Tuesday, February 15, 2011

Vulnerability

Critical Patch Update Availability for WebLogic Server Plug-ins
https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&doctype=REFERENCE&id=1263333.1

The web server plug-ins are built at change number CL1338089.

Supported config:
The WebLogic web server plug-ins are common to all versions of WebLogic Server.

Upgrade instructions:
Save a backup copy of your existing plug-in module.
Replace the plug-in module with the one found in this zip file.
Restart your web server.

SSL Server Allows Anonymous Authentication Vulnerability

If SSL is enabled, add the flags below to the server startup script:
-Dweblogic.security.SSL.protocolVersion=SSL3
-Dweblogic.security.disableNullCipher=true
-Dweblogic.security.SSL.allowUnencryptedNullCipher=false

Example (Windows):
set JAVA_OPTIONS=%SAVE_JAVA_OPTIONS% -Dweblogic.security.SSL.protocolVersion=SSL3 -Dweblogic.security.disableNullCipher=true
or
Example (Unix):
SAVE_JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.protocolVersion=SSL3 -Dweblogic.security.disableNullCipher=true"

Both examples show only the first two flags; append the third one in the same way.

SSL Server Has SSLv2 Enabled Vulnerability

Shut down your servers and take a backup of config.xml.
Edit config.xml and add the lines below.

Between <name>AdminServer</name> and <listen-address></listen-address> add:

<ssl>
  <enabled>true</enabled>
  <ciphersuite>TLS_RSA_WITH_RC4_128_SHA</ciphersuite>
  <ciphersuite>TLS_RSA_WITH_RC4_128_MD5</ciphersuite>
  <ciphersuite>TLS_RSA_WITH_DES_CBC_SHA</ciphersuite>
</ssl>

Then restart your server.
Check that SSLv2 is now rejected with the openssl s_client utility:
openssl s_client -connect ip:port -ssl2

Doc ID 1312916.1

To enable high ciphers (note ID 1067411.1) in Node Manager, add the flag -Dweblogic.security.SSL.Ciphersuites=TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5
to your startNodeManager.sh file,
or, if Node Manager is started by WLST rather than by startNodeManager.sh, add it to the nodemanager.properties file:
CipherSuite=TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5

To enable SSLv3 in Node Manager when startNodeManager.sh is not used, set
SSLArguments=-Dweblogic.security.SSL.protocolVersion=SSL3
in startup.properties under user_projects\domains\<base_domain>\servers\<new_managedServer>\data\nodemanager.

To deactivate SSLv2
It is not possible to deactivate only SSLv2 on WebLogic Server 10.3.x while leaving both SSLv3 and TLSv1 working at the same time.

The only options are:

- Use exclusively SSL3
- Use exclusively TLS1
- Use the default value, which is all.

So to disable SSLv2 you can additionally add one of the following flags:
-Dweblogic.security.SSL.protocolVersion=SSL3    Only SSL V3.0 messages are sent and accepted.
-Dweblogic.security.SSL.protocolVersion=TLS1    Only TLS V1.0 messages are sent and accepted.
-Dweblogic.security.SSL.protocolVersion=ALL     This is the default behavior.

List of supported cipher suites:
http://docs.oracle.com/cd/E17904_01/web.1111/e13707/ssl.htm#BABBDACC
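As an added example (not code from the post or from Oracle), the audit below checks a startup JAVA_OPTIONS value and a config.xml fragment for the settings described above: the three -Dweblogic.security.* flags and an explicit <ciphersuite> list free of NULL or anonymous suites. The sample inputs are constructed, and the xmlns on the sample <domain> element is assumed to match the one WebLogic writes into config.xml.

```python
import shlex
import xml.etree.ElementTree as ET
# Constructed sample inputs (not from a real domain): a JAVA_OPTIONS value and a
# config.xml fragment with the <ssl> block the post describes.
SAMPLE_JAVA_OPTIONS = ("-Xms256m -Dweblogic.security.SSL.protocolVersion=SSL3 "
                       "-Dweblogic.security.disableNullCipher=true")
SAMPLE_CONFIG_XML = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <server><name>AdminServer</name>
    <ssl><enabled>true</enabled>
      <ciphersuite>TLS_RSA_WITH_RC4_128_SHA</ciphersuite>
      <ciphersuite>TLS_RSA_WITH_DES_CBC_SHA</ciphersuite>
    </ssl></server>
</domain>"""

def parse_sysprops(java_options):
    """Map every -Dname=value token of a JAVA_OPTIONS string to {name: value}."""
    props = {}
    for tok in shlex.split(java_options):
        if tok.startswith("-D") and "=" in tok:
            name, value = tok[2:].split("=", 1)
            props[name] = value
    return props

def _local(tag):  # strip the xmlns so the namespace-less fragment in the post also parses
    return tag.rsplit("}", 1)[-1]

def ssl_ciphersuites(config_xml, server_name):
    """Return the <ciphersuite> values under <server><name>server_name</name><ssl>."""
    for server in ET.fromstring(config_xml).iter():
        if _local(server.tag) != "server":
            continue
        kids = {_local(c.tag): c for c in server}
        if "name" in kids and kids["name"].text == server_name:
            ssl = kids.get("ssl")
            return [] if ssl is None else [c.text for c in ssl if _local(c.tag) == "ciphersuite"]
    return []

def audit(java_options, config_xml, server_name="AdminServer"):
    """Return findings; an empty list means every setting from the post is present."""
    props, findings = parse_sysprops(java_options), []
    proto = props.get("weblogic.security.SSL.protocolVersion", "ALL")  # ALL is the default
    if proto.upper() not in ("SSL3", "TLS1"):
        findings.append("protocolVersion=%s: SSLv2 is still accepted" % proto)
    if props.get("weblogic.security.disableNullCipher", "").lower() != "true":
        findings.append("disableNullCipher is not true")
    if props.get("weblogic.security.SSL.allowUnencryptedNullCipher", "").lower() != "false":
        findings.append("allowUnencryptedNullCipher is not false")
    suites = ssl_ciphersuites(config_xml, server_name)
    findings += ["anonymous/NULL suite configured: " + s
                 for s in suites if "NULL" in s or "anon" in s.lower()]
    return findings
```

Run audit() against the JAVA_OPTIONS line of your startup script and the domain's config.xml; the sample input above yields one finding, because the example lines in the post omit allowUnencryptedNullCipher.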

5 comments:

Anonymous said...

will these options work for the node manager if we still use the weblogic default certs ?

ram kumar said...

will these options work for the node manager if we still use the weblogic default certs ?

Anonymous said...

Hi, Does this require any specific configuration on Apache?
