
Oracle WebLogic Server 12c Security Technical Implementation Guide


Overview

Date: 2021-03-18
Finding Count: 72 (CAT I (High): 4, CAT II (Med): 49, CAT III (Low): 19)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Findings (MAC I - Mission Critical Classified)

Finding ID Severity Title
V-235964 High Oracle WebLogic must uniquely identify and authenticate users (or processes acting on behalf of users).
V-235965 High Oracle WebLogic must authenticate users individually prior to using a group authenticator.
V-235971 High Oracle WebLogic must encrypt passwords during transmission.
V-235972 High Oracle WebLogic must utilize encryption when using LDAP for authentication.
V-235997 Medium Oracle WebLogic must be integrated with a tool to monitor audit subsystem failure notification information that is sent out (e.g., the recipients of the message and the nature of the failure).
V-235996 Medium Oracle WebLogic must provide system notifications to a list of response personnel who are identified by name and/or role.
V-235995 Medium Oracle WebLogic must restrict error messages so only authorized personnel may view them.
V-235994 Medium Oracle WebLogic must only generate error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages.
V-235992 Medium Oracle WebLogic must employ approved cryptographic mechanisms when transmitting sensitive data.
V-235991 Medium Oracle WebLogic must fail securely in the event of an operational failure.
V-235990 Medium Oracle WebLogic must limit the use of resources by priority and not impede the host from servicing processes designated as a higher-priority.
V-235939 Medium Oracle WebLogic must protect against an individual falsely denying having performed a particular action.
V-235935 Medium Oracle WebLogic must provide access logging that ensures users who are granted a privileged role (or roles) have their privileged activity logged.
V-235999 Medium Oracle WebLogic must be integrated with a tool to implement multi-factor user authentication.
V-235998 Medium Oracle WebLogic must be managed through a centralized enterprise tool.
V-235938 Medium Oracle WebLogic must automatically lock accounts when the maximum number of unsuccessful login attempts is exceeded for an organization-defined time period or until the account is unlocked by an administrator.
V-235958 Medium Oracle WebLogic must protect audit tools from unauthorized modification.
V-235966 Medium Oracle WebLogic must enforce minimum password length.
V-235928 Medium Oracle WebLogic must utilize cryptography to protect the confidentiality of remote access management sessions.
V-235929 Medium Oracle WebLogic must use cryptography to protect the integrity of the remote access session.
V-235967 Medium Oracle WebLogic must enforce password complexity by the number of upper-case characters used.
V-235962 Medium Oracle WebLogic must prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services.
V-235968 Medium Oracle WebLogic must enforce password complexity by the number of lower-case characters used.
V-235984 Medium Oracle WebLogic must ensure authentication of both client and server during the entire session.
V-235985 Medium Oracle WebLogic must terminate user sessions upon user logout or any other organization- or policy-defined session termination events such as idle time limit exceeded.
V-235986 Medium Oracle WebLogic must be configured to perform complete application deployments.
V-235987 Medium Oracle WebLogic must protect the confidentiality of applications and leverage transmission protection mechanisms, such as TLS and SSL VPN, when deploying applications.
V-235980 Medium Oracle WebLogic must establish a trusted communications path between the user and organization-defined security functions within the information system.
V-235981 Medium Oracle WebLogic must utilize NSA-approved cryptography when protecting classified compartmentalized data.
V-235982 Medium Oracle WebLogic must protect the integrity and availability of publicly available information and applications.
V-235960 Medium Oracle WebLogic must limit privileges to change the software resident within software libraries (including privileged programs).
V-235961 Medium Oracle WebLogic must adhere to the principles of least functionality by providing only essential capabilities.
V-235989 Medium Oracle WebLogic must protect against or limit the effects of HTTP types of Denial of Service (DoS) attacks.
V-235983 Medium Oracle WebLogic must separate hosted application functionality from Oracle WebLogic management functionality.
V-235949 Medium Oracle WebLogic must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event.
V-235934 Medium Oracle WebLogic must automatically audit account modification.
V-235978 Medium Oracle WebLogic must employ strong identification and authentication techniques when establishing nonlocal maintenance and diagnostic sessions.
V-235937 Medium Oracle WebLogic must enforce the organization-defined time period during which the limit of consecutive invalid access attempts by a user is counted.
V-235936 Medium Oracle WebLogic must limit the number of failed login attempts to an organization-defined number of consecutive invalid attempts that occur within an organization-defined time period.
V-235931 Medium Oracle WebLogic must ensure remote sessions for accessing security functions and security-relevant information are audited.
V-235930 Medium Oracle WebLogic must employ automated mechanisms to facilitate the monitoring and control of remote access methods.
V-235933 Medium Oracle WebLogic must automatically audit account creation.
V-235932 Medium Oracle WebLogic must support the capability to disable network protocols deemed by the organization to be non-secure except for explicitly identified components in support of specific operational requirements.
V-235970 Medium Oracle WebLogic must enforce password complexity by the number of special characters used.
V-235973 Medium Oracle WebLogic, when utilizing PKI-based authentication, must validate certificates by constructing a certification path with status information to an accepted trust anchor.
V-235975 Medium Oracle WebLogic must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when encrypting stored data.
V-235974 Medium Oracle WebLogic must map the PKI-based authentication identity to the user account.
V-235977 Medium Oracle WebLogic must employ cryptographic encryption to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications.
V-235976 Medium Oracle WebLogic must utilize FIPS 140-2 approved encryption modules when authenticating users and processes.
V-235950 Medium Oracle WebLogic must provide the ability to write specified audit record content to an audit log server.
V-235957 Medium Oracle WebLogic must protect audit tools from unauthorized access.
V-235959 Medium Oracle WebLogic must protect audit tools from unauthorized deletion.
V-235969 Medium Oracle WebLogic must enforce password complexity by the number of numeric characters used.
V-235993 Low Oracle WebLogic must identify potentially security-relevant error conditions.
V-235941 Low Oracle WebLogic must generate audit records for the DoD-selected list of auditable events.
V-235942 Low Oracle WebLogic must produce process events and severity levels to establish what type of HTTPD-related events and severity levels occurred.
V-235940 Low Oracle WebLogic must compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within an organization-defined level of tolerance.
V-235945 Low Oracle WebLogic must produce audit records containing sufficient information to establish when (date and time) the events occurred.
V-235946 Low Oracle WebLogic must produce audit records containing sufficient information to establish where the events occurred.
V-235947 Low Oracle WebLogic must produce audit records containing sufficient information to establish the sources of the events.
V-235948 Low Oracle WebLogic must produce audit records that contain sufficient information to establish the outcome (success or failure) of application server and application events.
V-235944 Low Oracle WebLogic must produce process events and security levels to establish what type of Oracle WebLogic process events and severity levels occurred.
V-235963 Low Oracle WebLogic must utilize automated mechanisms to prevent program execution on the information system.
V-235943 Low Oracle WebLogic must produce audit records containing sufficient information to establish what type of JVM-related events and severity levels occurred.
V-235988 Low Oracle WebLogic must protect the integrity of applications during the processes of data aggregation, packaging, and transformation in preparation for deployment.
V-235979 Low Oracle WebLogic must terminate the network connection associated with a communications session at the end of the session or after a DoD-defined time period of inactivity.
V-235953 Low Oracle WebLogic must notify administrative personnel as a group in the event of audit processing failure.
V-235952 Low Oracle WebLogic must alert designated individual organizational officials in the event of an audit processing failure.
V-235951 Low Oracle WebLogic must provide a real-time alert when organization-defined audit failure events occur.
V-235956 Low Oracle WebLogic must protect audit information from any type of unauthorized read access.
V-235955 Low Oracle WebLogic must synchronize with internal information system clocks which, in turn, are synchronized on an organization-defined frequency with an organization-defined authoritative time source.
V-235954 Low Oracle WebLogic must use internal system clocks to generate time stamps for audit records.