Oracle WebLogic must limit privileges to change the software resident within software libraries (including privileged programs).

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-235960	WBLC-03-000125	SV-235960r628658_rule		Medium

Description
Application servers have the ability to specify that the hosted applications utilize shared libraries. The application server must have a capability to divide roles based upon duties wherein one project user (such as a developer) cannot modify the shared library code of another project user. The application server must also be able to specify that non-privileged users cannot modify any shared library code at all.

Description

Application servers have the ability to specify that the hosted applications utilize shared libraries. The application server must have a capability to divide roles based upon duties wherein one project user (such as a developer) cannot modify the shared library code of another project user. The application server must also be able to specify that non-privileged users cannot modify any shared library code at all.

STIG	Date
Oracle WebLogic Server 12c Security Technical Implementation Guide	2021-03-18

Details

Check Text ( C-39179r628656_chk )
1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Users and Groups' tab -> 'Users' tab 5. From 'Users' table, select a user that must not have shared library modification access 6. From users settings page, select 'Groups' tab 7. Ensure the 'Chosen' table does not contain the roles - 'Admin', 'Deployer' 8. Repeat steps 5-7 for all users that must not have shared library modification access If any users that are not permitted to change the software resident within software libraries (including privileged programs) have the role of 'Admin' or 'Deployer', this is a finding.

Check Text ( C-39179r628656_chk )

1. Access AC
2. From 'Domain Structure', select 'Security Realms'
3. Select realm to configure (default is 'myrealm')
4. Select 'Users and Groups' tab -> 'Users' tab
5. From 'Users' table, select a user that must not have shared library modification access
6. From users settings page, select 'Groups' tab
7. Ensure the 'Chosen' table does not contain the roles - 'Admin', 'Deployer'
8. Repeat steps 5-7 for all users that must not have shared library modification access

If any users that are not permitted to change the software resident within software libraries (including privileged programs) have the role of 'Admin' or 'Deployer', this is a finding.

Fix Text (F-39142r628657_fix)
1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Users and Groups' tab -> 'Users' tab 5. From 'Users' table, select a user that must not have shared library modification access 6. From users settings page, select 'Groups' tab 7. From the 'Chosen' table, use the shuttle buttons to remove the role - 'Admin', 'Deployer' 8. Click 'Save' 9. Repeat steps 5-8 for all users that must not have shared library modification access

Fix Text (F-39142r628657_fix)

1. Access AC
2. From 'Domain Structure', select 'Security Realms'
3. Select realm to configure (default is 'myrealm')
4. Select 'Users and Groups' tab -> 'Users' tab
5. From 'Users' table, select a user that must not have shared library modification access
6. From users settings page, select 'Groups' tab
7. From the 'Chosen' table, use the shuttle buttons to remove the role - 'Admin', 'Deployer'
8. Click 'Save'
9. Repeat steps 5-8 for all users that must not have shared library modification access