Tuesday, February 15, 2011

Vulnerability

Critical Patch Update Availability for WebLogic Server Plug-ins
https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&doctype=REFERENCE&id=1263333.1

The Web Server plug-ins are built at change number CL1338089.

Supported config:
The WebLogic web server plug-ins are common to all versions of WebLogic Server.

Upgrade instructions:
- Save a backup copy of your existing plug-in module.
- Replace the plug-in module with the one found in the zip file.
- Restart your web server.

SSL Server Allows Anonymous Authentication Vulnerability

If SSL has been enabled, apply the flags below in the startup script:
-Dweblogic.security.SSL.protocolVersion=SSL3
-Dweblogic.security.disableNullCipher=true
-Dweblogic.security.SSL.allowUnencryptedNullCipher=false

ex:
set JAVA_OPTIONS=%SAVE_JAVA_OPTIONS% -Dweblogic.security.SSL.protocolVersion=SSL3 -Dweblogic.security.disableNullCipher=true
or
ex:
SAVE_JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.protocolVersion=SSL3 -Dweblogic.security.disableNullCipher=true"

SSL Server Has SSLv2 Enabled Vulnerability

Please shut down your servers and take a backup of config.xml.
Edit config.xml and add the lines below.

Between <name>AdminServer</name> and <listen-address></listen-address> add:

<ssl>
<enabled>true</enabled>
<ciphersuite>TLS_RSA_WITH_RC4_128_SHA</ciphersuite>
<ciphersuite>TLS_RSA_WITH_RC4_128_MD5</ciphersuite>
<ciphersuite>TLS_RSA_WITH_DES_CBC_SHA</ciphersuite>
</ssl>

Then restart your server.
Check for SSLv2 using the openssl command-line utility:
openssl s_client -connect ip:port -ssl2
If the handshake completes, the server still accepts SSLv2; a handshake failure means SSLv2 is rejected.

Doc ID 1312916.1

To enable high ciphers (note ID 1067411.1) in Node Manager, add the flag -Dweblogic.security.SSL.Ciphersuites=TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5
in your startnodemanager.sh file,
or
add it in the nodemanager.properties file:
CipherSuite=TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5
if Node Manager is being started by WLST and not by startnodemanager.sh.

To enable SSLv3 in Node Manager if startnodemanager.sh is not being used, set
SSLArguments=-Dweblogic.security.SSL.protocolVersion=SSL3
in startup.properties under user_projects\domains\<base_domain>\servers\<new_managedServer>\data\nodemanager.

To deactivate SSLv2
It's not possible to deactivate just SSLv2 on WebLogic Server 10.3.x while leaving both SSLv3 and TLS1 working at the same time.

The only options are:

- Use exclusively SSL3
- Use exclusively TLS1
- Use the default value, which is ALL.

So to disable SSLv2, you can additionally add one of the following flags:
-Dweblogic.security.SSL.protocolVersion=SSL3         - Only SSL V3.0 messages are sent and accepted.
-Dweblogic.security.SSL.protocolVersion=TLS1         - Only TLS V1.0 messages are sent and accepted.
-Dweblogic.security.SSL.protocolVersion=ALL          - This is the default behavior.

List of supported cipher suites:
http://docs.oracle.com/cd/E17904_01/web.1111/e13707/ssl.htm#BABBDACC
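As an added example (written for this post, not Oracle's or the author's code), a small Python audit that applies the checks above to a config.xml <ssl> block and to a JAVA_OPTIONS string: the allowed suites are the three listed in the post, the startup flags are the three from the SSL section, and the config.xml and options string are constructed samples that deliberately include a NULL suite and protocolVersion=ALL so that the findings show up.

```python
import xml.etree.ElementTree as ET

NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}  # default namespace of config.xml
# Suites the post adds to config.xml; anything else (e.g. a NULL suite) is flagged.
ALLOWED_SUITES = {"TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_RC4_128_MD5",
                  "TLS_RSA_WITH_DES_CBC_SHA"}
REQUIRED_FLAGS = {  # startup flags from the post and the values that count as hardened
    "-Dweblogic.security.SSL.protocolVersion": {"SSL3", "TLS1"},  # ALL keeps SSLv2
    "-Dweblogic.security.disableNullCipher": {"true"},
    "-Dweblogic.security.SSL.allowUnencryptedNullCipher": {"false"},
}

def audit_config_xml(xml_text):
    """Return findings (empty list = OK) for each <server> in a config.xml."""
    findings = []
    for server in ET.fromstring(xml_text).findall("d:server", NS):
        name = server.findtext("d:name", default="?", namespaces=NS)
        ssl = server.find("d:ssl", NS)
        if ssl is None or ssl.findtext("d:enabled", default="false", namespaces=NS) != "true":
            findings.append(f"{name}: SSL not enabled in config.xml")
            continue
        suites = [e.text for e in ssl.findall("d:ciphersuite", NS)]
        if not suites:
            findings.append(f"{name}: no explicit <ciphersuite>, server defaults apply")
        for suite in suites:
            if suite not in ALLOWED_SUITES:
                findings.append(f"{name}: cipher suite {suite} not in the hardened list")
    return findings

def audit_java_options(java_options):
    """Check a JAVA_OPTIONS string for the three startup flags from the post."""
    present = dict(opt.split("=", 1) for opt in java_options.split() if "=" in opt)
    findings = []
    for flag, good in REQUIRED_FLAGS.items():
        if present.get(flag) not in good:
            findings.append(f"{flag}={present.get(flag, '<missing>')}, expected {sorted(good)}")
    return findings

# Constructed sample input: one server that still lists a NULL suite,
# and one managed server with no <ssl> block at all.
SAMPLE_CONFIG_XML = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <server><name>AdminServer</name>
    <ssl><enabled>true</enabled>
      <ciphersuite>TLS_RSA_WITH_RC4_128_SHA</ciphersuite>
      <ciphersuite>SSL_RSA_WITH_NULL_MD5</ciphersuite></ssl>
    <listen-address></listen-address></server>
  <server><name>ManagedServer1</name></server>
</domain>"""
SAMPLE_JAVA_OPTIONS = "-Xmx512m -Dweblogic.security.SSL.protocolVersion=ALL -Dweblogic.security.disableNullCipher=true"
```

Run audit_config_xml and audit_java_options on the real config.xml contents and the JAVA_OPTIONS from the startup script; an empty list from both means the settings described above are in place.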

Sunday, February 13, 2011

Disable Sun ONE Web Server from displaying server information in the response header

Start the Web Server 7 Administration Server and run the commands below:
wadm set-http-prop --user=admin --config= server-header=""
wadm deploy-config --user=admin

This does nothing more than add the ServerString none value to the magnus.conf file;
you may also change it to ServerString apache, where apache is your custom or misleading string.
Below is an example.

magnus.conf file:
#
# Copyright 2008 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#

ServerString none

Init fn="load-modules" shlib="lib*****lugin.so"
Init fn="load-modules" funcs="wl_proxy,wl_init" shlib="/opt/s***em/web***gin/lib/lib***xy.so"
Init fn="wl_init"

Wednesday, February 2, 2011

CR295275

CR295275 is associated with Bug 8094100.
Description: INVESTIGATE/REMOVE CHECK THAT PREVENTS INTEROP BETWEEN >2 MAJOR VERSIONS
It has been fixed in product version 10.0.

You would only need the fix if you need interoperability between
WLS 7.0 and WLS 10.0.
However, the patch is only available for WLS 7.0 SP4, SP6 and SP7.
Oracle support for WLS 7.x is being terminated from 31st March 2011.