to '1' or higher. Click 'Save'

c
Oracle WebLogic must encrypt passwords during transmission.
IA-5 - High - CCI-000197 - V-235971 - SV-235971r628691_rule
RMF Control
IA-5
Severity
High
CCI
CCI-000197
Version
WBLC-05-000168
Vuln IDs
  • V-235971
  • V-56291
Rule IDs
  • SV-235971r628691_rule
  • SV-70545
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. Application servers have the capability to utilize either certificates (tokens) or user IDs and passwords in order to authenticate. When the application server transmits or receives passwords, the passwords must be encrypted.
Checks: C-39190r628689_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -&gt; 'Authentication' tab 5. Ensure the list of 'Authentication Providers' contains at least one non-Default Authentication Provider 6. If the Authentication Provider is perimeter-based, ensure the list contains at least one non-Default IdentityAsserter If the list of 'Authentication Providers' does not contain at least one non-Default Authentication Provider, this is a finding. If the Authentication Provider is perimeter-based and the list of 'Authentication Providers' does not contain at least one non-Default IdentityAsserter, this is a finding.

Fix: F-39153r628690_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -> 'Authentication' tab 5. Utilize 'Change Center' to create a new change session 6. Click 'New'. Enter a value in 'Name' field and select a valid authentication provider type (e.g., LDAPAuthenticator) in the 'Type' dropdown. Click 'OK' 7. From the list, select the newly created authentication provider and select the 'Configuration' tab -> 'Provider Specific' tab 8. Set all provider-specific values to configure the new authentication provider. Click 'Save' 9. Continuing from step 4, if the new authentication provider is perimeter-based, click 'New'. Enter a value in 'Name' field and select a valid authentication provider type (e.g., SAML2IdentityAsserter) in the 'Type' dropdown. Click 'OK' 10. From the list, select the newly created authentication identity asserter and select the 'Configuration' tab -> 'Provider Specific' tab 11. Set all provider-specific values to configure the new authentication identity asserter. Click 'Save'

c
Oracle WebLogic must utilize encryption when using LDAP for authentication.
IA-5 - High - CCI-000197 - V-235972 - SV-235972r628694_rule
RMF Control
IA-5
Severity
High
CCI
CCI-000197
Version
WBLC-05-000169
Vuln IDs
  • V-235972
  • V-56293
Rule IDs
  • SV-235972r628694_rule
  • SV-70547
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. Application servers have the capability to utilize LDAP directories for authentication. If LDAP connections are not protected during transmission, sensitive authentication credentials can be stolen. When the application server utilizes LDAP, the LDAP traffic must be encrypted.
Checks: C-39191r628692_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -&gt; 'Monitoring' -&gt; 'Port Usage' 3. In the results table, ensure the 'Protocol' column does not contain the value 'LDAP' (only 'LDAPS') If LDAP is being used and the 'Protocol' column contains the value 'LDAP', this is a finding.

Fix: F-39154r628693_fix

1. Access AC 2. From 'Domain Structure', select 'Environment' -> 'Servers' 3. From the list of servers, select one which is assigned 'LDAP' protocol 4. Utilize 'Change Center' to create a new change session 5. From 'Configuration' tab -> 'General' tab, deselect the 'Listen Port Enabled' checkbox 6. Select the 'SSL Listen Port Enabled checkbox 7. Enter a valid port value in the 'SSL Listen Port' field and click 'Save' 8. Review the 'Port Usage' table in EM again to ensure the 'Protocol' column does not contain the value 'LDAP'

b
Oracle WebLogic, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor.
IA-5 - Medium - CCI-000185 - V-235973 - SV-235973r628697_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000185
Version
WBLC-05-000172
Vuln IDs
  • V-235973
  • V-56295
Rule IDs
  • SV-235973r628697_rule
  • SV-70549
A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes, certificate revocation lists or online certificate status protocol responses.
Checks: C-39192r628695_chk

1. Access AC 2. From 'Domain Structure', select 'Environment' -&gt; 'Servers' 3. From the list of servers, select one which needs check for SSL configuration verification 4. From 'Configuration' tab -&gt; 'General' tab, ensure 'Listen Port Enabled' checkbox is deselected 5. Ensure 'SSL Listen Port Enabled' checkbox is selected and a valid port number is in 'SSL Listen Port' field, e.g., 7002 6. Repeat steps 3-5 for all servers requiring SSL configuration checking If any servers utilizing PKI-based authentication does not have the 'SSL Listen Port Enabled' selected, this is a finding.

Fix: F-39155r628696_fix

1. Obtain an identity (private key and digital certificates) and trust (certificates of trusted certificate authorities) to configure on the server 2. Create Identity keystore and load private key and certificate using ImportPrivateKey java utility, example: $ java utils.ImportPrivateKey -certfile <cert_file> -keyfile <private_key_file> [-keyfilepass <private_key_password>] -keystore <keystore> -storepass <storepass> [-storetype <storetype>] -alias <alias> [-keypass <keypass>] 3. Access AC 4. Utilize 'Change Center' to create a new change session 5. From 'Domain Structure', select 'Environment' -> 'Servers' 6. From the list of servers, select one which needs SSL set up 7. From 'Configuration' tab -> 'General' tab, deselect 'Listen Port Enabled' checkbox 8. Select 'SSL Listen Port Enabled' checkbox and enter a valid port number in 'SSL Listen Port' field, e.g., 7002 9. From 'Configuration' tab -> 'Keystores' tab, click 'Change' button in 'Keystores' section 10. From dropdown, select 'Custom Identity and Java Standard Trust' and click 'Save' 11. Enter the fully qualified path to Identity keystore, from step 2, in 'Custom Identity Keystore' field 12. Enter 'JKS' in the 'Custom Identity Keystore Type' field 13. Enter the Identity keystore password in 'Custom Identity Keystore Passphrase' and 'Confirm Custom Identity Keystore Passphrase' fields 14. Enter the Java Standard Trust keystore (cacerts) password in 'Java Standard Trust Keystore Passphrase' and 'Confirm Java Standard Trust Keystore Passphrase' fields 15. Leave all other fields blank and click 'Save' 16. From 'Configuration' tab -> 'SSL' tab, enter values from step 2 into corresponding fields, as follows: - Enter <alias> into 'Private Key Alias' - Enter <private_key_password> into 'Private Key Passphrase' - Enter <private_key_password> into 'Confirm Private Key Passphrase' 17. Click 'Save', and from 'Change Center' click 'Activate Changes' to enable configuration changes 18. Repeat steps 4-17 for all servers requiring SSL configuration 19. From 'Domain Structure', select 'Environment' -> 'Servers', click 'Control' tab 20. Select checkbox for all servers configured in previous steps and click 'Restart SSL'

b
Oracle WebLogic must map the PKI-based authentication identity to the user account.
IA-5 - Medium - CCI-000187 - V-235974 - SV-235974r628700_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000187
Version
WBLC-05-000174
Vuln IDs
  • V-235974
  • V-56297
Rule IDs
  • SV-235974r628700_rule
  • SV-70551
The cornerstone of the PKI is the private key used to encrypt or digitally sign information. The key by itself is a cryptographic value that does not contain specific user information. Application servers must provide the capability to utilize and meet requirements of the DoD Enterprise PKI infrastructure for application authentication.
Checks: C-39193r628698_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -&gt; 'Authentication' tab 5. Ensure the list of 'Authentication Providers' contains at least one non-Default Authentication Provider 6. If the Authentication Provider is perimeter-based, ensure the list contains at least one non-Default IdentityAsserter If PKI-based authentication is being used and the list of 'Authentication Providers' does not contain at least one non-Default Authentication Provider, this is a finding. If PKI-based authentication is being used and the Authentication Provider is perimeter-based and the list of 'Authentication Providers' does not contain at least one non-Default IdentityAsserter, this is a finding.

Fix: F-39156r628699_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Providers' tab -> 'Authentication' tab 5. Utilize 'Change Center' to create a new change session 6. Click 'New'. Enter a value in 'Name' field and select a valid authentication provider type (e.g., LDAPAuthenticator) in the 'Type' dropdown. Click 'OK' 7. From the list, select the newly created authentication provider and select the 'Configuration' tab -> 'Provider Specific' tab 8. Set all provider specific values to configure the new authentication provider. Click 'Save' 9. Continuing from step 4, if the new authentication provider is perimeter-based, click 'New'. Enter a value in 'Name' field and select a valid authentication provider type (e.g., SAML2IdentityAsserter) in the 'Type' dropdown. Click 'OK' 10. From the list, select the newly created authentication identity asserter and select the 'Configuration' tab -> 'Provider Specific' tab 11. Set all provider specific values to configure the new authentication identity asserter. Click 'Save'

b
Oracle WebLogic must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
IA-7 - Medium - CCI-000803 - V-235975 - SV-235975r628703_rule
RMF Control
IA-7
Severity
Medium
CCI
CCI-000803
Version
WBLC-05-000176
Vuln IDs
  • V-235975
  • V-56299
Rule IDs
  • SV-235975r628703_rule
  • SV-70553
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS 140-2 is the current standard for validating cryptographic modules, and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified hardware-based encryption modules. Application servers must provide FIPS-compliant encryption modules when storing encrypted data and configuration settings.
Checks: C-39194r628701_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -&gt; 'Logs' -&gt; 'View Log Messages' 3. Within the 'Search' panel, expand 'Selected Targets' 4. Click 'Target Log Files' icon for 'AdminServer' target 5. From the list of log files, select 'AdminServer.log' and click 'View Log File' button 6. Within the search criteria, enter the value 'FIPS' for the 'Message contains' field, and select the appropriate 'Start Date' and 'End Date' range. Click 'Search' 7. Check for the following log entry: "Changing the default Random Number Generator in RSA CryptoJ ... to FIPS186PRNG" or "Changing the default Random Number Generator in RSA CryptoJ from ECDRBG128 to HMACDRBG." If either of these log entries are found, this is not a finding. If a log entry cannot be found, navigate to the DOMAIN_HOME directory: 8. View the contents of the appropriate WebLogic server start script: On UNIX operating systems: startWebLogic.sh On Microsoft Windows operating systems: startWebLogic.cmd 9. Ensure the JAVA_OPTIONS variable is set: On UNIX operating systems: JAVA_OPTIONS=" -Djava.security.properties==/&lt;mylocation&gt;/java.security ${JAVA_OPTIONS}" On Microsoft Windows operating systems: set JAVA_OPTIONS= -Djava.security.properties==C:\&lt;mylocation&gt;\java.security %JAVA_OPTIONS% 10. Ensure the &lt;mylocation&gt; path specified above contains a valid java.security file (Refer to section 2.2.4 of the Overview document) 11. Ensure the PRE_CLASSPATH variable is set: On UNIX operating systems: PRE_CLASSPATH="%MW_HOME%\wlserver\server\lib\jcmFIPS.jar;%MW_HOME%\wlserver\server\lib\sslj.jar ${PRE_CLASSPATH}" On Microsoft Windows operating systems: set PRE_CLASSPATH= %MW_HOME%\wlserver\server\lib\jcmFIPS.jar;%MW_HOME%\wlserver\server\lib\sslj.jar;%PRE_CLASSPATH% If the java options are not set correctly, this is a finding.

Fix: F-39157r628702_fix

1. Shut down any running instances of WebLogic server 2. On disk, navigate to the DOMAIN_HOME directory 3. View the contents of the appropriate WebLogic server start script: On UNIX operating systems: startWebLogic.sh On Microsoft Windows operating systems: startWebLogic.cmd 4. Ensure the JAVA_OPTIONS variable is set: On UNIX operating systems: JAVA_OPTIONS=" -Djava.security.properties==/<mylocation>/java.security ${JAVA_OPTIONS}" On Microsoft Windows operating systems: set JAVA_OPTIONS= -Djava.security.properties==C:\<mylocation>\java.security %JAVA_OPTIONS% 5. Ensure the <mylocation> path specified above contains a valid java.security file (Refer to section 2.2.4 of the Overview document) 6. Ensure the PRE_CLASSPATH variable is set: On UNIX operating systems: PRE_CLASSPATH="%MW_HOME%\wlserver\server\lib\jcmFIPS.jar;%MW_HOME%\wlserver\server\lib\sslj.jar ${PRE_CLASSPATH}" On Microsoft Windows operating systems: set PRE_CLASSPATH= %MW_HOME%\wlserver\server\lib\jcmFIPS.jar;%MW_HOME%\wlserver\server\lib\sslj.jar;%PRE_CLASSPATH% 7. Refer to section 2.2.4 of the Overview document

b
Oracle WebLogic must utilize FIPS 140-2 approved encryption modules when authenticating users and processes.
IA-7 - Medium - CCI-000803 - V-235976 - SV-235976r628706_rule
RMF Control
IA-7
Severity
Medium
CCI
CCI-000803
Version
WBLC-05-000177
Vuln IDs
  • V-235976
  • V-56301
Rule IDs
  • SV-235976r628706_rule
  • SV-70555
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS 140-2 is the current standard for validating cryptographic modules, and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified hardware-based encryption modules. Application servers must provide FIPS-compliant encryption modules when authenticating users and processes.
Checks: C-39195r628704_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -&gt; 'Logs' -&gt; 'View Log Messages' 3. Within the 'Search' panel, expand 'Selected Targets' 4. Click 'Target Log Files' icon for 'AdminServer' target 5. From the list of log files, select 'AdminServer.log' and click 'View Log File' button 6. Within the search criteria, enter the value 'FIPS' for the 'Message contains' field, and select the appropriate 'Start Date' and 'End Date' range. Click 'Search' 7. Check for the following log entry: "Changing the default Random Number Generator in RSA CryptoJ ... to FIPS186PRNG" or "Changing the default Random Number Generator in RSA CryptoJ from ECDRBG128 to HMACDRBG." If either of these log entries are found, this is not a finding. If a log entry cannot be found, navigate to the DOMAIN_HOME directory: 8. View the contents of the appropriate WebLogic server start script: On UNIX operating systems: startWebLogic.sh On Microsoft Windows operating systems: startWebLogic.cmd 9. Ensure the JAVA_OPTIONS variable is set: On UNIX operating systems: JAVA_OPTIONS=" -Djava.security.properties==/&lt;mylocation&gt;/java.security ${JAVA_OPTIONS}" On Microsoft Windows operating systems: set JAVA_OPTIONS= -Djava.security.properties==C:\&lt;mylocation&gt;\java.security %JAVA_OPTIONS% 10. Ensure the &lt;mylocation&gt; path specified above contains a valid java.security file (Refer to section 2.2.4 of the Overview document) 11. Ensure the PRE_CLASSPATH variable is set: On UNIX operating systems: PRE_CLASSPATH="%MW_HOME%\wlserver\server\lib\jcmFIPS.jar;%MW_HOME%\wlserver\server\lib\sslj.jar ${PRE_CLASSPATH}" On Microsoft Windows operating systems: set PRE_CLASSPATH= %MW_HOME%\wlserver\server\lib\jcmFIPS.jar;%MW_HOME%\wlserver\server\lib\sslj.jar;%PRE_CLASSPATH% If the java options are not set correctly, this is a finding.

Fix: F-39158r628705_fix

1. Shut down any running instances of WebLogic server 2. On disk, navigate to the DOMAIN_HOME directory 3. View the contents of the appropriate WebLogic server start script: On UNIX operating systems: startWebLogic.sh On Microsoft Windows operating systems: startWebLogic.cmd 4. Ensure the JAVA_OPTIONS variable is set: On UNIX operating systems: JAVA_OPTIONS=" -Djava.security.properties==/<mylocation>/java.security ${JAVA_OPTIONS}" On Microsoft Windows operating systems: set JAVA_OPTIONS= -Djava.security.properties==C:\<mylocation>\java.security %JAVA_OPTIONS% 5. Ensure the <mylocation> path specified above contains a valid java.security file (Refer to section 2.2.4 of the Overview document) 6. Ensure the PRE_CLASSPATH variable is set: On UNIX operating systems: PRE_CLASSPATH="%MW_HOME%\wlserver\server\lib\jcmFIPS.jar;%MW_HOME%\wlserver\server\lib\sslj.jar ${PRE_CLASSPATH}" On Microsoft Windows operating systems: set PRE_CLASSPATH= %MW_HOME%\wlserver\server\lib\jcmFIPS.jar;%MW_HOME%\wlserver\server\lib\sslj.jar;%PRE_CLASSPATH% 7. Refer to section 2.2.4 of the Overview document

b
Oracle WebLogic must employ cryptographic encryption to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications.
SC-8 - Medium - CCI-002421 - V-235977 - SV-235977r628709_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002421
Version
WBLC-06-000190
Vuln IDs
  • V-235977
  • V-56303
Rule IDs
  • SV-235977r628709_rule
  • SV-70557
Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Application servers provide an HTTP-oriented remote management capability that is used for managing the application server as well as uploading and deleting applications that are hosted on the application server. Application servers need to ensure the communication channels used to remotely access the system utilize cryptographic mechanisms such as TLS.
Checks: C-39196r628707_chk

1. Access AC 2. From 'Domain Structure', select 'Environment' -&gt; 'Servers' 3. From the list of servers, select one which needs check for SSL configuration verification 4. From 'Configuration' tab -&gt; 'General' tab, ensure 'Listen Port Enabled' checkbox is deselected 5. Ensure 'SSL Listen Port Enabled' checkbox is selected and a valid port number is in 'SSL Listen Port' field, e.g., 7002 6. Repeat steps 3-5 for all servers requiring SSL configuration checking If any of the servers requiring SSL have the 'Listen Port Enabled' selected or 'SSL Listen Port Enable' not selected, this is a finding.

Fix: F-39159r628708_fix

1. Obtain an identity (private key and digital certificates) and trust (certificates of trusted certificate authorities) to configure on the server 2. Create Identity keystore and load private key and certificate using ImportPrivateKey java utility, example: $ java utils.ImportPrivateKey -certfile <cert_file> -keyfile <private_key_file> [-keyfilepass <private_key_password>] -keystore <keystore> -storepass <storepass> [-storetype <storetype>] -alias <alias> [-keypass <keypass>] 3. Access AC 4. Utilize 'Change Center' to create a new change session 5. From 'Domain Structure', select 'Environment' -> 'Servers' 6. From the list of servers, select one which needs SSL set up 7. From 'Configuration' tab -> 'General' tab, deselect 'Listen Port Enabled' checkbox 8. Select 'SSL Listen Port Enabled' checkbox and enter a valid port number in 'SSL Listen Port' field, e.g., 7002 9. From 'Configuration' tab -> 'Keystores' tab, click 'Change' button in 'Keystores' section 10. From dropdown, select 'Custom Identity and Java Standard Trust' and click 'Save' 11. Enter the fully qualified path to Identity keystore, from step 2, in 'Custom Identity Keystore' field 12. Enter 'JKS' in the 'Custom Identity Keystore Type' field 13. Enter the Identity keystore password in 'Custom Identity Keystore Passphrase' and 'Confirm Custom Identity Keystore Passphrase' fields 14. Enter the Java Standard Trust keystore (cacerts) password in 'Java Standard Trust Keystore Passphrase' and 'Confirm Java Standard Trust Keystore Passphrase' fields 15. Leave all other fields blank and click 'Save' 16. From 'Configuration' tab -> 'SSL' tab, enter values from step 2 into corresponding fields, as follows: - Enter <alias> into 'Private Key Alias' - Enter <private_key_password> into 'Private Key Passphrase' - Enter <private_key_password> into 'Confirm Private Key Passphrase' 17. Click 'Save', and from 'Change Center' click 'Activate Changes' to enable configuration changes 18. Repeat steps 4-17 for all servers requiring SSL configuration 19. From 'Domain Structure', select 'Environment' -> 'Servers', click 'Control' tab 20. Select checkbox for all servers configured in previous steps and click 'Restart SSL'

b
Oracle WebLogic must employ strong identification and authentication techniques when establishing nonlocal maintenance and diagnostic sessions.
MA-4 - Medium - CCI-000877 - V-235978 - SV-235978r628712_rule
RMF Control
MA-4
Severity
Medium
CCI
CCI-000877
Version
WBLC-06-000191
Vuln IDs
  • V-235978
  • V-56305
Rule IDs
  • SV-235978r628712_rule
  • SV-70559
Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Application servers will typically utilize an HTTP interface for providing both local and remote maintenance and diagnostic sessions. In these instances, an acceptable strong identification and authentication technique consists of utilizing two-factor authentication via secured HTTPS connections. If the application server also provides maintenance and diagnostic access via a fat client or other client-based connection, then that client must also utilize two-factor authentication and use FIPS-approved encryption modules for establishing transport connections.
Checks: C-39197r628710_chk

1. Access AC 2. From 'Domain Structure', select 'Environment' -&gt; 'Servers' 3. From the list of servers, select one which needs check for SSL configuration verification 4. From 'Configuration' tab -&gt; 'General' tab, ensure 'Listen Port Enabled' checkbox is deselected 5. Ensure 'SSL Listen Port Enabled' checkbox is selected and a valid port number is in 'SSL Listen Port' field, e.g., 7002 6. Repeat steps 3-5 for all servers requiring SSL configuration checking If any of the servers requiring SSL have the 'Listen Port Enabled' selected or 'SSL Listen Port Enable' not selected, this is a finding.

Fix: F-39160r628711_fix

1. Obtain an identity (private key and digital certificates) and trust (certificates of trusted certificate authorities) to configure on the server 2. Create Identity keystore and load private key and certificate using ImportPrivateKey java utility, example: $ java utils.ImportPrivateKey -certfile <cert_file> -keyfile <private_key_file> [-keyfilepass <private_key_password>] -keystore <keystore> -storepass <storepass> [-storetype <storetype>] -alias <alias> [-keypass <keypass>] 3. Access AC 4. Utilize 'Change Center' to create a new change session 5. From 'Domain Structure', select 'Environment' -> 'Servers' 6. From the list of servers, select one which needs SSL set up 7. From 'Configuration' tab -> 'General' tab, deselect 'Listen Port Enabled' checkbox 8. Select 'SSL Listen Port Enabled' checkbox and enter a valid port number in 'SSL Listen Port' field, e.g., 7002 9. From 'Configuration' tab -> 'Keystores' tab, click 'Change' button in 'Keystores' section 10. From dropdown, select 'Custom Identity and Java Standard Trust' and click 'Save' 11. Enter the fully qualified path to Identity keystore, from step 2, in 'Custom Identity Keystore' field 12. Enter 'JKS' in the 'Custom Identity Keystore Type' field 13. Enter the Identity keystore password in 'Custom Identity Keystore Passphrase' and 'Confirm Custom Identity Keystore Passphrase' fields 14. Enter the Java Standard Trust keystore (cacerts) password in 'Java Standard Trust Keystore Passphrase' and 'Confirm Java Standard Trust Keystore Passphrase' fields 15. Leave all other fields blank and click 'Save' 16. From 'Configuration' tab -> 'SSL' tab, enter values from step 2 into corresponding fields, as follows: - Enter <alias> into 'Private Key Alias' - Enter <private_key_password> into 'Private Key Passphrase' - Enter <private_key_password> into 'Confirm Private Key Passphrase' 17. Click 'Save', and from 'Change Center' click 'Activate Changes' to enable configuration changes 18. Repeat steps 4-17 for all servers requiring SSL configuration 19. From 'Domain Structure', select 'Environment' -> 'Servers', click 'Control' tab 20. Select checkbox for all servers configured in previous steps and click 'Restart SSL'

a
Oracle WebLogic must terminate the network connection associated with a communications session at the end of the session or after a DoD-defined time period of inactivity.
SC-10 - Low - CCI-001133 - V-235979 - SV-235979r628715_rule
RMF Control
SC-10
Severity
Low
CCI
CCI-001133
Version
WBLC-08-000210
Vuln IDs
  • V-235979
  • V-56307
Rule IDs
  • SV-235979r628715_rule
  • SV-70561
If communications sessions remain open for extended periods of time even when unused, there is the potential for an adversary to hijack the session and use it to gain access to the device or networks to which it is attached. Terminating sessions after a certain period of inactivity is a method for mitigating the risk of this vulnerability. The application server must provide a mechanism for timing out or otherwise terminating inactive web sessions.
Checks: C-39198r628713_chk

1. Access AC 2. From 'Domain Structure', select 'Deployments' 3. Sort 'Deployments' table by 'Type' by click the column header 4. Select an 'Enterprise Application' or 'Web Application' to check the session timeout setting 5. Select 'Configuration' tab -&gt; 'Application' tab for deployments of 'Enterprise Application' type Select 'Configuration' tab -&gt; 'General' tab for deployments of 'Web Application' type 6. Ensure 'Session Timeout' field value is set to '900' (seconds) If the 'Session Timeout' field is not set '900', this is a finding.

Fix: F-39161r628714_fix

1. Access AC 2. From 'Domain Structure', select 'Deployments' 3. Sort 'Deployments' table by 'Type' by click the column header 4. Select an 'Enterprise Application' or 'Web Application' to check the session timeout setting 5. Select 'Configuration' tab -> 'Application' tab for deployments of 'Enterprise Application' type Select 'Configuration' tab -> 'General' tab for deployments of 'Web Application' type 6. Utilize 'Change Center' to create a new change session 7. Set value in 'Session Timeout' field value to '900' (seconds). Click 'Save' 8. Repeat steps 4-7 for each 'Enterprise Application' and 'Web Application' deployment

b
Oracle WebLogic must establish a trusted communications path between the user and organization-defined security functions within the information system.
SC-11 - Medium - CCI-001135 - V-235980 - SV-235980r628718_rule
RMF Control
SC-11
Severity
Medium
CCI
CCI-001135
Version
WBLC-08-000211
Vuln IDs
  • V-235980
  • V-56309
Rule IDs
  • SV-235980r628718_rule
  • SV-70563
Without a trusted communication path, the application server is vulnerable to a man-in-the-middle attack. Application server user interfaces are used for management of the application server so the communications path between client and server must be trusted or management of the server may be compromised.
Checks: C-39199r628716_chk

1. Access AC 2. From 'Domain Structure', select 'Environment' -&gt; 'Servers' 3. From the list of servers, select one which needs check for SSL configuration verification 4. From 'Configuration' tab -&gt; 'General' tab, ensure 'Listen Port Enabled' checkbox is deselected 5. Ensure 'SSL Listen Port Enabled' checkbox is selected and a valid port number is in 'SSL Listen Port' field, e.g., 7002 6. Repeat steps 3-5 for all servers requiring SSL configuration checking If any of the servers requiring SSL have the 'Listen Port Enabled' selected or 'SSL Listen Port Enable' not selected, this is a finding.

Fix: F-39162r628717_fix

1. Obtain an identity (private key and digital certificates) and trust (certificates of trusted certificate authorities) to configure on the server 2. Create Identity keystore and load private key and certificate using ImportPrivateKey java utility, example: $ java utils.ImportPrivateKey -certfile <cert_file> -keyfile <private_key_file> [-keyfilepass <private_key_password>] -keystore <keystore> -storepass <storepass> [-storetype <storetype>] -alias <alias> [-keypass <keypass>] 3. Access AC 4. Utilize 'Change Center' to create a new change session 5. From 'Domain Structure', select 'Environment' -> 'Servers' 6. From the list of servers, select one which needs SSL set up 7. From 'Configuration' tab -> 'General' tab, deselect 'Listen Port Enabled' checkbox 8. Select 'SSL Listen Port Enabled' checkbox and enter a valid port number in 'SSL Listen Port' field, e.g., 7002 9. From 'Configuration' tab -> 'Keystores' tab, click 'Change' button in 'Keystores' section 10. From dropdown, select 'Custom Identity and Java Standard Trust' and click 'Save' 11. Enter the fully qualified path to Identity keystore, from step 2, in 'Custom Identity Keystore' field 12. Enter 'JKS' in the 'Custom Identity Keystore Type' field 13. Enter the Identity keystore password in 'Custom Identity Keystore Passphrase' and 'Confirm Custom Identity Keystore Passphrase' fields 14. Enter the Java Standard Trust keystore (cacerts) password in 'Java Standard Trust Keystore Passphrase' and 'Confirm Java Standard Trust Keystore Passphrase' fields 15. Leave all other fields blank and click 'Save' 16. From 'Configuration' tab -> 'SSL' tab, enter values from step 2 into corresponding fields, as follows: - Enter <alias> into 'Private Key Alias' - Enter <privae_key_password> into 'Private Key Passphrase' - Enter <private_key_password> into 'Confirm Private Key Passphrase' 17. Click 'Save', and from 'Change Center' click 'Activate Changes' to enable configuration changes 18. Repeat steps 4-17 for all servers requiring SSL configuration 19. From 'Domain Structure', select 'Environment' -> 'Servers', click 'Control' tab 20. Select checkbox for all servers configured in previous steps and click 'Restart SSL'

b
Oracle WebLogic must utilize NSA-approved cryptography when protecting classified compartmentalized data.
CM-6 - Medium - CCI-000366 - V-235981 - SV-235981r628721_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WBLC-08-000214
Vuln IDs
  • V-235981
  • V-56313
Rule IDs
  • SV-235981r628721_rule
  • SV-70567
Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. Encryption modules/algorithms are the mathematical procedures used for encrypting data. NSA has developed Type 1 algorithms for protecting classified information. The Committee on National Security Systems (CNSS) National Information Assurance Glossary (CNSS Instruction No. 4009) defines Type 1 products as: "Cryptographic equipment, assembly or component classified or certified by NSA for encrypting and decrypting classified and sensitive national security information when appropriately keyed. Developed using established NSA business processes and containing NSA-approved algorithms. Used to protect systems requiring the most stringent protection mechanisms." Although persons may have a security clearance, they may not have a "need to know" and are required to be separated from the information in question. The application server must employ NSA-approved cryptography to protect classified information from those individuals who have no "need to know" or when encryption of compartmentalized data is required by data classification.
Checks: C-39200r628719_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -&gt; 'Logs' -&gt; 'View Log Messages' 3. Within the 'Search' panel, expand 'Selected Targets' 4. Click 'Target Log Files' icon for 'AdminServer' target 5. From the list of log files, select 'AdminServer.log' and click 'View Log File' button 6. Within the search criteria, enter the value 'FIPS' for the 'Message contains' field, and select the appropriate 'Start Date' and 'End Date' range. Click 'Search' 7. Check for the following log entry: "Changing the default Random Number Generator in RSA CryptoJ ... to FIPS186PRNG" or "Changing the default Random Number Generator in RSA CryptoJ from ECDRBG128 to HMACDRBG." If either of these log entries are found, this is not a finding. If a log entry cannot be found, navigate to the DOMAIN_HOME directory: 8. View the contents of the appropriate WebLogic server start script: On UNIX operating systems: startWebLogic.sh On Microsoft Windows operating systems: startWebLogic.cmd 9. Ensure the JAVA_OPTIONS variable is set: On UNIX operating systems: JAVA_OPTIONS=" -Djava.security.properties==/&lt;mylocation&gt;/java.security ${JAVA_OPTIONS}" On Microsoft Windows operating systems: set JAVA_OPTIONS= -Djava.security.properties==C:\&lt;mylocation&gt;\java.security %JAVA_OPTIONS% 10. Ensure the &lt;mylocation&gt; path specified above contains a valid java.security file (Refer to section 2.2.4 of the Overview document) 11. Ensure the PRE_CLASSPATH variable is set: On UNIX operating systems: PRE_CLASSPATH="%MW_HOME%\wlserver\server\lib\jcmFIPS.jar;%MW_HOME%\wlserver\server\lib\sslj.jar ${PRE_CLASSPATH}" On Microsoft Windows operating systems: set PRE_CLASSPATH= %MW_HOME%\wlserver\server\lib\jcmFIPS.jar;%MW_HOME%\wlserver\server\lib\sslj.jar;%PRE_CLASSPATH% If the java options are not set correctly, this is a finding.

Fix: F-39163r628720_fix

1. Shut down any running instances of WebLogic server 2. On disk, navigate to the DOMAIN_HOME directory 3. View the contents of the appropriate WebLogic server start script: On UNIX operating systems: startWebLogic.sh On Microsoft Windows operating systems: startWebLogic.cmd 4. Ensure the JAVA_OPTIONS variable is set: On UNIX operating systems: JAVA_OPTIONS=" -Djava.security.properties==/<mylocation>/java.security ${JAVA_OPTIONS}" On Microsoft Windows operating systems: set JAVA_OPTIONS= -Djava.security.properties==C:\<mylocation>\java.security %JAVA_OPTIONS% 5. Ensure the <mylocation> path specified above contains a valid java.security file (Refer to section 2.2.4 of the Overview document) 6. Ensure the PRE_CLASSPATH variable is set: On UNIX operating systems: PRE_CLASSPATH="%MW_HOME%\wlserver\server\lib\jcmFIPS.jar;%MW_HOME%\wlserver\server\lib\sslj.jar ${PRE_CLASSPATH}" On Microsoft Windows operating systems: set PRE_CLASSPATH= %MW_HOME%\wlserver\server\lib\jcmFIPS.jar;%MW_HOME%\wlserver\server\lib\sslj.jar;%PRE_CLASSPATH% 7. Refer to section 2.2.4 of the Overview document

b
Oracle WebLogic must protect the integrity and availability of publicly available information and applications.
SC-5 - Medium - CCI-002385 - V-235982 - SV-235982r628724_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
WBLC-08-000218
Vuln IDs
  • V-235982
  • V-56315
Rule IDs
  • SV-235982r628724_rule
  • SV-70569
The purpose of this control is to ensure organizations explicitly address the protection needs for public information and applications, with such protection likely being implemented as part of other security controls. Application servers must protect the integrity of publicly available information.
Checks: C-39201r628722_chk

1. Access AC 2. From 'Domain Structure', select 'Deployments' 3. Select a deployed component which contains publicly available information and/or applications 4. Select 'Targets' tab 5. Ensure one or more of the selected targets for this deployment is a cluster of managed servers If the information requires clustering of managed server and the managed servers are not clustered, this is a finding.

Fix: F-39164r628723_fix

1. Access AC 2. From 'Domain Structure', select 'Deployments' 3. Select a deployed component which contains publicly available information and/or applications 4. Utilize 'Change Center' to create a new change session 5. Select 'Targets' tab 6. Select one or more clusters of managed servers as a target for this deployment. Click 'Save'.

b
Oracle WebLogic must separate hosted application functionality from Oracle WebLogic management functionality.
SC-2 - Medium - CCI-001082 - V-235983 - SV-235983r628727_rule
RMF Control
SC-2
Severity
Medium
CCI
CCI-001082
Version
WBLC-08-000222
Vuln IDs
  • V-235983
  • V-56317
Rule IDs
  • SV-235983r628727_rule
  • SV-70571
Application server management functionality includes functions necessary to administer the application server and requires privileged access via one of the accounts assigned to a management role. The separation of application server administration functionality from hosted application functionality is either physical or logical and is accomplished by using different computers, different central processing units, different instances of the operating system, network addresses, network ports, or combinations of these methods, as appropriate.
Checks: C-39202r628725_chk

1. Access AC 2. From 'Domain Structure', select 'Environment' -&gt; 'Servers' 3. A single server in the list will be named 'Admin Server' and this is the server which hosts AS management functionality, such as the AdminConsole application 4. All remaining servers in the list are 'Managed Servers' and these are the individual or clustered servers which will host the actual applications 5. Ensure no applications are deployed on the Admin server, rather, only on the Managed servers If any applications are deployed on the Admin server, this is a finding.

Fix: F-39165r628726_fix

1. Access AC 2. From 'Domain Structure', select 'Environment' -> 'Servers' 3. A single server in the list will be named 'Admin Server' and this is the server which hosts AS management functionality, such as the AdminConsole application 4. All remaining servers in the list are 'Managed Servers' and these are the individual or clustered servers which will host the actual applications 5. Utilize 'Change Center' to create a new change session 6. Undeploy all applications that are not used for AS management from the Admin server, and redeploy onto the Managed servers 7. This can be done from 'Deployments' tab -> 'Targets' tab; select each application which must be redeployed , deselect 'Admin Server' and select one or more of the Managed servers 8. Click 'Save' and restart servers if necessary

b
Oracle WebLogic must ensure authentication of both client and server during the entire session.
SC-23 - Medium - CCI-001184 - V-235984 - SV-235984r628730_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-001184
Version
WBLC-08-000223
Vuln IDs
  • V-235984
  • V-56321
Rule IDs
  • SV-235984r628730_rule
  • SV-70575
This control focuses on communications protection at the session, versus packet level. At the application layer, session IDs are tokens generated by web applications to uniquely identify an application user's session. Web applications utilize session tokens or session IDs in order to establish application user identity. Proper use of session IDs addresses man-in-the-middle attacks, including session hijacking or insertion of false information into a session. Application servers must provide the capability to perform mutual authentication. Mutual authentication is when both the client and the server authenticate each other.
Checks: C-39203r628728_chk

1. Access AC 2. From 'Domain Structure', select 'Environment' -&gt; 'Servers' 3. From the list of servers, select one which needs check for Mutual Authentication configuration verification 4. From 'Configuration' tab -&gt; 'General' tab, ensure 'Listen Port Enabled' checkbox is deselected 5. Ensure 'SSL Listen Port Enabled' checkbox is selected and a valid port number is in 'SSL Listen Port' field, e.g., 7002 6. From 'Configuration' tab -&gt; 'SSL' tab, click 'Advanced' link 7. Ensure 'Two Way Client Cert Behavior' field value is set to 'Client Certs Requested And Enforced' 8. Repeat steps 3-7 for all servers requiring Mutual Authentication configuration checking If any servers requiring Mutual Authentication do not have the 'SSL Listen Port Enabled' checkbox selected or the 'Two Way Client Cert Behavior' field value set to 'Client Certs Requested And Enforced', this is a finding.

Fix: F-39166r628729_fix

1. Obtain the certificate(s) for the trusted certificate authority that signed the certificates for the client(s) 2. Access EM 3. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Security' -> 'Keystore' 4. Locate the desired keystore in which to load the client certificate(s), select and click 'Manage' button 5. From 'Manage Certificates' page, click 'Import' 6. Complete 'Certificate Type', 'Alias' and 'Certificate Source' fields and click 'OK'. Ensure the imported certificate(s) appears in the list. 7. Access AC 8. Utilize 'Change Center' to create a new change session 9. From 'Domain Structure', select 'Environment' -> 'Servers' 10. From the list of servers, select one which needs Mutual Authentication set up 11. From 'Configuration' tab -> 'SSL' tab, click 'Advanced' link 12. Set 'Two Way Client Cert Behavior' field value is set to 'Client Certs Requested And Enforced' 13. Repeat steps 7-12 for all servers requiring SSL configuration 14. From 'Domain Structure', select 'Environment' -> 'Servers', click 'Control' tab 15. Select checkbox for all servers configured in previous steps and click 'Restart SSL'

b
Oracle WebLogic must terminate user sessions upon user logout or any other organization- or policy-defined session termination events such as idle time limit exceeded.
SC-23 - Medium - CCI-001185 - V-235985 - SV-235985r628733_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-001185
Version
WBLC-08-000224
Vuln IDs
  • V-235985
  • V-56323
Rule IDs
  • SV-235985r628733_rule
  • SV-70577
If communications sessions remain open for extended periods of time even when unused, there is the potential for an adversary to hijack the session and use it to gain access to the device or networks to which it is attached. Terminating sessions after a logout event or after a certain period of inactivity is a method for mitigating the risk of this vulnerability. When a user management session becomes idle, or when a user logs out of the management interface, the application server must terminate the session.
Checks: C-39204r628731_chk

1. Access AC 2. From 'Domain Structure', select 'Deployments' 3. Sort 'Deployments' table by 'Type' by click the column header 4. Select an 'Enterprise Application' or 'Web Application' to check the session timeout setting 5. Select 'Configuration' tab -&gt; 'Application' tab for deployments of 'Enterprise Application' type Select 'Configuration' tab -&gt; 'General' tab for deployments of 'Web Application' type 6. Ensure 'Session Timeout' field value is set to organization- or policy-defined session idle time limit If the 'Session Timeout' field value is not set to an organization- or policy-defined session idle time limit, this is a finding.

Fix: F-39167r628732_fix

1. Access AC 2. From 'Domain Structure', select 'Deployments' 3. Sort 'Deployments' table by 'Type' by click the column header 4. Select an 'Enterprise Application' or 'Web Application' to check the session timeout setting 5. Select 'Configuration' tab -> 'Application' tab for deployments of 'Enterprise Application' type Select 'Configuration' tab -> 'General' tab for deployments of 'Web Application' type 6. Utilize 'Change Center' to create a new change session 7. Set value in 'Session Timeout' field value to organization- or policy-defined session idle time limit. Click 'Save' 8. Repeat steps 4-7 for each 'Enterprise Application' and 'Web Application' deployment

b
Oracle WebLogic must be configured to perform complete application deployments.
SC-24 - Medium - CCI-001190 - V-235986 - SV-235986r628736_rule
RMF Control
SC-24
Severity
Medium
CCI
CCI-001190
Version
WBLC-08-000229
Vuln IDs
  • V-235986
  • V-56327
Rule IDs
  • SV-235986r628736_rule
  • SV-70581
Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. When an application is deployed to the application server, if the deployment process does not complete properly and without errors, there is the potential that some application files may not be deployed or may be corrupted and an application error may occur during runtime. The application server must be able to perform complete application deployments. A partial deployment can leave the server in an inconsistent state. Application servers may provide a transaction rollback function to address this issue.
Checks: C-39205r628734_chk

1. Access AC 2. From 'Domain Structure', select the top-level domain 3. Select 'Configuration' tab -&gt; 'General' tab 4. Ensure 'Production Mode' checkbox is selected If the 'Production Mode' checkbox is not selected, this is a finding.

Fix: F-39168r628735_fix

1. Access AC 2. From 'Domain Structure', select the top-level domain 3. Select 'Configuration' tab -> 'General' tab 4. Check 'Production Mode' checkbox. Click 'Save' 5. Restart all servers

b
Oracle WebLogic must protect the confidentiality of applications and leverage transmission protection mechanisms, such as TLS and SSL VPN, when deploying applications.
SC-8 - Medium - CCI-002421 - V-235987 - SV-235987r628739_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002421
Version
WBLC-08-000231
Vuln IDs
  • V-235987
  • V-56329
Rule IDs
  • SV-235987r628739_rule
  • SV-70583
Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPSEC tunnel. If the application server does not protect the application files that are created before and during the application deployment process, there is a risk that the application could be compromised prior to deployment.
Checks: C-39206r628737_chk

1. Access AC 2. From 'Domain Structure', select 'Environment' -&gt; 'Servers' 3. From the list of servers, select the AdminServer 4. From 'Configuration' tab -&gt; 'General' tab, ensure 'Listen Port Enabled' checkbox is deselected 5. Ensure 'SSL Listen Port Enabled' checkbox is selected and a valid port number is in 'SSL Listen Port' field, e.g., 7002 If the field 'SSL Listen Port Enabled' is not selected or 'Listen Port Enabled' is selected, this is a finding.

Fix: F-39169r628738_fix

1. Obtain an identity (private key and digital certificates) and trust (certificates of trusted certificate authorities) to configure on the server 2. Create Identity keystore and load private key and certificate using ImportPrivateKey java utility, example: $ java utils.ImportPrivateKey -certfile <cert_file> -keyfile <private_key_file> [-keyfilepass <private_key_password>] -keystore <keystore> -storepass <storepass> [-storetype <storetype>] -alias <alias> [-keypass <keypass>] 3. Access AC 4. Utilize 'Change Center' to create a new change session 5. From 'Domain Structure', select 'Environment' -> 'Servers' 6. From the list of servers, select one which needs SSL set up 7. From 'Configuration' tab -> 'General' tab, deselect 'Listen Port Enabled' checkbox 8. Select 'SSL Listen Port Enabled' checkbox and enter a valid port number in 'SSL Listen Port' field, e.g., 7002 9. From 'Configuration' tab -> 'Keystores' tab, click 'Change' button in 'Keystores' section 10. From dropdown, select 'Custom Identity and Java Standard Trust' and click 'Save' 11. Enter the fully qualified path to Identity keystore, from step 2, in 'Custom Identity Keystore' field 12. Enter 'JKS' in the 'Custom Identity Keystore Type' field 13. Enter the Identity keystore password in 'Custom Identity Keystore Passphrase' and 'Confirm Custom Identity Keystore Passphrase' fields 14. Enter the Java Standard Trust keystore (cacerts) password in 'Java Standard Trust Keystore Passphrase' and 'Confirm Java Standard Trust Keystore Passphrase' fields 15. Leave all other fields blank and click 'Save' 16. From 'Configuration' tab -> 'SSL' tab, enter values from step 2 into corresponding fields, as follows: - Enter <alias> into 'Private Key Alias' - Enter <private_key_password> into 'Private Key Passphrase' - Enter <private_key_password> into 'Confirm Private Key Passphrase' 17. Click 'Save', and from 'Change Center' click 'Activate Changes' to enable configuration changes 18. Repeat steps 4-17 for all servers requiring SSL configuration 19. From 'Domain Structure', select 'Environment' -> 'Servers', click 'Control' tab 20. Select checkbox for all servers configured in previous steps and click 'Restart SSL'

a
Oracle WebLogic must protect the integrity of applications during the processes of data aggregation, packaging, and transformation in preparation for deployment.
SC-8 - Low - CCI-002420 - V-235988 - SV-235988r628742_rule
RMF Control
SC-8
Severity
Low
CCI
CCI-002420
Version
WBLC-08-000235
Vuln IDs
  • V-235988
  • V-56333
Rule IDs
  • SV-235988r628742_rule
  • SV-70587
Information can be subjected to unauthorized changes (e.g., malicious and/or unintentional modification) at information aggregation or protocol transformation points. It is therefore imperative the application take steps to validate and assure the integrity of data while at these stages of processing. The application server must ensure the integrity of data that is pending transfer for deployment is maintained. If the application were to simply transmit aggregated, packaged, or transformed data without ensuring the data was not manipulated during these processes, then the integrity of the data and the application itself may be called into question.
Checks: C-39207r628740_chk

1. Access AC 2. From 'Domain Structure', select the top-level domain 3. Select 'Configuration' tab -&gt; 'General' tab 4. Ensure 'Production Mode' checkbox is selected If the 'Production Mode' checkbox is not selected, this is a finding.

Fix: F-39170r628741_fix

1. Access AC 2. From 'Domain Structure', select the top-level domain 3. Select 'Configuration' tab -> 'General' tab 4. Check 'Production Mode' checkbox. Click 'Save' 5. Restart all servers

b
Oracle WebLogic must protect against or limit the effects of HTTP types of Denial of Service (DoS) attacks.
SC-5 - Medium - CCI-002385 - V-235989 - SV-235989r628745_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
WBLC-08-000236
Vuln IDs
  • V-235989
  • V-56337
Rule IDs
  • SV-235989r628745_rule
  • SV-70591
Employing increased capacity and bandwidth combined with service redundancy can reduce the susceptibility to some DoS attacks. When utilizing an application server in a high risk environment (such as a DMZ), the amount of access to the system from various sources usually increases, as does the system's risk of becoming more susceptible to DoS attacks. The application server must be able to be configured to withstand or minimize the risk of DoS attacks. This can be partially achieved if the application server provides configuration options that limit the number of allowed concurrent HTTP connections.
Checks: C-39208r628743_chk

1. Access AC 2. From 'Domain Structure', select 'Deployments' 3. Sort 'Deployments' table by 'Type' by click the column header 4. Select an 'Enterprise Application' or 'Web Application' to check the session timeout setting 5. Select 'Configuration' tab -&gt; 'Application' tab for deployments of 'Enterprise Application' type Select 'Configuration' tab -&gt; 'General' tab for deployments of 'Web Application' type 6. Ensure 'Maximum in-memory Session' field value is set to an integer value at or lower than an acceptable maximum number of HTTP sessions If a value is not set in the 'Maximum in-memory Session' field for all deployments, this is a finding.

Fix: F-39171r628744_fix

1. Access AC 2. From 'Domain Structure', select 'Deployments' 3. Sort 'Deployments' table by 'Type' by click the column header 4. Select an 'Enterprise Application' or 'Web Application' to check the session timeout setting 5. Select 'Configuration' tab -> 'Application' tab for deployments of 'Enterprise Application' type Select 'Configuration' tab -> 'General' tab for deployments of 'Web Application' type 6. Utilize 'Change Center' to create a new change session 7. Set value in 'Maximum in-memory Session' field value to an integer value at or lower than an acceptable maximum number of HTTP sessions. Click 'Save' 8. Repeat steps 4-7 for each 'Enterprise Application' and 'Web Application' deployment

b
Oracle WebLogic must limit the use of resources by priority and not impede the host from servicing processes designated as a higher-priority.
SC-5 - Medium - CCI-002385 - V-235990 - SV-235990r628748_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
WBLC-08-000237
Vuln IDs
  • V-235990
  • V-56341
Rule IDs
  • SV-235990r628748_rule
  • SV-70595
Priority protection helps the application server prevent a lower-priority application process from delaying or interfering with any higher-priority application processes. If the application server is not capable of managing application resource requests, the application server could become overwhelmed by a high volume of low-priority resource requests which can cause an availability issue. This requirement only applies to Mission Assurance Category 1 systems and does not apply to information systems with a Mission Assurance Category of 2 or 3.
Checks: C-39209r628746_chk

1. Access AC 2. From 'Domain Structure', select 'Environment' -&gt; 'Work Managers' 3. Existing Work Managers will appear in the list If Work Managers are not created to allow prioritization of resources, this is a finding.

Fix: F-39172r628747_fix

1. Access AC 2. From 'Domain Structure', select 'Environment' -> 'Work Managers' 3. Utilize 'Change Center' to create a new change session 4. Click 'New', select 'Work Manager' radio option, click 'Next' 5. Type a unique name, click 'Next', select server(s) which to apply this work manager to, click 'Finish' 6. Select newly created work manager from table to configure 7. Set thread and capacity constraints for this work manager, target the server(s) to apply these constraints to, click 'Save' 8. Deploy applications requiring prioritization to the server(s) selected as target of the work manager in order to apply the priority conditions specified by the work manager to deployed applications

b
Oracle WebLogic must fail securely in the event of an operational failure.
SC-7 - Medium - CCI-001126 - V-235991 - SV-235991r628751_rule
RMF Control
SC-7
Severity
Medium
CCI
CCI-001126
Version
WBLC-08-000238
Vuln IDs
  • V-235991
  • V-56343
Rule IDs
  • SV-235991r628751_rule
  • SV-70597
Fail secure is a condition achieved by the application server in order to ensure that in the event of an operational failure, the system does not enter into an unsecure state where intended security properties no longer hold. An example of secure failure is when an application server is configured for secure LDAP (LDAPS) authentication. If the application server fails to make a successful LDAPS connection it does not try to use unencrypted LDAP instead.
Checks: C-39210r628749_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -&gt; 'Monitoring' -&gt; 'Port Usage' 3. In the results table, ensure values in the 'Protocol' column each end with 's' (secure) If the protocols are not secure, this is a finding.

Fix: F-39173r628750_fix

1. Access AC 2. From 'Domain Structure', select 'Environment' -> 'Servers' 3. From the list of servers, select one which is assigned a protocol which does not end in 's' (secure) 4. Utilize 'Change Center' to create a new change session 5. From 'Configuration' tab -> 'General' tab, deselect the 'Listen Port Enabled' checkbox 6. Select the 'SSL Listen Port Enabled checkbox 7. Enter a valid port value in the 'SSL Listen Port' field and click 'Save' 8. Review the 'Port Usage' table in EM again to ensure all values in the 'Protocol' column end with 's' (secure)

b
Oracle WebLogic must employ approved cryptographic mechanisms when transmitting sensitive data.
SC-8 - Medium - CCI-002421 - V-235992 - SV-235992r628754_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002421
Version
WBLC-08-000239
Vuln IDs
  • V-235992
  • V-56347
Rule IDs
  • SV-235992r628754_rule
  • SV-70601
Preventing the disclosure of transmitted information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPSEC tunnel. If data in transit is unencrypted, it is vulnerable to disclosure. If approved cryptographic algorithms are not used, encryption strength cannot be assured. The application server must utilize approved encryption when transmitting sensitive data.
Checks: C-39211r628752_chk

1. Access AC 2. From 'Domain Structure', select 'Environment' -&gt; 'Servers' 3. From the list of servers, select one which needs check for SSL configuration verification 4. From 'Configuration' tab -&gt; 'General' tab, ensure 'Listen Port Enabled' checkbox is deselected 5. Ensure 'SSL Listen Port Enabled' checkbox is selected and a valid port number is in 'SSL Listen Port' field, e.g., 7002 6. Repeat steps 3-5 for all servers requiring SSL configuration checking If any of the servers requiring cryptographic mechanisms does not have 'SSL List Port Enabled', this is a finding.

Fix: F-39174r628753_fix

1. Obtain an identity (private key and digital certificates) and trust (certificates of trusted certificate authorities) to configure on the server 2. Create Identity keystore and load private key and certificate using ImportPrivateKey java utility, example: $ java utils.ImportPrivateKey -certfile <cert_file> -keyfile <private_key_file> [-keyfilepass <private_key_password>] -keystore <keystore> -storepass <storepass> [-storetype <storetype>] -alias <alias> [-keypass <keypass>] 3. Access AC 4. Utilize 'Change Center' to create a new change session 5. From 'Domain Structure', select 'Environment' -> 'Servers' 6. From the list of servers, select one which needs SSL set up 7. From 'Configuration' tab -> 'General' tab, deselect 'Listen Port Enabled' checkbox 8. Select 'SSL Listen Port Enabled' checkbox and enter a valid port number in 'SSL Listen Port' field, e.g., 7002 9. From 'Configuration' tab -> 'Keystores' tab, click 'Change' button in 'Keystores' section 10. From dropdown, select 'Custom Identity and Java Standard Trust' and click 'Save' 11. Enter the fully qualified path to Identity keystore, from step 2, in 'Custom Identity Keystore' field 12. Enter 'JKS' in the 'Custom Identity Keystore Type' field 13. Enter the Identity keystore password in 'Custom Identity Keystore Passphrase' and 'Confirm Custom Identity Keystore Passphrase' fields 14. Enter the Java Standard Trust keystore (cacerts) password in 'Java Standard Trust Keystore Passphrase' and 'Confirm Java Standard Trust Keystore Passphrase' fields 15. Leave all other fields blank and click 'Save' 16. From 'Configuration' tab -> 'SSL' tab, enter values from step 2 into corresponding fields, as follows: - Enter <alias> into 'Private Key Alias' - Enter <private_key_password> into 'Private Key Passphrase' - Enter <private_key_password> into 'Confirm Private Key Passphrase' 17. Click 'Save', and from 'Change Center' click 'Activate Changes' to enable configuration changes 18. Repeat steps 4-17 for all servers requiring SSL configuration 19. From 'Domain Structure', select 'Environment' -> 'Servers', click 'Control' tab 20. Select checkbox for all servers configured in previous steps and click 'Restart SSL'

a
Oracle WebLogic must identify potentially security-relevant error conditions.
SI-11 - Low - CCI-001312 - V-235993 - SV-235993r628757_rule
RMF Control
SI-11
Severity
Low
CCI
CCI-001312
Version
WBLC-09-000252
Vuln IDs
  • V-235993
  • V-56351
Rule IDs
  • SV-235993r628757_rule
  • SV-70605
The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the application server is able to identify and handle error conditions is guided by organizational policy and operational requirements. Adequate logging levels and system performance capabilities need to be balanced with data protection requirements. Application servers must have the capability to log at various levels which can provide log entries for potential security-related error events. An example is the capability for the application server to assign a criticality level to a failed login attempt error message, a security-related error message being of a higher criticality.
Checks: C-39212r628755_chk

1. Access EM 2. Expand the domain from the navigation tree, and select the AdminServer 3. Use the dropdown to select 'WebLogic Server' -&gt; 'Logs' -&gt; 'Log Configuration' 4. Select the 'Log Levels' tab, and within the table, expand 'Root Logger' node 5. Log levels for system-related events can be set here 6. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -&gt; 'Security' -&gt; 'Audit Policy' 7. Select 'Oracle Platform Security Services' from the 'Audit Component Name' dropdown 8. Log levels for security-related events can be set here If security-related events are not set properly, this is a finding.

Fix: F-39175r628756_fix

1. Access EM 2. Expand the domain from the navigation tree, and select the AdminServer 3. Use the dropdown to select 'WebLogic Server' -> 'Logs' -> 'Log Configuration' 4. Select the 'Log Levels' tab, and within the table, expand 'Root Logger' node 5. Log levels for system-related events can be set here 6. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Security' -> 'Audit Policy' 7. Select 'Oracle Platform Security Services' from the 'Audit Component Name' dropdown 8. Log levels for security-related events can be set here

b
Oracle WebLogic must only generate error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages.
SI-11 - Medium - CCI-001312 - V-235994 - SV-235994r628760_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
WBLC-09-000253
Vuln IDs
  • V-235994
  • V-56377
Rule IDs
  • SV-235994r628760_rule
  • SV-70631
Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and content of error messages needs to be carefully considered by the organization and development team. The application server must not log sensitive information such as passwords, private keys, or other sensitive data. This requirement pertains to logs that are generated by the application server and application server processes, not the applications that may reside on the application server. Those errors are out of the scope of these requirements.
Checks: C-39213r628758_chk

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -&gt; 'Logs' -&gt; 'View Log Messages' 3. Within the search criteria, click 'Add Fields' button 4. Notice the list of available fields do not contain sensitive data If sensitive or potentially harmful information, such as passwords, private keys or other sensitive data, is part of the error logs or administrative messages, this is a finding.

Fix: F-39176r628759_fix

1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Logs' -> 'View Log Messages' 3. Within the search criteria, click 'Add Fields' button 4. Notice the list of available fields do not contain sensitive data

b
Oracle WebLogic must restrict error messages so only authorized personnel may view them.
SI-11 - Medium - CCI-001314 - V-235995 - SV-235995r628763_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001314
Version
WBLC-09-000254
Vuln IDs
  • V-235995
  • V-56379
Rule IDs
  • SV-235995r628763_rule
  • SV-70633
If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Application servers must protect the error messages that are created by the application server. All application server users' accounts are used for the management of the server and the applications residing on the application server. All accounts are assigned to a certain role with corresponding access rights. The application server must restrict access to error messages so only authorized personnel may view them. Error messages are usually written to logs contained on the file system. The application server will usually create new log files as needed and must take steps to ensure that the proper file permissions are utilized when the log files are created.
Checks: C-39214r628761_chk

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Users and Groups' tab -&gt; 'Users' tab 5. From 'Users' table, select a user that must not have access to view error messages 6. From users settings page, select 'Groups' tab 7. Ensure the 'Chosen' table does not contain any of the following roles - 'Admin', 'Deployer', 'Monitor', 'Operator' 8. Repeat steps 5-7 for all users that must not have access to view error messages If any user that should not be able to view error messages has the roles of 'Admin', 'Deployer', 'Monitor' or 'Operator', this is a finding.

Fix: F-39177r628762_fix

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Users and Groups' tab -> 'Users' tab 5. From 'Users' table, select a user that must not have access to view error messages 6. From users settings page, select 'Groups' tab 7. From the 'Chosen' table, use the shuttle buttons to remove all of the following roles - 'Admin', 'Deployer', 'Monitor', 'Operator' 8. Click 'Save' 9. Repeat steps 5-8 for all users that must not have access to view error messages

b
Oracle WebLogic must provide system notifications to a list of response personnel who are identified by name and/or role.
AU-5 - Medium - CCI-000139 - V-235996 - SV-235996r628766_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-000139
Version
WBLC-09-000257
Vuln IDs
  • V-235996
  • V-56381
Rule IDs
  • SV-235996r628766_rule
  • SV-70635
Incident response applications are, by their nature, designed to monitor, detect, and alarm on defined events occurring on the system or on the network. A large part of their functionality is the accurate and timely notification of events. Application servers can act as a resource for incident responders by providing information and notifications needed for support personnel to respond to application server incidents. Notifications can be made more efficient by the utilization of groups containing the members who would be responding to a particular alarm or event.
Checks: C-39215r628764_chk

1. Access AC 2. From 'Domain Structure', select 'Diagnostics' -&gt; 'Diagnostic Modules' 3. Select 'Module-HealthState' from 'Diagnostic System Modules' list 4. Select 'Configuration' tab -&gt; 'Watches and Notifications' tab. Select the 'Watches' tab from the bottom of page 5. Ensure 'ServerHealthWatch' row has 'Enabled' column value set to 'true' 6. Select 'Configuration' tab -&gt; 'Watches and Notifications' tab. Select the 'Notifications' tab from the bottom of page 7. Ensure 'ServerHealthNotification' row has 'Enable Notification' column value set to 'true' If 'ServerHealthNotification' is set to false, this is a finding.

Fix: F-39178r628765_fix

1. Access AC 2. Utilize 'Change Center' to create a new change session 3. From 'Domain Structure', select 'Diagnostics' -> 'Diagnostic Modules' 4. If 'Module-HealthState' does not exist, click 'New' button. Enter 'Module-HealthState' in 'Name' field and click 'OK' button 5. Select 'Module-HealthState' from 'Diagnostic System Modules' list 6. Select 'Configuration' tab -> 'Watches and Notifications' tab. Select the 'Watches' tab from the bottom of page 7. Click 'New' button. Set the following values in the fields as shown: 'Watch Name' = 'ServerHealthWatch' 'Watch Type' = 'Collected Metrics' 'Enable Watch' = selected 8. Click 'Next' 9. Click 'Add Expressions' 10. Set 'MBean Server location' dropdown value to 'ServerRuntime'. Click 'Next' 11. Set 'MBean Type' dropdown value to 'weblogic.management.runtime.ServerRuntimeMBean'. Click 'Next' 12. Set 'Instance' dropdown value to a WebLogic Server instance to be monitored. Click 'Next' 13. Select 'Enter an Attribute Expression' radio button, enter following value in 'Attribute Expression' field: HealthState.State 14. Set 'Operator' dropdown value to '>='. Set 'Value' field to '3'. Click 'Finish' 15. Repeat steps 9-14 for all WebLogic Server instances to be monitored. Click 'Finish' 16. Continuing from step 6 above, select the 'Notifications' tab from the bottom of page 17. Click 'New' button. Set 'Type' dropdown value to 'SMTP (E-Mail)'. Click 'Next'. Set the following values in the fields as shown: 'Notification Name' = 'ServerHealthNotification' 'Enable Notification' = selected 18. Click 'Next' 19. Select an existing 'Mail Session Name', or click 'Create a New Mail Session' button to create one (JNDI name and Java mail settings must be known) 20. In 'E-Mail Recipients' text area, add list of administrator email addresses, and customize 'E-Mail Subject' and 'E-Mail Body' fields as needed. Click 'Finish' 21. Return to the 'Watches' tab from the bottom of page. Select 'ServerHealthWatch'. Select 'Notifications' tab 22. Use shuttle list to set 'ServerHealthNotification' into the 'Chosen' table. Click 'Save'

b
Oracle WebLogic must be integrated with a tool to monitor audit subsystem failure notification information that is sent out (e.g., the recipients of the message and the nature of the failure).
CM-6 - Medium - CCI-000366 - V-235997 - SV-235997r628769_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WBLC-10-000270
Vuln IDs
  • V-235997
  • V-56383
Rule IDs
  • SV-235997r628769_rule
  • SV-70637
It is critical that, when a system is at risk of failing to process audit logs, it detects and takes action to mitigate the failure. As part of the mitigation, the system must send a notification to designated individuals that auditing is failing, log the notification message and the individuals who received the notification. When the system is not capable of notification and notification logging, an external software package, such as Oracle Diagnostic Framework, must be used.
Checks: C-39216r628767_chk

Review the configuration of Oracle WebLogic to determine if a tool, such as Oracle Diagnostic Framework, is in place to monitor audit subsystem failure notification information that is sent out. If a tool is not in place to monitor audit subsystem failure notification information that is sent, this is a finding.

Fix: F-39179r628768_fix

Install a tool, such as Oracle Diagnostics Framework, to monitor audit subsystem failure notification information.

b
Oracle WebLogic must be managed through a centralized enterprise tool.
CM-6 - Medium - CCI-000366 - V-235998 - SV-235998r628772_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WBLC-10-000271
Vuln IDs
  • V-235998
  • V-56385
Rule IDs
  • SV-235998r628772_rule
  • SV-70639
The application server can host multiple applications which require different functions to operate successfully but many of the functions are capabilities that are needed for all the hosted applications and should be managed through a common interface. Examples of enterprise wide functions are automated rollback of changes, failover and patching. These functions are often outside the domain of the application server and so the application server must be integrated with a tool, such as Oracle Enterprise Manager, which is specific built to handle these requirements.
Checks: C-39217r628770_chk

Review the Oracle WebLogic configuration to determine if a tool, such as Oracle Enterprise Manager, is in place to centrally manage enterprise functionality needed for Oracle WebLogic. If a tool is not in place to centrally manage enterprise functionality, this is a finding.

Fix: F-39180r628771_fix

Install a tool such as Oracle Enterprise Manager, to handle enterprise functionality such as automated failover, rollback and patching of Oracle WebLogic.

b
Oracle WebLogic must be integrated with a tool to implement multi-factor user authentication.
CM-6 - Medium - CCI-000366 - V-235999 - SV-235999r628775_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
WBLC-10-000272
Vuln IDs
  • V-235999
  • V-56387
Rule IDs
  • SV-235999r628775_rule
  • SV-70641
Multifactor authentication is defined as: using two or more factors to achieve authentication. Factors include: (i) something a user knows (e.g., password/PIN); (ii) something a user has (e.g., cryptographic identification device, token); or (iii) something a user is (e.g., biometric). A CAC meets this definition. Implementing a tool, such as Oracle Access Manager, will implement multi-factor authentication to the application server and tie the authenticated user to a user account (i.e. roles and privileges) assigned to the authenticated user.
Checks: C-39218r628773_chk

Review the WebLogic configuration to determine if a tool, such as Oracle Access Manager, is in place to implement multi-factor authentication for the users. If a tool is not in place to implement multi-factor authentication, this is a finding.

Fix: F-39181r628774_fix

Install a tool, such as Oracle Access Manager, to handle multi-factor authentication of users.