Oracle WebLogic must separate hosted application functionality from Oracle WebLogic management functionality.

From Oracle WebLogic Server 12c Security Technical Implementation Guide

Part of SRG-APP-000211-AS-000146

Associated with: CCI-001082

SV-70571r1_rule Oracle WebLogic must separate hosted application functionality from Oracle WebLogic management functionality.

Vulnerability discussion

Application server management functionality includes functions necessary to administer the application server and requires privileged access via one of the accounts assigned to a management role. The separation of application server administration functionality from hosted application functionality is either physical or logical and is accomplished by using different computers, different central processing units, different instances of the operating system, network addresses, network ports, or combinations of these methods, as appropriate.

Check content

1. Access AC.
2. From 'Domain Structure', select 'Environment' -> 'Servers'.
3. A single server in the list will be named 'Admin Server'; this is the server which hosts AS management functionality, such as the AdminConsole application.
4. All remaining servers in the list are 'Managed Servers'; these are the individual or clustered servers which will host the actual applications.
5. Ensure no applications are deployed on the Admin server, rather, only on the Managed servers.

If any applications are deployed on the Admin server, this is a finding.

Fix text

1. Access AC.
2. From 'Domain Structure', select 'Environment' -> 'Servers'.
3. A single server in the list will be named 'Admin Server'; this is the server which hosts AS management functionality, such as the AdminConsole application.
4. All remaining servers in the list are 'Managed Servers'; these are the individual or clustered servers which will host the actual applications.
5. Utilize 'Change Center' to create a new change session.
6. Undeploy all applications that are not used for AS management from the Admin server, and redeploy onto the Managed servers.
7. This can be done from the 'Deployments' tab -> 'Targets' tab; select each application which must be redeployed, deselect 'Admin Server' and select one or more of the Managed servers.
8. Click 'Save' and restart servers if necessary.
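The console-based check above (and the result of the fix) can also be verified offline against the domain's config.xml, where each application's targets are recorded. The following is an added example, not part of the STIG or of Oracle's tooling; it assumes a config.xml following the WebLogic domain schema and uses a constructed sample document, with "AdminServer" assumed as the fallback admin server name when the file does not declare one.

```python
# Added example (not from the STIG): flag app-deployments targeted at the
# Admin Server by parsing DOMAIN_HOME/config/config.xml. The document below
# is constructed for this example; element names follow the domain schema.
import xml.etree.ElementTree as ET

NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}

# Constructed sample: one admin server, two managed servers, three
# deployments, two of which (wrongly) list the Admin Server as a target.
SAMPLE_CONFIG_XML = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <server><name>AdminServer</name></server>
  <server><name>ManagedServer1</name></server>
  <server><name>ManagedServer2</name></server>
  <app-deployment>
    <name>payroll</name>
    <target>ManagedServer1,ManagedServer2</target>
  </app-deployment>
  <app-deployment>
    <name>legacy-portal</name>
    <target>AdminServer</target>
  </app-deployment>
  <app-deployment>
    <name>reports</name>
    <target>AdminServer,ManagedServer1</target>
  </app-deployment>
  <admin-server-name>AdminServer</admin-server-name>
</domain>
"""

def apps_on_admin_server(config_xml):
    """Names of app-deployments whose targets include the admin server.
    (Management apps such as the console are internal, not <app-deployment>s.)"""
    root = ET.fromstring(config_xml)
    # <admin-server-name> may be omitted; "AdminServer" is the configuration
    # wizard's default name (assumption used as the fallback here).
    admin = root.findtext("d:admin-server-name", default="AdminServer",
                          namespaces=NS).strip()
    findings = []
    for app in root.findall("d:app-deployment", NS):
        # <target> is a comma-separated list of server and cluster names.
        targets = app.findtext("d:target", default="", namespaces=NS)
        if admin in {t.strip() for t in targets.split(",")}:
            findings.append(app.findtext("d:name", default="", namespaces=NS))
    return findings

if __name__ == "__main__":
    for app in apps_on_admin_server(SAMPLE_CONFIG_XML):
        print(f"FINDING: '{app}' is deployed to the Admin Server")
```

Any name returned corresponds to a finding under this rule; an empty list after the retargeting in the fix text confirms the Admin Server carries no hosted applications.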
