The AuthenticationEnabled property of the Node Manager configured to support OHS must be configured to enforce authentication.
An XCCDF Rule
Description
<VulnDiscussion>Oracle Node Manager is the utility that is used to perform common operational tasks for OHS. To accept connections from the WebLogic Scripting Tool, the Node Manager can be setup to authenticate the connections or not. If connections are not authenticated, a hacker could connect to the Node Manager and initiate commands to OHS to gain further access, cause a DoS, or view protected information. To protect against unauthenticated connections, the "AuthenticationEnabled" directive must be set to "true".</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-221420r879887_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
1. Open $DOMAIN_HOME/nodemanager/nodemanager.properties with an editor.
2. Search for the "AuthenticationEnabled" property.
3. Set the "AuthenticationEnabled" property "True", add the property if it does not exist.