OHS must have the RewriteOptions directive set properly.

From Oracle HTTP Server 12.1.3 Security Technical Implementation Guide

Part of SRG-APP-000516-WSR-000174

Associated with: CCI-000366

SV-79137r1_rule OHS must have the RewriteOptions directive set properly.

Vulnerability discussion

The rules for the rewrite engine can be configured to inherit those from the parent and build upon that set of rules, to copy the rules from the parent if there are none defined or to only process the rules if the input is a URL. Of these, the most secure is to inherit from the parent because of how this implemented. The rules for the current configuration, process or directory, are loaded and then the parent are overlaid. This means that the parent rule will always override the child rule. This gives the server a more consistent security configuration.

Check content

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS//httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "" directive. 2. Search for the "RewriteOptions" directive at the OHS server and virtual host configuration scopes. 3. If the directive is omitted or is not set to "inherit", this is a finding unless inherited from a larger scope.

Fix text

1. As required, open $DOMAIN_HOME/config/fmwconfig/components/OHS//httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor that contains a "" directive. 2. Search for the "RewriteOptions" directive at the OHS server and virtual host configuration scopes. 3. Set the "RewriteOptions" directive to "inherit", add the directive if it does not exist unless inherited from a larger scope.

Pro Tips

Powered by sagemincer