STIGQter: STIG Summary: Oracle WebLogic Server 12c Security Technical Implementation Guide, Version: 2, Release: 1, Benchmark Date: 23 Apr 2021

Oracle WebLogic must only generate error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages.

DISA Rule

SV-235994r628760_rule

Vulnerability Number

V-235994

Group Title

SRG-APP-000266-AS-000169

Rule Version

WBLC-09-000253

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

1. Access EM
2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Logs' -> 'View Log Messages'
3. Within the search criteria, click the 'Add Fields' button
4. Notice that the list of available fields does not contain sensitive data

Check Contents

1. Access EM
2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Logs' -> 'View Log Messages'
3. Within the search criteria, click the 'Add Fields' button
4. Notice that the list of available fields does not contain sensitive data

If sensitive or potentially harmful information, such as passwords, private keys or other sensitive data, is part of the error logs or administrative messages, this is a finding.

Vulnerability Number

V-235994

Documentable

False

Rule Version

WBLC-09-000253

Severity Override Guidance

1. Access EM
2. Select the domain from the navigation tree, and use the dropdown to select 'WebLogic Domain' -> 'Logs' -> 'View Log Messages'
3. Within the search criteria, click the 'Add Fields' button
4. Notice that the list of available fields does not contain sensitive data

If sensitive or potentially harmful information, such as passwords, private keys or other sensitive data, is part of the error logs or administrative messages, this is a finding.

Check Content Reference

M

Target Key

5282
