UCF STIG Viewer Logo

Oracle WebLogic must enforce password complexity by the number of numeric characters used.


Overview

Finding ID Version Rule ID IA Controls Severity
V-235969 WBLC-05-000164 SV-235969r628685_rule Medium
Description
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Use of a complex password helps to increase the time and resources required to compromise the password. Application servers provide either a local user store or they integrate with enterprise user stores like LDAP. When the application server provides the user store and enforces authentication, the application server must enforce the organization's password complexity requirements that include the requirement to use a specific number of numeric characters when passwords are created or changed.
STIG Date
Oracle WebLogic Server 12c Security Technical Implementation Guide 2021-03-18

Details

Check Text ( C-39188r628683_chk )
1. Access AC
2. From 'Domain Structure', select 'Security Realms'
3. Select realm to configure (default is 'myrealm')
4. Select 'Providers' tab -> 'Password Validation' subtab
5. Select 'SystemPasswordValidator'
6. Select 'Configuration' tab -> 'Provider Specific' subtab
7. Ensure 'Minimum Number of Numeric Characters' field value is set to '1' or higher

If the 'Minimum Number of Numeric Characters' field value is not set to '1' or higher, this is a finding.
Fix Text (F-39151r628684_fix)
1. Access AC
2. From 'Domain Structure', select 'Security Realms'
3. Select realm to configure (default is 'myrealm')
4. Select 'Providers' tab -> 'Password Validation' subtab
5. Select 'SystemPasswordValidator'
6. Select 'Configuration' tab -> 'Provider Specific' subtab
7. Utilize 'Change Center' to create a new change session
8. Set 'Minimum Number of Numeric Characters' field value to '1' or higher. Click 'Save'