Oracle WebLogic must restrict error messages so only authorized personnel may view them.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-235995	WBLC-09-000254	SV-235995r628763_rule		Medium

Description
If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Application servers must protect the error messages that are created by the application server. All application server users' accounts are used for the management of the server and the applications residing on the application server. All accounts are assigned to a certain role with corresponding access rights. The application server must restrict access to error messages so only authorized personnel may view them. Error messages are usually written to logs contained on the file system. The application server will usually create new log files as needed and must take steps to ensure that the proper file permissions are utilized when the log files are created.

Description

If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Application servers must protect the error messages that are created by the application server. All application server users' accounts are used for the management of the server and the applications residing on the application server. All accounts are assigned to a certain role with corresponding access rights. The application server must restrict access to error messages so only authorized personnel may view them. Error messages are usually written to logs contained on the file system. The application server will usually create new log files as needed and must take steps to ensure that the proper file permissions are utilized when the log files are created.

STIG	Date
Oracle WebLogic Server 12c Security Technical Implementation Guide	2021-03-18

Details

Check Text ( C-39214r628761_chk )
1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Users and Groups' tab -> 'Users' tab 5. From 'Users' table, select a user that must not have access to view error messages 6. From users settings page, select 'Groups' tab 7. Ensure the 'Chosen' table does not contain any of the following roles - 'Admin', 'Deployer', 'Monitor', 'Operator' 8. Repeat steps 5-7 for all users that must not have access to view error messages If any user that should not be able to view error messages has the roles of 'Admin', 'Deployer', 'Monitor' or 'Operator', this is a finding.

Check Text ( C-39214r628761_chk )

1. Access AC
2. From 'Domain Structure', select 'Security Realms'
3. Select realm to configure (default is 'myrealm')
4. Select 'Users and Groups' tab -> 'Users' tab
5. From 'Users' table, select a user that must not have access to view error messages
6. From users settings page, select 'Groups' tab
7. Ensure the 'Chosen' table does not contain any of the following roles - 'Admin', 'Deployer', 'Monitor', 'Operator'
8. Repeat steps 5-7 for all users that must not have access to view error messages

If any user that should not be able to view error messages has the roles of 'Admin', 'Deployer', 'Monitor' or 'Operator', this is a finding.

Fix Text (F-39177r628762_fix)
1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Users and Groups' tab -> 'Users' tab 5. From 'Users' table, select a user that must not have access to view error messages 6. From users settings page, select 'Groups' tab 7. From the 'Chosen' table, use the shuttle buttons to remove all of the following roles - 'Admin', 'Deployer', 'Monitor', 'Operator' 8. Click 'Save' 9. Repeat steps 5-8 for all users that must not have access to view error messages

Fix Text (F-39177r628762_fix)

1. Access AC
2. From 'Domain Structure', select 'Security Realms'
3. Select realm to configure (default is 'myrealm')
4. Select 'Users and Groups' tab -> 'Users' tab
5. From 'Users' table, select a user that must not have access to view error messages
6. From users settings page, select 'Groups' tab
7. From the 'Chosen' table, use the shuttle buttons to remove all of the following roles - 'Admin', 'Deployer', 'Monitor', 'Operator'
8. Click 'Save'
9. Repeat steps 5-8 for all users that must not have access to view error messages