UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Oracle WebLogic Server 12c Security Technical Implementation Guide



Findings (MAC I - Mission Critical Sensitive)

Finding ID Severity Title
V-56277 High Oracle WebLogic must uniquely identify and authenticate users (or processes acting on behalf of users).
V-56291 High Oracle WebLogic must encrypt passwords during transmission.
V-56293 High Oracle WebLogic must utilize encryption when using LDAP for authentication.
V-56279 High Oracle WebLogic must authenticate users individually prior to using a group authenticator.
V-56223 Medium Oracle WebLogic must enforce the organization-defined time period during which the limit of consecutive invalid access attempts by a user is counted.
V-56315 Medium Oracle WebLogic must protect the integrity and availability of publicly available information and applications.
V-56377 Medium Oracle WebLogic must only generate error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages.
V-56379 Medium Oracle WebLogic must restrict error messages so only authorized personnel may view them.
V-56271 Medium Oracle WebLogic must adhere to the principles of least functionality by providing only essential capabilities.
V-56249 Medium Oracle WebLogic must provide the ability to write specified audit record content to an audit log server.
V-56219 Medium Oracle WebLogic must provide access logging that ensures users who are granted a privileged role (or roles) have their privileged activity logged.
V-56337 Medium Oracle WebLogic must protect against or limit the effects of HTTP types of Denial of Service (DoS) attacks.
V-56215 Medium Oracle WebLogic must automatically audit account creation.
V-56313 Medium Oracle WebLogic must utilize NSA-approved cryptography when protecting classified compartmentalized data.
V-56217 Medium Oracle WebLogic must automatically audit account modification.
V-56211 Medium Oracle WebLogic must ensure remote sessions for accessing security functions and security-relevant information are audited.
V-56317 Medium Oracle WebLogic must separate hosted application functionality from Oracle WebLogic management functionality.
V-56213 Medium Oracle WebLogic must support the capability to disable network protocols deemed by the organization to be non-secure except for explicitly identified components in support of specific operational requirements.
V-56295 Medium Oracle WebLogic, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor.
V-56297 Medium Oracle WebLogic must map the PKI-based authentication identity to the user account.
V-56299 Medium Oracle WebLogic must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
V-56269 Medium Oracle WebLogic must limit privileges to change the software resident within software libraries (including privileged programs).
V-56305 Medium Oracle WebLogic must employ strong identification and authentication techniques when establishing nonlocal maintenance and diagnostic sessions.
V-56247 Medium Oracle WebLogic must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event.
V-56303 Medium Oracle WebLogic must employ cryptographic encryption to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications.
V-56301 Medium Oracle WebLogic must utilize FIPS 140-2 approved encryption modules when authenticating users and processes.
V-56265 Medium Oracle WebLogic must protect audit tools from unauthorized modification.
V-56343 Medium Oracle WebLogic must fail securely in the event of an operational failure.
V-56267 Medium Oracle WebLogic must protect audit tools from unauthorized deletion.
V-56341 Medium Oracle WebLogic must limit the use of resources by priority and not impede the host from servicing processes designated as a higher-priority.
V-56347 Medium Oracle WebLogic must employ approved cryptographic mechanisms when transmitting sensitive data.
V-56263 Medium Oracle WebLogic must protect audit tools from unauthorized access.
V-56309 Medium Oracle WebLogic must establish a trusted communications path between the user and organization-defined security functions within the information system.
V-56329 Medium Oracle WebLogic must protect the confidentiality of applications and leverage transmission protection mechanisms, such as TLS and SSL VPN, when deploying applications.
V-56209 Medium Oracle WebLogic must employ automated mechanisms to facilitate the monitoring and control of remote access methods.
V-56207 Medium Oracle WebLogic must use cryptography to protect the integrity of the remote access session.
V-56205 Medium Oracle WebLogic must utilize cryptography to protect the confidentiality of remote access management sessions.
V-56327 Medium Oracle WebLogic must be configured to perform complete application deployments.
V-56225 Medium Oracle WebLogic must automatically lock accounts when the maximum number of unsuccessful login attempts is exceeded for an organization-defined time period or until the account is unlocked by an administrator.
V-56321 Medium Oracle WebLogic must ensure authentication of both client and server during the entire session.
V-56227 Medium Oracle WebLogic must protect against an individual falsely denying having performed a particular action.
V-56323 Medium Oracle WebLogic must terminate user sessions upon user logout or any other organization- or policy-defined session termination events such as idle time limit exceeded.
V-56287 Medium Oracle WebLogic must enforce password complexity by the number of numeric characters used.
V-56221 Medium Oracle WebLogic must limit the number of failed login attempts to an organization-defined number of consecutive invalid attempts that occur within an organization-defined time period.
V-56285 Medium Oracle WebLogic must enforce password complexity by the number of lower-case characters used.
V-56283 Medium Oracle WebLogic must enforce password complexity by the number of upper-case characters used.
V-56281 Medium Oracle WebLogic must enforce minimum password length.
V-56273 Medium Oracle WebLogic must prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services.
V-56387 Medium Oracle WebLogic must be integrated with a tool to implement multi-factor user authentication.
V-56385 Medium Oracle WebLogic must be managed through a centralized enterprise tool.
V-56383 Medium Oracle WebLogic must be integrated with a tool to monitor audit subsystem failure notification information that is sent out (e.g., the recipients of the message and the nature of the failure).
V-56289 Medium Oracle WebLogic must enforce password complexity by the number of special characters used.
V-56381 Medium Oracle WebLogic must provide system notifications to a list of response personnel who are identified by name and/or role.
V-56257 Low Oracle WebLogic must use internal system clocks to generate time stamps for audit records.
V-56237 Low Oracle WebLogic must produce process events and security levels to establish what type of Oracle WebLogic process events and severity levels occurred.
V-56235 Low Oracle WebLogic must produce audit records containing sufficient information to establish what type of JVM-related events and severity levels occurred.
V-56233 Low Oracle WebLogic must produce process events and severity levels to establish what type of HTTPD-related events and severity levels occurred.
V-56231 Low Oracle WebLogic must generate audit records for the DoD-selected list of auditable events.
V-56259 Low Oracle WebLogic must synchronize with internal information system clocks which, in turn, are synchronized on an organization-defined frequency with an organization-defined authoritative time source.
V-56351 Low Oracle WebLogic must identify potentially security-relevant error conditions.
V-56239 Low Oracle WebLogic must produce audit records containing sufficient information to establish when (date and time) the events occurred.
V-56253 Low Oracle WebLogic must alert designated individual organizational officials in the event of an audit processing failure.
V-56333 Low Oracle WebLogic must protect the integrity of applications during the processes of data aggregation, packaging, and transformation in preparation for deployment.
V-56255 Low Oracle WebLogic must notify administrative personnel as a group in the event of audit processing failure.
V-56275 Low Oracle WebLogic must utilize automated mechanisms to prevent program execution on the information system.
V-56243 Low Oracle WebLogic must produce audit records containing sufficient information to establish the sources of the events.
V-56307 Low Oracle WebLogic must terminate the network connection associated with a communications session at the end of the session or after a DoD-defined time period of inactivity.
V-56241 Low Oracle WebLogic must produce audit records containing sufficient information to establish where the events occurred.
V-56245 Low Oracle WebLogic must produce audit records that contain sufficient information to establish the outcome (success or failure) of application server and application events.
V-56261 Low Oracle WebLogic must protect audit information from any type of unauthorized read access.
V-56229 Low Oracle WebLogic must compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within an organization-defined level of tolerance.
V-56251 Low Oracle WebLogic must provide a real-time alert when organization-defined audit failure events occur.