Oracle WebLogic Server 12c Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
Rule: Oracle WebLogic must utilize encryption when using LDAP for authentication.
Severity: High
Discussion: Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. Application servers have the capability to utilize LDAP directorie...

Group: SRG-APP-000175-AS-000124
Rule: Oracle WebLogic, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor.
Severity: Medium
Discussion: A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. When t...

Group: SRG-APP-000177-AS-000126
Rule: Oracle WebLogic must map the PKI-based authentication identity to the user account.
Severity: Medium
Discussion: The cornerstone of the PKI is the private key used to encrypt or digitally sign information. The key by itself is a cryptographic value that does not contain specific user information. Applicatio...

Group: SRG-APP-000179-AS-000129
Rule: Oracle WebLogic must utilize FIPS 140-2 approved encryption modules when authenticating users and processes.
Severity: Medium
Discussion: Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and D...

Group: SRG-APP-000440-AS-000167
Rule: Oracle WebLogic must employ cryptographic encryption to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications.
Severity: Medium
Discussion: Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network....

Group: SRG-APP-000149-AS-000102

Group: SRG-APP-000295-AS-000263
Rule: Oracle WebLogic must terminate the network connection associated with a communications session at the end of the session or after a DoD-defined time period of inactivity.
Severity: Low
Discussion: If communications sessions remain open for extended periods of time even when unused, there is the potential for an adversary to hijack the session and use it to gain access to the device or netwo...

Group: SRG-APP-000440-AS-000167

Group: SRG-APP-000435-AS-000069
Rule: Oracle WebLogic must protect the integrity and availability of publicly available information and applications.
Severity: Medium
Discussion: The purpose of this control is to ensure organizations explicitly address the protection needs for public information and applications, with such protection likely being implemented as part of oth...

Group: SRG-APP-000211-AS-000146

Group: SRG-APP-000219-AS-000147
Rule: Oracle WebLogic must ensure authentication of both client and server during the entire session.
Severity: Medium
Discussion: This control focuses on communications protection at the session, versus packet level. At the application layer, session IDs are tokens generated by web applications to uniquely identify an appli...

Group: SRG-APP-000220-AS-000148
Rule: Oracle WebLogic must terminate user sessions upon user logout or any other organization- or policy-defined session termination events such as idle time limit exceeded.
Severity: Medium
Discussion: If communications sessions remain open for extended periods of time even when unused, there is the potential for an adversary to hijack the session and use it to gain access to the device or netwo...

Group: SRG-APP-000225-AS-000153

Group: SRG-APP-000440-AS-000167
Rule: Oracle WebLogic must protect the confidentiality of applications and leverage transmission protection mechanisms, such as TLS and SSL VPN, when deploying applications.
Severity: Medium
Discussion: Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission....

Group: SRG-APP-000435-AS-000069
Rule: Oracle WebLogic must protect the integrity of applications during the processes of data aggregation, packaging, and transformation in preparation for deployment.
Severity: Low
Discussion: Information can be subjected to unauthorized changes (e.g., malicious and/or unintentional modification) at information aggregation or protocol transformation points. It is therefore imperative the...

Group: SRG-APP-000435-AS-000163
Rule: Oracle WebLogic must protect against or limit the effects of HTTP types of Denial of Service (DoS) attacks.
Severity: Medium
Discussion: Employing increased capacity and bandwidth combined with service redundancy can reduce the susceptibility to some DoS attacks. When utilizing an application server in a high risk environment (such ...

Group: SRG-APP-000435-AS-000163
Rule: Oracle WebLogic must limit the use of resources by priority and not impede the host from servicing processes designated as a higher-priority.
Severity: Medium
Discussion: Priority protection helps the application server prevent a lower-priority application process from delaying or interfering with any higher-priority application processes. If the application server ...

Group: SRG-APP-000225-AS-000166

Group: SRG-APP-000440-AS-000167

Group: SRG-APP-000266-AS-000168
Rule: Oracle WebLogic must identify potentially security-relevant error conditions.
Severity: Low
Discussion: The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the application server is able to identify and handle error...

Group: SRG-APP-000266-AS-000169

Group: SRG-APP-000267-AS-000170
Rule: Oracle WebLogic must restrict error messages so only authorized personnel may view them.
Severity: Medium
Discussion: If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be caref...

Group: SRG-APP-000108-AS-000067
Rule: Oracle WebLogic must provide system notifications to a list of response personnel who are identified by name and/or role.
Severity: Medium
Discussion: Incident response applications are, by their nature, designed to monitor, detect, and alarm on defined events occurring on the system or on the network. A large part of their functionality is the a...

Group: SRG-APP-000516-AS-000237
Rule: Oracle WebLogic must be managed through a centralized enterprise tool.
Severity: Medium
Discussion: The application server can host multiple applications which require different functions to operate successfully but many of the functions are capabilities that are needed for all the hosted applica...

Group: SRG-APP-000516-AS-000237
Rule: Oracle WebLogic must be integrated with a tool to implement multi-factor user authentication.
Severity: Medium
Discussion: Multifactor authentication is defined as: using two or more factors to achieve authentication. Factors include: (i) something a user knows (e.g., password/PIN); (ii) something a user has (e.g.,...