Oracle WebLogic must protect against or limit the effects of HTTP types of Denial of Service (DoS) attacks.

From Oracle WebLogic Server 12c Security Technical Implementation Guide

Part of SRG-APP-000245-AS-000163

Associated with: CCI-001092

SV-70591r1_rule Oracle WebLogic must protect against or limit the effects of HTTP types of Denial of Service (DoS) attacks.

Vulnerability discussion

Employing increased capacity and bandwidth combined with service redundancy can reduce susceptibility to some DoS attacks. When an application server is deployed in a high-risk environment (such as a DMZ), the amount of access to the system from various sources usually increases, and with it the system's exposure to DoS attacks. The application server must be configurable to withstand or minimize the risk of DoS attacks. This can be partially achieved if the application server provides configuration options that limit the number of allowed concurrent HTTP sessions.

Check content

1. Access the Administration Console (AC).
2. From 'Domain Structure', select 'Deployments'.
3. Sort the 'Deployments' table by 'Type' by clicking the column header.
4. Select an 'Enterprise Application' or 'Web Application' to check the session timeout setting.
5. Select the 'Configuration' tab -> 'Application' tab for deployments of 'Enterprise Application' type. Select the 'Configuration' tab -> 'General' tab for deployments of 'Web Application' type.
6. Ensure the 'Maximum in-memory Session' field value is set to an integer value at or lower than an acceptable maximum number of HTTP sessions.

If a value is not set in the 'Maximum in-memory Session' field for all deployments, this is a finding.

Fix text

1. Access the Administration Console (AC).
2. From 'Domain Structure', select 'Deployments'.
3. Sort the 'Deployments' table by 'Type' by clicking the column header.
4. Select an 'Enterprise Application' or 'Web Application' to check the session timeout setting.
5. Select the 'Configuration' tab -> 'Application' tab for deployments of 'Enterprise Application' type. Select the 'Configuration' tab -> 'General' tab for deployments of 'Web Application' type.
6. Utilize 'Change Center' to create a new change session.
7. Set the 'Maximum in-memory Session' field value to an integer value at or lower than an acceptable maximum number of HTTP sessions. Click 'Save'.
8. Repeat steps 4-7 for each 'Enterprise Application' and 'Web Application' deployment.
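The console field above is backed by the `max-in-memory-sessions` element of the `session-descriptor` in a web application's `WEB-INF/weblogic.xml`. The following added example (not part of the STIG or of Oracle's tooling) applies this rule's check to that descriptor so it can be run across extracted deployments offline; the sample descriptors and the ceiling of 500 sessions are constructed, and a non-positive value is treated as "no limit" (WebLogic's documented default of -1).

```python
# Added example: audit a WebLogic weblogic.xml for the max-in-memory-sessions
# limit behind the console's 'Maximum in-memory Session' field.
# Sample descriptors and the 500-session ceiling below are constructed.
import xml.etree.ElementTree as ET
from typing import Optional

ACCEPTABLE_MAX_SESSIONS = 500  # constructed site policy value


def _local(tag: str) -> str:
    """Strip an XML namespace: '{uri}name' -> 'name' (descriptors may use the
    Oracle or the older BEA namespace, so match on the local name only)."""
    return tag.rsplit('}', 1)[-1]


def max_in_memory_sessions(weblogic_xml: str) -> Optional[int]:
    """Return the configured max-in-memory-sessions value, or None if unset."""
    root = ET.fromstring(weblogic_xml)
    for elem in root.iter():
        if _local(elem.tag) == 'session-descriptor':
            for child in elem:
                if _local(child.tag) == 'max-in-memory-sessions':
                    return int((child.text or '').strip())
    return None


def check_deployment(name: str, weblogic_xml: str,
                     ceiling: int = ACCEPTABLE_MAX_SESSIONS) -> dict:
    """STIG check: unset, unlimited (<= 0), or above the ceiling is a finding."""
    value = max_in_memory_sessions(weblogic_xml)
    finding = value is None or value <= 0 or value > ceiling
    return {'deployment': name, 'max_in_memory_sessions': value, 'finding': finding}


# Constructed sample descriptors (not real deployments).
COMPLIANT = """<?xml version="1.0" encoding="UTF-8"?>
<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <session-descriptor>
    <timeout-secs>900</timeout-secs>
    <max-in-memory-sessions>250</max-in-memory-sessions>
  </session-descriptor>
</weblogic-web-app>
"""

UNSET = """<?xml version="1.0" encoding="UTF-8"?>
<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <session-descriptor><timeout-secs>900</timeout-secs></session-descriptor>
</weblogic-web-app>
"""

if __name__ == '__main__':
    for name, descriptor in (('orders.war', COMPLIANT), ('legacy.war', UNSET)):
        print(check_deployment(name, descriptor))
```

Enterprise applications carry the same `session-descriptor` in `META-INF/weblogic-application.xml`, so the same function can be pointed at that file.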
