Oracle WebLogic must limit privileges to change the software resident within software libraries (including privileged programs).

From Oracle WebLogic Server 12c Security Technical Implementation Guide

Part of SRG-APP-000133-AS-000092

Associated with: CCI-001499

SV-70523r1_rule Oracle WebLogic must limit privileges to change the software resident within software libraries (including privileged programs).

Vulnerability discussion

Application servers have the ability to specify that the hosted applications utilize shared libraries. The application server must have a capability to divide roles based upon duties wherein one project user (such as a developer) cannot modify the shared library code of another project user. The application server must also be able to specify that non-privileged users cannot modify any shared library code at all.

Check content

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Users and Groups' tab -> 'Users' tab 5. From 'Users' table, select a user that must not have shared library modification access 6. From users settings page, select 'Groups' tab 7. Ensure the 'Chosen' table does not contain the roles - 'Admin', 'Deployer' 8. Repeat steps 5-7 for all users that must not have shared library modification access If any users that are not permitted to change the software resident within software libraries (including privileged programs) have the role of 'Admin' or 'Deployer', this is a finding.

Fix text

1. Access AC 2. From 'Domain Structure', select 'Security Realms' 3. Select realm to configure (default is 'myrealm') 4. Select 'Users and Groups' tab -> 'Users' tab 5. From 'Users' table, select a user that must not have shared library modification access 6. From users settings page, select 'Groups' tab 7. From the 'Chosen' table, use the shuttle buttons to remove the role - 'Admin', 'Deployer' 8. Click 'Save' 9. Repeat steps 5-8 for all users that must not have shared library modification access

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer