UCF STIG Viewer Logo

Oracle WebLogic must limit privileges to change the software resident within software libraries (including privileged programs).


Overview

Finding ID Version Rule ID IA Controls Severity
V-235960 WBLC-03-000125 SV-235960r628658_rule Medium
Description
Application servers have the ability to specify that the hosted applications utilize shared libraries. The application server must have a capability to divide roles based upon duties wherein one project user (such as a developer) cannot modify the shared library code of another project user. The application server must also be able to specify that non-privileged users cannot modify any shared library code at all.
STIG Date
Oracle WebLogic Server 12c Security Technical Implementation Guide 2021-03-18

Details

Check Text ( C-39179r628656_chk )
1. Access AC
2. From 'Domain Structure', select 'Security Realms'
3. Select realm to configure (default is 'myrealm')
4. Select 'Users and Groups' tab -> 'Users' tab
5. From 'Users' table, select a user that must not have shared library modification access
6. From users settings page, select 'Groups' tab
7. Ensure the 'Chosen' table does not contain the roles - 'Admin', 'Deployer'
8. Repeat steps 5-7 for all users that must not have shared library modification access

If any users that are not permitted to change the software resident within software libraries (including privileged programs) have the role of 'Admin' or 'Deployer', this is a finding.
Fix Text (F-39142r628657_fix)
1. Access AC
2. From 'Domain Structure', select 'Security Realms'
3. Select realm to configure (default is 'myrealm')
4. Select 'Users and Groups' tab -> 'Users' tab
5. From 'Users' table, select a user that must not have shared library modification access
6. From users settings page, select 'Groups' tab
7. From the 'Chosen' table, use the shuttle buttons to remove the role - 'Admin', 'Deployer'
8. Click 'Save'
9. Repeat steps 5-8 for all users that must not have shared library modification access