UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Oracle WebLogic must protect against or limit the effects of HTTP types of Denial of Service (DoS) attacks.


Overview

Finding ID Version Rule ID IA Controls Severity
V-235989 WBLC-08-000236 SV-235989r628745_rule Medium
Description
Employing increased capacity and bandwidth combined with service redundancy can reduce the susceptibility to some DoS attacks. When utilizing an application server in a high risk environment (such as a DMZ), the amount of access to the system from various sources usually increases, as does the system's risk of becoming more susceptible to DoS attacks. The application server must be able to be configured to withstand or minimize the risk of DoS attacks. This can be partially achieved if the application server provides configuration options that limit the number of allowed concurrent HTTP connections.
STIG Date
Oracle WebLogic Server 12c Security Technical Implementation Guide 2021-03-18

Details

Check Text ( C-39208r628743_chk )
1. Access AC
2. From 'Domain Structure', select 'Deployments'
3. Sort 'Deployments' table by 'Type' by click the column header
4. Select an 'Enterprise Application' or 'Web Application' to check the session timeout setting
5. Select 'Configuration' tab -> 'Application' tab for deployments of 'Enterprise Application' type
Select 'Configuration' tab -> 'General' tab for deployments of 'Web Application' type
6. Ensure 'Maximum in-memory Session' field value is set to an integer value at or lower than an acceptable maximum number of HTTP sessions

If a value is not set in the 'Maximum in-memory Session' field for all deployments, this is a finding.
Fix Text (F-39171r628744_fix)
1. Access AC
2. From 'Domain Structure', select 'Deployments'
3. Sort 'Deployments' table by 'Type' by click the column header
4. Select an 'Enterprise Application' or 'Web Application' to check the session timeout setting
5. Select 'Configuration' tab -> 'Application' tab for deployments of 'Enterprise Application' type
Select 'Configuration' tab -> 'General' tab for deployments of 'Web Application' type
6. Utilize 'Change Center' to create a new change session
7. Set value in 'Maximum in-memory Session' field value to an integer value at or lower than an acceptable maximum number of HTTP sessions. Click 'Save'
8. Repeat steps 4-7 for each 'Enterprise Application' and 'Web Application' deployment