STIGQter: STIG Summary: Oracle WebLogic Server 12c Security Technical Implementation Guide, Version: 2, Release: 1, Benchmark Date: 23 Apr 2021

Oracle WebLogic must utilize encryption when using LDAP for authentication.

DISA Rule

SV-235972r628694_rule

Vulnerability Number

V-235972

Group Title

SRG-APP-000172-AS-000121

Rule Version

WBLC-05-000169

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

1. Access AC
2. From 'Domain Structure', select 'Environment' -> 'Servers'
3. From the list of servers, select one which is assigned 'LDAP' protocol
4. Utilize 'Change Center' to create a new change session
5. From 'Configuration' tab -> 'General' tab, deselect the 'Listen Port Enabled' checkbox
6. Select the 'SSL Listen Port Enabled' checkbox
7. Enter a valid port value in the 'SSL Listen Port' field and click 'Save'
8. Review the 'Port Usage' table in EM again to ensure the 'Protocol' column does not contain the value 'LDAP'

Check Contents

1. Access EM
2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Monitoring' -> 'Port Usage'
3. In the results table, ensure the 'Protocol' column does not contain the value 'LDAP' (only 'LDAPS')

If LDAP is being used and the 'Protocol' column contains the value 'LDAP', this is a finding.

Documentable

False

Severity Override Guidance

1. Access EM
2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Monitoring' -> 'Port Usage'
3. In the results table, ensure the 'Protocol' column does not contain the value 'LDAP' (only 'LDAPS')

If LDAP is being used and the 'Protocol' column contains the value 'LDAP', this is a finding.

Check Content Reference

M

Target Key

5282

Comments