Oracle WebLogic must fail securely in the event of an operational failure.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-235991	WBLC-08-000238	SV-235991r628751_rule		Medium

Description
Fail secure is a condition achieved by the application server in order to ensure that in the event of an operational failure, the system does not enter into an unsecure state where intended security properties no longer hold. An example of secure failure is when an application server is configured for secure LDAP (LDAPS) authentication. If the application server fails to make a successful LDAPS connection it does not try to use unencrypted LDAP instead.

Description

Fail secure is a condition achieved by the application server in order to ensure that in the event of an operational failure, the system does not enter into an unsecure state where intended security properties no longer hold. An example of secure failure is when an application server is configured for secure LDAP (LDAPS) authentication. If the application server fails to make a successful LDAPS connection it does not try to use unencrypted LDAP instead.

STIG	Date
Oracle WebLogic Server 12c Security Technical Implementation Guide	2021-03-18

Details

Check Text ( C-39210r628749_chk )
1. Access EM 2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Monitoring' -> 'Port Usage' 3. In the results table, ensure values in the 'Protocol' column each end with 's' (secure) If the protocols are not secure, this is a finding.

Fix Text (F-39173r628750_fix)
1. Access AC 2. From 'Domain Structure', select 'Environment' -> 'Servers' 3. From the list of servers, select one which is assigned a protocol which does not end in 's' (secure) 4. Utilize 'Change Center' to create a new change session 5. From 'Configuration' tab -> 'General' tab, deselect the 'Listen Port Enabled' checkbox 6. Select the 'SSL Listen Port Enabled checkbox 7. Enter a valid port value in the 'SSL Listen Port' field and click 'Save' 8. Review the 'Port Usage' table in EM again to ensure all values in the 'Protocol' column end with 's' (secure)

Fix Text (F-39173r628750_fix)

1. Access AC
2. From 'Domain Structure', select 'Environment' -> 'Servers'
3. From the list of servers, select one which is assigned a protocol which does not end in 's' (secure)
4. Utilize 'Change Center' to create a new change session
5. From 'Configuration' tab -> 'General' tab, deselect the 'Listen Port Enabled' checkbox
6. Select the 'SSL Listen Port Enabled checkbox
7. Enter a valid port value in the 'SSL Listen Port' field and click 'Save'
8. Review the 'Port Usage' table in EM again to ensure all values in the 'Protocol' column end with 's' (secure)