WebLogic Server Security Warnings Displayed in Admin Console after JUL 2021 patch

We applied the WebLogic July 2021 critical patch because of the high-severity CVEs it addresses. After the patch was applied successfully, security warnings started to appear in the Administration Console. This is due to a new feature introduced with the July 2021 patch: WebLogic now validates the domain and displays warnings in the console. The evaluation covers several areas in order to secure the WebLogic environment:

  • Installation
  • WebLogic domains
  • Network
  • Configuration Settings
  • Applications

The WebLogic Server July 2021 Patch Set Update (PSU) for WebLogic Server versions 14.1.1, 12.2.1.4 and 12.2.1.3 includes new WebLogic Administration Console security validation screens and new security validation MBeans that validate security configuration settings in your domain.

With the July 2021 PSU applied, WebLogic Server regularly validates your domain configuration settings against a set of security configuration guidelines to determine whether the domain meets key security guidelines recommended by Oracle.

If your domain does not meet a recommendation for a security configuration setting, a warning is logged in the Security Warnings Report in the WebLogic Administration Console. When there are active warnings in the Security Warnings Report, a banner with red text appears across the top of the Administration Console. Click the text to see the report. In the Security Warnings Report, you will see any issues that need to be addressed and on which servers. You can also click View Security Warnings Report on the Administration Console home page to see current warnings.

Security Validation Screen

The Lockdown Guide explains the warnings report and how to review the information provided before taking action. 

See the links below for more information: 


Although Oracle recommends resolving the warnings by changing the domain configuration setting, you may determine that based on your security and business requirements, certain warnings do not apply to your domain.

For those warnings, you can disable the relevant security configuration settings.

To disable the security configuration settings:

  • Log in to the WebLogic Administration Console
  • Go to Domain => Security => Warnings
  • Deselect any settings for which you do not want to see warnings

| Error ID | Security check belongs to | Description of the issue | Solution |
|---|---|---|---|
| 000345 | Managed Server | The selected version of Java, JDK 1.8.0_121, contains a known security flaw. | Upgrade to at least JDK 1.8.0_191. |
| 003818 | Admin Server | The selected version of Java, JDK 1.8.0_121, contains a known security flaw. | Upgrade to at least JDK 1.8.0_191. |
| 090976 | Admin Server | Secure Mode is enabled but no auditing provider is configured in realm: myrealm. | Configure an auditing provider in the realm. |
| 090977 | Admin Server | Secure Mode is enabled but the Default Auditor logging level does not include WARNING, ERROR, and FAILURE audit records in realm: myrealm. | Set the appropriate logging level for the Default Auditor. |
| 090978 | Admin Server | User lockout settings are not secure in realm: myrealm, i.e. LockoutThreshold should not be greater than 5, LockoutDuration should not be less than 30. | Update the user lockout settings (LockoutThreshold, LockoutDuration) to be secure. |
| 090979 | Admin Server | Production Mode is enabled but an unencrypted password is used on the command line, i.e. the system property weblogic.management.password is set. | Do not specify the weblogic.management.password system property when starting the server. |
| 090980 | Admin Server | No password validator is configured in realm: myrealm. | Configure a password validator. |
| 090980 | Managed Server | No password validator is configured in realm: myrealm. | Configure a password validator. |
| 090982 | Managed Server | Production Mode is enabled but PostBind is not enabled for machine: mymachine when a Unix machine is configured and port 80 < 1024 is used. | Enable the PostBind attributes in the UnixMachine MBean. |
| 090983 | Admin Server | Secure Mode is enabled but the administration port is not enabled. | Enable the administration port. |
| 090985 | Admin Server | The file or directory SerializedSystemIni.dat is insecure since its permission is not a minimum of umask 027. | Change the file or directory permission to at most allow only write by owner, read by group. |
| 090985 | Admin Server | The file or directory /u01/mydomain/servers/myserver/data/ldap/ldapfiles/EmbeddedLDAP.data is insecure since its permission is not a minimum of umask 027. | Change the file or directory permission to at most allow only write by owner, read by group. |
| 090987 | Managed Server | SSLv3 is enabled by the system property {0} in secure mode. SSLv3 is vulnerable and should not be enabled. | Modify the system property to specify a secure TLS version such as TLSv1.2. |
| 090988 | Managed Server | Basic Constraints extension validation is turned off by the system property {0}=off in secure mode. | Modify the system property to turn on Basic Constraints extension validation: {0}=strong, {0}=true or {0}=strict. |
| 090989 | Managed Server | SSL hostname verification is disabled by the system property {0} in production mode. Disabling host name verification will leave the server vulnerable to man-in-the-middle attacks. | Remove the specified system property and ensure SSL host name verification is enabled. |
| 090990 | Managed Server | SSL hostname verification is disabled by the SSL configuration of server {0} in production mode. Disabling host name verification will leave the server vulnerable to man-in-the-middle attacks. | Enable SSL host name verification by setting the HostnameVerificationIgnored SSL MBean attribute to false. |
| 090991 | Managed Server | SSL hostname verification is disabled by the SSL configuration of server channel mychannel in production mode. Disabling host name verification will leave the server vulnerable to man-in-the-middle attacks. | Enable SSL host name verification by setting the HostnameVerificationIgnored NetworkAccessPoint MBean attribute to false. |
| 090992 | Managed Server | SSLv3 is enabled as the minimum TLS protocol version by the system property {0} in production mode. SSLv3 is vulnerable and should not be enabled. | Configure the system property with a secure TLS version such as TLSv1.2 as the minimum TLS protocol version. |
| 090993 | Managed Server | SSLv3 is enabled as the minimum TLS protocol version by the SSL configuration of server {0} in production mode. SSLv3 is vulnerable and should not be enabled. | Configure the MinimumTLSProtocolVersion SSL MBean attribute to contain a secure TLS version such as TLSv1.2. |
| 090995 | Managed Server | Null cipher suites are allowed by the system property {0} in secure mode. | Remove or modify the system property to not allow null cipher suites. |
| 090996 | Managed Server | Null cipher suites are allowed by the SSL configuration of server myserver in secure mode. | Set the AllowUnencryptedNullCipher SSL MBean attribute to false to not allow null cipher suites. |
| 090997 | Managed Server | Anonymous cipher suites are allowed by the system property {0} in secure mode. | Update the system property to not allow anonymous cipher suites. |
| 090998 | Managed Server | Null cipher suites are allowed by the SSL configuration of server channel mychannel in secure mode. | Set the AllowUnencryptedNullCipher NetworkAccessPoint MBean attribute to false to not allow null cipher suites. |
| 090999 | Managed Server | TLS client initiated secure renegotiation is enabled by the SSL configuration of server myserver in production mode. | Set the ClientInitSecureRenegotiationAccepted SSL MBean attribute to false to disable TLS client initiated secure renegotiation. |
| 091000 | Managed Server | TLS client initiated secure renegotiation is enabled by the SSL configuration of server channel mychannel in secure mode. | Set the ClientInitSecureRenegotiationAccepted NetworkAccessPoint MBean attribute to false to disable TLS client initiated secure renegotiation. |
| 091001 | Managed Server | Insecure cipher suites are configured by the SSL configuration of server {0} in secure mode: {1}. | Remove the insecure cipher suites {1} from the CipherSuites SSL MBean attribute. |
| 091002 | Managed Server | Insecure cipher suites are configured by the SSL configuration of server channel {0} in secure mode: {1}. | Remove the insecure cipher suites {1} from the CipherSuites NetworkAccessPoint MBean attribute. |
| 091003 | Admin Server | Secure Mode requires that users in the Administrators group do not have obvious user names. | Change the user name "weblogic" so it is not a commonly used administrator name. |
| 091004 | Managed Server | Samples should not be installed in the WebLogic installation directory. | Reinstall WebLogic and do not include the samples when choosing the installation type. |
| 091020 | Admin Server | Certificate myserver will expire in 5 days. | Replace the specified certificate with a newer version. |
| 091023 | Admin Server | Remote Anonymous RMI T3 or IIOP requests are enabled. | Set the RemoteAnonymousRMIT3Enabled and RemoteAnonymousRMIIIOPEnabled attributes to false. |
| 091024 | Admin Server | No WebLogic Server CPU patch is applied to the Oracle home. | Download and apply the latest WebLogic Server CPU patch. |
| 091025 | Admin Server | A new version of the WebLogic Server CPU patch should be available. | Download and apply the latest WebLogic Server CPU patch. If extended support has ended for this version and no CPU patch is available, upgrade to a newer version of WebLogic Server. |
| 091026 | Admin Server | No Coherence CPU patch is applied to the Oracle home. | Download and apply the latest Coherence CPU patch. |
| 091027 | Admin Server | WebLogic Server requires the Coherence CPU patch version 13 or higher. | Download and apply the latest Coherence CPU patch. |

Once the issues are identified, go to each warning and follow the recommended solution to fix it. A single warning may affect multiple managed servers, so the fix has to be applied to every affected instance; after that, refresh the console to check whether the warning has cleared.

Restarting WebLogic may not be required for these warnings to clear.
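As an added example (not from the original post and not Oracle's validator), the Python script below performs an offline version of several of the MBean-attribute checks in the table above against a domain's config.xml, so the same findings can be tracked outside the console, and includes the umask 027 file-permission test behind warning 090985. The sample config.xml is constructed, and the element names are an assumption: they follow the usual MBean-attribute-to-config.xml naming (HostnameVerificationIgnored becomes hostname-verification-ignored, and so on) and should be verified against a real domain. Warnings that come from system properties on the server start command line (090987, 090989 and similar) are not visible in config.xml and are not covered.

```python
"""Offline audit of a WebLogic config.xml for settings behind several
Security Warnings Report IDs (hypothetical helper, not Oracle's validator)."""
import stat
import xml.etree.ElementTree as ET

NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}

# Constructed sample, not a real domain. Element names assume the usual
# MBean-attribute -> config.xml mapping; verify against your own config.xml.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>mydomain</name>
  <security-configuration>
    <realm>
      <name>myrealm</name>
      <user-lockout-manager>
        <lockout-threshold>10</lockout-threshold>
        <lockout-duration>15</lockout-duration>
      </user-lockout-manager>
    </realm>
    <remote-anonymous-rmi-t3-enabled>true</remote-anonymous-rmi-t3-enabled>
    <remote-anonymous-rmi-iiop-enabled>false</remote-anonymous-rmi-iiop-enabled>
  </security-configuration>
  <server>
    <name>myserver</name>
    <ssl>
      <hostname-verification-ignored>true</hostname-verification-ignored>
      <minimum-tls-protocol-version>SSLv3</minimum-tls-protocol-version>
      <allow-unencrypted-null-cipher>false</allow-unencrypted-null-cipher>
      <client-init-secure-renegotiation-accepted>true</client-init-secure-renegotiation-accepted>
    </ssl>
    <network-access-point>
      <name>mychannel</name>
      <hostname-verification-ignored>false</hostname-verification-ignored>
      <allow-unencrypted-null-cipher>true</allow-unencrypted-null-cipher>
    </network-access-point>
  </server>
</domain>
"""


def _text(node, tag, default=""):
    """Text of child element <tag> of node, or default when absent or empty."""
    el = node.find(f"d:{tag}", NS)
    return el.text.strip() if el is not None and el.text else default


def _is_true(node, tag):
    """True only when <tag> is explicitly 'true'; absent means the default."""
    return _text(node, tag).lower() == "true"


def audit_config(xml_text):
    """Return [(warning_id, message)] for explicit settings the report flags.
    Insecure defaults that old releases may ship with are not inferred."""
    root = ET.fromstring(xml_text)
    findings = []

    sec = root.find("d:security-configuration", NS)
    if sec is not None:
        for realm in sec.findall("d:realm", NS):
            realm_name = _text(realm, "name", "?")
            lock = realm.find("d:user-lockout-manager", NS)
            # Assumed defaults when the element is absent: 5 and 30, which are
            # also the limits quoted in warning 090978.
            threshold = int(_text(lock, "lockout-threshold", "5")) if lock is not None else 5
            duration = int(_text(lock, "lockout-duration", "30")) if lock is not None else 30
            if threshold > 5 or duration < 30:
                findings.append(("090978", f"User lockout settings are not secure in realm: "
                                 f"{realm_name} (LockoutThreshold={threshold}, LockoutDuration={duration})"))
        if _is_true(sec, "remote-anonymous-rmi-t3-enabled") or _is_true(sec, "remote-anonymous-rmi-iiop-enabled"):
            findings.append(("091023", "Remote Anonymous RMI T3 or IIOP requests are enabled."))

    for server in root.findall("d:server", NS):
        name = _text(server, "name", "?")
        ssl = server.find("d:ssl", NS)
        if ssl is not None:
            if _is_true(ssl, "hostname-verification-ignored"):
                findings.append(("090990", f"SSL hostname verification is disabled for server {name}."))
            if _text(ssl, "minimum-tls-protocol-version").upper() == "SSLV3":
                findings.append(("090993", f"SSLv3 is the minimum TLS protocol version for server {name}."))
            if _is_true(ssl, "allow-unencrypted-null-cipher"):
                findings.append(("090996", f"Null cipher suites are allowed for server {name}."))
            if _is_true(ssl, "client-init-secure-renegotiation-accepted"):
                findings.append(("090999", f"Client initiated secure renegotiation is enabled for server {name}."))
        for nap in server.findall("d:network-access-point", NS):
            channel = _text(nap, "name", "?")
            if _is_true(nap, "hostname-verification-ignored"):
                findings.append(("090991", f"SSL hostname verification is disabled for channel {channel}."))
            if _is_true(nap, "allow-unencrypted-null-cipher"):
                findings.append(("090998", f"Null cipher suites are allowed for channel {channel}."))
            if _is_true(nap, "client-init-secure-renegotiation-accepted"):
                findings.append(("091000", f"Client initiated secure renegotiation is enabled for channel {channel}."))
    return findings


def perm_violates_umask_027(mode):
    """Warning 090985: a file is insecure if its mode keeps any bit that umask
    027 would clear, i.e. group write or any access for others."""
    return bool(stat.S_IMODE(mode) & 0o027)


if __name__ == "__main__":
    for wid, msg in audit_config(SAMPLE_CONFIG):
        print(wid, msg)
```

Run against a real domain with `audit_config(open(path_to_config_xml).read())`, and feed `os.stat(p).st_mode` for SerializedSystemIni.dat and the EmbeddedLDAP data file into `perm_violates_umask_027` to reproduce the 090985 check; the console remains the authoritative source, since it also evaluates start-command system properties and patch levels that config.xml does not contain.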


All of these warnings are Oracle recommendations, and whether they apply varies from application to application. Before disabling any of them, we need to assess whether the setting is really not required, or whether any of our functionality depends on it.
