STIGQter STIGQter: STIG Summary: Oracle WebLogic Server 12c Security Technical Implementation Guide Version: 1 Release: 6 Benchmark Date: 26 Jul 2019: Oracle WebLogic must restrict error messages so only authorized personnel may view them.

DISA Rule

SV-70633r1_rule

Vulnerability Number

V-56379

Group Title

SRG-APP-000267-AS-000170

Rule Version

WBLC-09-000254

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

1. Access AC
2. From 'Domain Structure', select 'Security Realms'
3. Select realm to configure (default is 'myrealm')
4. Select 'Users and Groups' tab -> 'Users' tab
5. From 'Users' table, select a user that must not have access to view error messages
6. From users settings page, select 'Groups' tab
7. From the 'Chosen' table, use the shuttle buttons to remove all of the following roles - 'Admin', 'Deployer', 'Monitor', 'Operator'
8. Click 'Save'
9. Repeat steps 5-8 for all users that must not have access to view error messages

Check Contents

1. Access AC
2. From 'Domain Structure', select 'Security Realms'
3. Select realm to configure (default is 'myrealm')
4. Select 'Users and Groups' tab -> 'Users' tab
5. From 'Users' table, select a user that must not have access to view error messages
6. From users settings page, select 'Groups' tab
7. Ensure the 'Chosen' table does not contain any of the following roles - 'Admin', 'Deployer', 'Monitor', 'Operator'
8. Repeat steps 5-7 for all users that must not have access to view error messages

If any user that should not be able to view error messages has the roles of 'Admin', 'Deployer', 'Monitor' or 'Operator', this is a finding.

Vulnerability Number

V-56379

Documentable

False

Rule Version

WBLC-09-000254

Severity Override Guidance

1. Access AC
2. From 'Domain Structure', select 'Security Realms'
3. Select realm to configure (default is 'myrealm')
4. Select 'Users and Groups' tab -> 'Users' tab
5. From 'Users' table, select a user that must not have access to view error messages
6. From users settings page, select 'Groups' tab
7. Ensure the 'Chosen' table does not contain any of the following roles - 'Admin', 'Deployer', 'Monitor', 'Operator'
8. Repeat steps 5-7 for all users that must not have access to view error messages

If any user that should not be able to view error messages has the roles of 'Admin', 'Deployer', 'Monitor' or 'Operator', this is a finding.

Check Content Reference

M

Target Key

2545

Comments