Critical Patch Update Availability for WebLogic Server Plug-ins
https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&doctype=REFERENCE&id=1263333.1
The Web Server plug-ins built at change number CL1338089
Supported config:
The WebLogic webserver plugins are common to all versions of WebLogic servers.
Upgrade instructions:
Save a back-up copy of your existing plug-in module.
replace the plug-in module with the one found in this zip-file
restart your web server.
SSL Server Allows Anonymous Authentication Vulnerability
if ssl has been set
apply below flags in startup script.
-Dweblogic.security.SSL.protocolVersion=SSL3
-Dweblogic.security.disableNullCipher=true
-Dweblogic.security.SSL.allowUnencryptedNullCipher=false
ex:
set JAVA_OPTIONS=%SAVE_JAVA_OPTIONS% -Dweblogic.security.SSL.protocolVersion=SSL3 -Dweblogic.security.disableNullCipher=true
or
ex:
SAVE_JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.protocolVersion=SSL3 -Dweblogic.security.disableNullCipher=true"
SSL Server Has SSLv2 Enabled Vulnerability
please shut down your servers and take a backup of config.xml
edit config.xml and add the below lines
in between <name>AdminServer</name> and <listen-address></listen-address> add
<ssl>
<enabled>true</enabled>
<ciphersuite>TLS_RSA_WITH_RC4_128_SHA</ciphersuite>
<ciphersuite>TLS_RSA_WITH_RC4_128_MD5</ciphersuite>
<ciphersuite>TLS_RSA_WITH_DES_CBC_SHA</ciphersuite>
</ssl>
and restart your server.
then check sslv2 using the command utility
s_client -connect ip:port -ssl2
Doc ID 1312916.1
To enable High ciphers (note id 1067411.1) in nodemanager add the flag -Dweblogic.security.SSL.Ciphersuites=TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5
in your startnodemanger.sh file
or
add it in the nodemanager.properties file.
CipherSuite=TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5
if nodemanager is being started by wlst and not by startnodemanager.sh
To enable SSLV3 in nodemanager if startnodemanger.sh is not being used
SSLArguments= -Dweblogic.security.SSL.protocolVersion=SSL3 in startup.properties under user_projects\domains\<base_domain>\servers\<new_managedServer>\data\nodemanager
To deactivate SSLV2
It's not possible to deactivate just SSL2 on Weblogic Server 10.3.x, to leave both SSL3 and TLS1 working at the same time.
The only options are:
- Use exclusively SSL3
- Use exclusively TLS1
- Use the default value which is all.
So for disabling SSLv2, you can additionally add the flag
-Dweblogic.security.SSL.protocolVersion=SSL3 - Only SSL V3.0 messages are sent and accepted.
-Dweblogic.security.SSL.protocolVersion=TLS1 - Only TLS V1.0 messages are sent and accepted.
-Dweblogic.security.SSL.protocolVersion=ALL - This is the default behavior.
List of supported suites.
http://docs.oracle.com/cd/E17904_01/web.1111/e13707/ssl.htm#BABBDACC
https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&doctype=REFERENCE&id=1263333.1
The Web Server plug-ins built at change number CL1338089
Supported config:
The WebLogic webserver plugins are common to all versions of WebLogic servers.
Upgrade instructions:
Save a back-up copy of your existing plug-in module.
replace the plug-in module with the one found in this zip-file
restart your web server.
SSL Server Allows Anonymous Authentication Vulnerability
if ssl has been set
apply below flags in startup script.
-Dweblogic.security.SSL.protocolVersion=SSL3
-Dweblogic.security.disableNullCipher=true
-Dweblogic.security.SSL.allowUnencryptedNullCipher=false
ex:
set JAVA_OPTIONS=%SAVE_JAVA_OPTIONS% -Dweblogic.security.SSL.protocolVersion=SSL3 -Dweblogic.security.disableNullCipher=true
or
ex:
SAVE_JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.protocolVersion=SSL3 -Dweblogic.security.disableNullCipher=true"
SSL Server Has SSLv2 Enabled Vulnerability
please shut down your servers and take a backup of config.xml
edit config.xml and add the below lines
in between <name>AdminServer</name> and <listen-address></listen-address> add
<ssl>
<enabled>true</enabled>
<ciphersuite>TLS_RSA_WITH_RC4_128_SHA</ciphersuite>
<ciphersuite>TLS_RSA_WITH_RC4_128_MD5</ciphersuite>
<ciphersuite>TLS_RSA_WITH_DES_CBC_SHA</ciphersuite>
</ssl>
and restart your server.
then check sslv2 using the command utility
s_client -connect ip:port -ssl2
Doc ID 1312916.1
To enable High ciphers (note id 1067411.1) in nodemanager add the flag -Dweblogic.security.SSL.Ciphersuites=TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5
in your startnodemanger.sh file
or
add it in the nodemanager.properties file.
CipherSuite=TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5
if nodemanager is being started by wlst and not by startnodemanager.sh
To enable SSLV3 in nodemanager if startnodemanger.sh is not being used
SSLArguments= -Dweblogic.security.SSL.protocolVersion=SSL3 in startup.properties under user_projects\domains\<base_domain>\servers\<new_managedServer>\data\nodemanager
To deactivate SSLV2
It's not possible to deactivate just SSL2 on Weblogic Server 10.3.x, to leave both SSL3 and TLS1 working at the same time.
The only options are:
- Use exclusively SSL3
- Use exclusively TLS1
- Use the default value which is all.
So for disabling SSLv2, you can additionally add the flag
-Dweblogic.security.SSL.protocolVersion=SSL3 - Only SSL V3.0 messages are sent and accepted.
-Dweblogic.security.SSL.protocolVersion=TLS1 - Only TLS V1.0 messages are sent and accepted.
-Dweblogic.security.SSL.protocolVersion=ALL - This is the default behavior.
List of supported suites.
http://docs.oracle.com/cd/E17904_01/web.1111/e13707/ssl.htm#BABBDACC
