Tuesday, February 15, 2011

Vulnerability

Critical Patch Update Availability for WebLogic Server Plug-ins
https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&doctype=REFERENCE&id=1263333.1

The web server plug-ins are built at change number CL1338089.

Supported config:
The WebLogic web server plug-ins are common to all versions of WebLogic Server.

Upgrade instructions:
- Save a backup copy of your existing plug-in module.
- Replace the plug-in module with the one found in this zip file.
- Restart your web server.

SSL Server Allows Anonymous Authentication Vulnerability

If SSL is enabled, add the flags below to the server startup script:
-Dweblogic.security.SSL.protocolVersion=SSL3
-Dweblogic.security.disableNullCipher=true
-Dweblogic.security.SSL.allowUnencryptedNullCipher=false

Example (Windows):
set JAVA_OPTIONS=%SAVE_JAVA_OPTIONS% -Dweblogic.security.SSL.protocolVersion=SSL3 -Dweblogic.security.disableNullCipher=true
or (UNIX):
SAVE_JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.protocolVersion=SSL3 -Dweblogic.security.disableNullCipher=true"

SSL Server Has SSLv2 Enabled Vulnerability

Shut down your servers and take a backup of config.xml, then edit config.xml and add the lines below between <name>AdminServer</name> and <listen-address></listen-address>:

<ssl>
  <enabled>true</enabled>
  <ciphersuite>TLS_RSA_WITH_RC4_128_SHA</ciphersuite>
  <ciphersuite>TLS_RSA_WITH_RC4_128_MD5</ciphersuite>
  <ciphersuite>TLS_RSA_WITH_DES_CBC_SHA</ciphersuite>
</ssl>

Restart your server, then check that SSLv2 is refused with the openssl command-line utility:
openssl s_client -connect ip:port -ssl2
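Reading the s_client transcript by eye is error-prone, because with -ssl2 the SSL-Session block may still print the protocol that was attempted even when nothing was negotiated. The checker below decides the outcome from the one-line "New, ..., Cipher is ..." summary instead, and also flags the null and anonymous suites that the disableNullCipher / allowUnencryptedNullCipher flags above are meant to shut off. It is an added example, not part of the original post; the three transcripts are constructed to look like openssl s_client output and were not captured from any real host.

```python
import re

# Constructed transcripts in the shape `openssl s_client` prints; none of
# them was captured from a real host.  SSLV2_ACCEPTED is what a server that
# still speaks SSLv2 returns to `openssl s_client -connect ip:port -ssl2`;
# SSLV2_REFUSED is the refusal you want to see after the fix; NULL_CIPHER is
# a TLS session that negotiated a suite with no encryption at all.
SSLV2_ACCEPTED = """\
CONNECTED(00000003)
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIBconstructedCertificateBodyNotReal=
-----END CERTIFICATE-----
---
New, SSLv2, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
    Protocol  : SSLv2
    Cipher    : RC4-MD5
"""

SSLV2_REFUSED = """\
CONNECTED(00000003)
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv2
    Cipher    : 0000
"""

NULL_CIPHER = """\
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is NULL-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : NULL-SHA
"""

# The one-line summary s_client prints after the handshake.  On failure the
# cipher is literally "(NONE)", which is the reliable signal; the SSL-Session
# block below it may still show the protocol that was merely attempted.
_SUMMARY = re.compile(r"^New, (?P<proto>.+?), Cipher is (?P<cipher>\S+)\s*$", re.M)


def negotiated_session(output):
    """Return (protocol, cipher) for a completed handshake, or None if it failed."""
    m = _SUMMARY.search(output)
    if m is None or m.group("cipher") == "(NONE)":
        return None
    return m.group("proto"), m.group("cipher")


def sslv2_accepted(output):
    """True when the server completed an SSLv2 handshake (finding still open)."""
    session = negotiated_session(output)
    return session is not None and session[0] == "SSLv2"


def null_or_anonymous_cipher(output):
    """True when the negotiated suite encrypts nothing (OpenSSL names NULL-*)
    or authenticates nobody (anonymous DH: ADH-* / AECDH-*)."""
    session = negotiated_session(output)
    if session is None:
        return False
    cipher = session[1]
    return cipher.startswith(("NULL-", "ADH-", "AECDH-")) or "-NULL-" in cipher


if __name__ == "__main__":
    for label, text in (("sslv2 accepted", SSLV2_ACCEPTED),
                        ("sslv2 refused", SSLV2_REFUSED),
                        ("null cipher", NULL_CIPHER)):
        print(label, negotiated_session(text),
              "SSLv2:", sslv2_accepted(text),
              "null/anon:", null_or_anonymous_cipher(text))
```

In practice you would pipe the real command into this script (openssl s_client -connect ip:port -ssl2 </dev/null | python check.py) once per protocol flag, and treat any True from sslv2_accepted or null_or_anonymous_cipher as the finding being still open.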

Doc ID 1312916.1

To enable high ciphers (note ID 1067411.1) in Node Manager, add the flag -Dweblogic.security.SSL.Ciphersuites=TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5
to your startNodeManager.sh file,
or, if Node Manager is started by WLST rather than by startNodeManager.sh, add it to the nodemanager.properties file:
CipherSuite=TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5

To enable SSLv3 in Node Manager when startNodeManager.sh is not used, add
SSLArguments=-Dweblogic.security.SSL.protocolVersion=SSL3
to startup.properties under user_projects\domains\<base_domain>\servers\<new_managedServer>\data\nodemanager.

To deactivate SSLv2:
It is not possible to deactivate only SSLv2 on WebLogic Server 10.3.x and leave both SSLv3 and TLSv1 working at the same time.

The only options are:

- Use exclusively SSL3
- Use exclusively TLS1
- Use the default value, which is ALL.

So to disable SSLv2, additionally add one of the following flags:
-Dweblogic.security.SSL.protocolVersion=SSL3         - Only SSL V3.0 messages are sent and accepted.
-Dweblogic.security.SSL.protocolVersion=TLS1         - Only TLS V1.0 messages are sent and accepted.
-Dweblogic.security.SSL.protocolVersion=ALL          - This is the default behavior.

List of supported cipher suites:
http://docs.oracle.com/cd/E17904_01/web.1111/e13707/ssl.htm#BABBDACC
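The post spreads the same three settings over a start script, nodemanager.properties, startup.properties and config.xml, which is exactly the kind of hand edit that drifts between servers. The audit below, added here as an example and not part of the original post or of Oracle's tooling, reads the -D flags out of a JAVA_OPTIONS line or an SSLArguments value, reads the two .properties files as Java properties, and pulls the <ssl> element of a named server out of config.xml. It treats a missing protocolVersion as ALL, which the post names as the default, and accepts either of the post's two exclusive values. All sample inputs are constructed; the config.xml sample carries the WebLogic domain namespace so that the namespace handling is exercised.

```python
import re
import xml.etree.ElementTree as ET

# Flag names exactly as the post gives them.
FLAG_PROTO = "weblogic.security.SSL.protocolVersion"
FLAG_DISABLE_NULL = "weblogic.security.disableNullCipher"
FLAG_ALLOW_NULL = "weblogic.security.SSL.allowUnencryptedNullCipher"

# Constructed inputs, not taken from any real domain: the post's Windows
# example, an unhardened default, and imitations of nodemanager.properties,
# startup.properties and the <ssl> block of config.xml.
HARDENED_OPTS = ("set JAVA_OPTIONS=%SAVE_JAVA_OPTIONS% "
                 "-Dweblogic.security.SSL.protocolVersion=SSL3 "
                 "-Dweblogic.security.disableNullCipher=true")
DEFAULT_OPTS = "set JAVA_OPTIONS=%SAVE_JAVA_OPTIONS% -Xms256m -Xmx512m"
NODEMANAGER_PROPERTIES = """\
# constructed nodemanager.properties
SecureListener=true
CipherSuite=TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5
"""
STARTUP_PROPERTIES = "SSLArguments= -Dweblogic.security.SSL.protocolVersion=SSL3\n"
CONFIG_XML = """\
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <server>
    <name>AdminServer</name>
    <ssl>
      <enabled>true</enabled>
      <ciphersuite>TLS_RSA_WITH_RC4_128_SHA</ciphersuite>
      <ciphersuite>TLS_RSA_WITH_RC4_128_MD5</ciphersuite>
    </ssl>
    <listen-address></listen-address>
  </server>
</domain>
"""


def parse_d_flags(text):
    """Collect -Dname=value pairs from a JAVA_OPTIONS line or an SSLArguments value."""
    return dict(re.findall(r"-D([\w.]+)=([^\s\"']+)", text))


def audit_flags(flags):
    """List deviations from the three flags the post says to set; empty means compliant."""
    findings = []
    proto = flags.get(FLAG_PROTO, "ALL")      # ALL is the default named in the post
    if proto == "ALL":
        findings.append(FLAG_PROTO + " is ALL (default): SSLv2 handshakes still accepted")
    elif proto not in ("SSL3", "TLS1"):
        findings.append(FLAG_PROTO + " has unexpected value " + proto)
    if flags.get(FLAG_DISABLE_NULL) != "true":
        findings.append(FLAG_DISABLE_NULL + " is not true: null-cipher sessions not disabled")
    if flags.get(FLAG_ALLOW_NULL) != "false":
        findings.append(FLAG_ALLOW_NULL + " is not explicitly false")
    return findings


def parse_properties(text):
    """Minimal Java .properties reader: key=value per line, # and ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _local(tag):
    """Strip the XML namespace WebLogic puts on every config.xml element."""
    return tag.rsplit("}", 1)[-1]


def ssl_settings(config_xml, server_name):
    """Return {'enabled': bool, 'ciphersuites': [...]} for the named <server>,
    or None when config.xml has no such server."""
    root = ET.fromstring(config_xml)
    for server in root.iter():
        if _local(server.tag) != "server":
            continue
        children = {_local(c.tag): c for c in server}
        name = children.get("name")
        if name is None or (name.text or "").strip() != server_name:
            continue
        result = {"enabled": False, "ciphersuites": []}
        ssl = children.get("ssl")
        if ssl is not None:
            for c in ssl:
                if _local(c.tag) == "enabled":
                    result["enabled"] = (c.text or "").strip() == "true"
                elif _local(c.tag) == "ciphersuite":
                    result["ciphersuites"].append((c.text or "").strip())
        return result
    return None


if __name__ == "__main__":
    print("hardened start script:", audit_flags(parse_d_flags(HARDENED_OPTS)))
    print("default start script:", audit_flags(parse_d_flags(DEFAULT_OPTS)))
    print("node manager suites:", parse_properties(NODEMANAGER_PROPERTIES)["CipherSuite"].split(","))
    print("startup.properties:", audit_flags(parse_d_flags(parse_properties(STARTUP_PROPERTIES)["SSLArguments"])))
    print("config.xml AdminServer:", ssl_settings(CONFIG_XML, "AdminServer"))
```

Run against the real files, the post's own Windows example produces one finding (allowUnencryptedNullCipher is never set there), and a stock start script produces three; the config.xml check lets you confirm that each server, not just AdminServer, carries an <ssl> element with enabled=true and an explicit suite list.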

3 comments:

Anonymous said...

Will these options work for the Node Manager if we still use the WebLogic default certs?

Unknown said...

Will these options work for the Node Manager if we still use the WebLogic default certs?

Anonymous said...

Hi, does this require any specific configuration on Apache?