We applied the WebLogic Critical Patch for July 2021 because of the highly critical CVEs reported. After the patch was applied successfully, we started seeing security warnings in the Administration Console. This is due to a new feature introduced with the July 2021 patch: WebLogic validates the domain and shows the warnings in the console. The evaluation covers multiple areas in order to secure the WebLogic environment:

- Installation
- WebLogic domains
- Network
- Configuration Settings
- Applications
The WebLogic Server July 2021 Patch Set Update (PSU) for WebLogic Server versions 14.1.1, 12.2.1.4 and 12.2.1.3 includes new WebLogic Administration Console security validation screens and new security validation MBeans that validate security configuration settings in your domain.
With the July 2021 PSU applied, WebLogic Server regularly validates your domain configuration settings against a set of security configuration guidelines to determine whether the domain meets key security guidelines recommended by Oracle.
If your domain does not meet a recommendation for a security configuration setting, a warning is logged in the Security Warnings Report in the WebLogic Administration Console. When there are active warnings in the Security Warnings Report, a banner with red text appears across the top of the Administration Console. Click the text to see the report. In the Security Warnings Report, you will see any issues that need to be addressed and on which servers. You can also click View Security Warnings Report on the Administration Console home page to see current warnings.
Security Validation Screen
The Lockdown Guide explains the warnings report and how to review the information provided before taking action.
See the links below for more information:
- Security Warnings Report – Version 14.1.1.0
- Security Warnings Report – Version 12.2.1.4
- Security Warnings Report – Version 12.2.1.3

Although Oracle recommends resolving the warnings by changing the domain configuration setting, you may determine that based on your security and business requirements, certain warnings do not apply to your domain.
For those warnings, you can disable the relevant security configuration settings.
To disable the security configuration settings:
- Log in to the WebLogic Administration Console
- Go to Domain => Security => Warnings
- Deselect any settings for which you do not want to see warnings

Error ID | Server the check belongs to | Description of the issue |
---|---|---|
000345 | Managed Server | The selected version of Java, JDK 1.8.0_121, contains a known security flaw. SOLUTION: Upgrade to at least JDK 1.8.0_191. |
003818 | Admin Server | The selected version of Java, JDK 1.8.0_121, contains a known security flaw. SOLUTION: Upgrade to at least JDK 1.8.0_191. |
090976 | Admin Server | Secure Mode is enabled but no auditing provider is configured in realm: myrealm. SOLUTION: Configure an auditing provider in the realm. |
090977 | Admin Server | Secure Mode is enabled but the Default Auditor logging level does not include WARNING, ERROR, and FAILURE audit records in realm: myrealm. SOLUTION: Set the appropriate logging level for the Default Auditor. |
090978 | Admin Server | User lockout settings are not secure in realm: myrealm, i.e. LockoutThreshold should not be greater than 5, LockoutDuration should not be less than 30. SOLUTION: Update the user lockout settings (LockoutThreshold, LockoutDuration) to be secure. |
090979 | Admin Server | Production Mode is enabled but unencrypted password is used in command line, i.e. system property weblogic.management.password is set. SOLUTION: Do not specify the weblogic.management.password system property when starting the server. |
090980 | Admin Server | No password validator is configured in realm: myrealm. SOLUTION: Configure a password validator. |
090980 | Managed Server | No password validator is configured in realm: myrealm. SOLUTION: Configure a password validator. |
090982 | Managed Server | Production Mode is enabled but PostBind is not enabled for machine : mymachine when unix machine is configured and port 80 < 1024 is used. SOLUTION: Enable PostBind attributes in the UnixMachine MBean. |
090983 | Admin Server | Secure Mode is enabled but the administration port is not enabled. SOLUTION: Enable the administration port. |
090985 | Admin Server | The file or directory SerializedSystemIni.dat is insecure since its permission is not a minimum of umask 027. SOLUTION: Change the file or directory permission to at most allow only write by owner, read by group. |
090985 | Admin Server | The file or directory /u01/mydomain/servers/myserver/data/ldap/ldapfiles/EmbeddedLDAP.data is insecure since its permission is not a minimum of umask 027. SOLUTION: Change the file or directory permission to at most allow only write by owner, read by group. |
090987 | Managed Server | SSLv3 is enabled by the system property {0} in secure mode. SSLv3 is vulnerable and should not be enabled. SOLUTION: Modify the system property to specify a secure TLS version such as TLSv1.2. |
090988 | Managed Server | Basic Constraints extension validation is turned off by the system property {0}=off in secure mode. SOLUTION: Modify the system property to turn on Basic Constraints extension validation, {0}=strong or {0}=true or {0}=strict. |
090989 | Managed Server | SSL hostname verification is disabled by the system property {0} in production mode. Disabling host name verification will leave the server vulnerable to man-in-the-middle attacks. SOLUTION: Remove the specified system property and ensure SSL host name verification is enabled. |
090990 | Managed Server | SSL hostname verification is disabled by the SSL configuration of server {0} in production mode. Disabling host name verification will leave the server vulnerable to man-in-the-middle attacks. SOLUTION: Enable SSL host name verification by setting the HostnameVerificationIgnored SSL MBean attribute to false. |
090991 | Managed Server | SSL hostname verification is disabled by the SSL configuration of server channel mychannel in production mode. Disabling host name verification will leave the server vulnerable to man-in-the-middle attacks. SOLUTION: Enable SSL host name verification by setting the HostnameVerificationIgnored NetworkAccessPoint MBean attribute to false. |
090992 | Managed Server | SSLv3 is enabled as the minimum TLS protocol version by the system property {0} in production mode. SSLv3 is vulnerable and should not be enabled. SOLUTION: Configure the system property with a secure TLS version such as TLSv1.2 as the minimum TLS protocol version. |
090993 | Managed Server | SSLv3 is enabled as the minimum TLS protocol version by the SSL configuration of server {0} in production mode. SSLv3 is vulnerable and should not be enabled. SOLUTION: Configure the MinimumTLSProtocolVersion SSL MBean attribute to contain a secure TLS version such as TLSv1.2. |
090995 | Managed Server | Null cipher suites are allowed by the system property {0} in secure mode. SOLUTION: Remove or modify the system property to not allow null cipher suites. |
090996 | Managed Server | Null cipher suites are allowed by the SSL configuration of server myserver in secure mode. SOLUTION: Set the AllowUnencryptedNullCipher SSL MBean attribute to false to not allow null cipher suites. |
090997 | Managed Server | Anonymous cipher suites are allowed by the system property {0} in secure mode. SOLUTION: Update the system property to not allow Anonymous cipher suites. |
090998 | Managed Server | Null cipher suites are allowed by the SSL configuration of server channel mychannel in secure mode. SOLUTION: Set the AllowUnencryptedNullCipher NetworkAccessPoint MBean attribute to false to not allow null cipher suites. |
090999 | Managed Server | TLS client initiated secure renegotiation is enabled by the SSL configuration of server myserver in production mode. SOLUTION: Set the ClientInitSecureRenegotiationAccepted SSL MBean attribute to false to disable TLS client initiated secure renegotiation. |
091000 | Managed Server | TLS client initiated secure renegotiation is enabled by the SSL configuration of server channel mychannel in secure mode. SOLUTION: Set the ClientInitSecureRenegotiationAccepted NetworkAccessPoint MBean attribute to false to disable TLS client initiated secure renegotiation. |
091001 | Managed Server | Insecure cipher suites are configured by the SSL configuration of server {0} in secure mode: {1}. SOLUTION: Remove the insecure cipher suites {1} from the CipherSuites SSL MBean attribute. |
091002 | Managed Server | Insecure cipher suites are configured by the SSL configuration of server channel {0} in secure mode: {1}. SOLUTION: Remove the insecure cipher suites {1} from the CipherSuites NetworkAccessPoint MBean attribute. |
091003 | Admin Server | Secure Mode requires that users in the Administrators group do not have obvious user names. SOLUTION: Change the user name “weblogic” so it is not a commonly used administrator name. |
091004 | Managed Server | Samples should not be installed in the WebLogic installation directory. SOLUTION: Reinstall WebLogic and do not include the samples when choosing the installation type. |
091020 | Admin Server | Certificate myserver will expire in 5 days. SOLUTION: Replace the specified certificate with a newer version. |
091023 | Admin Server | Remote Anonymous RMI T3 or IIOP requests are enabled. SOLUTION: Set the RemoteAnonymousRMIT3Enabled and RemoteAnonymousRMIIIOPEnabled attributes to false. |
091024 | Admin Server | No WebLogic Server CPU patch is applied to the Oracle home. SOLUTION: Download and apply the latest WebLogic Server CPU patch. |
091025 | Admin Server | A new version of the WebLogic Server CPU patch should be available. SOLUTION: Download and apply the latest WebLogic Server CPU patch. If extended support has ended for this version and no CPU patch is available, upgrade to a newer version of WebLogic Server. |
091026 | Admin Server | No Coherence CPU patch is applied to the Oracle home. SOLUTION: Download and apply the latest Coherence CPU patch. |
091027 | Admin Server | WebLogic Server requires the Coherence CPU patch version 13 or higher. SOLUTION: Download and apply the latest Coherence CPU patch. |

Once the issues are identified, go through each warning and follow the recommended solution to fix it. A warning may affect multiple managed instances, so it needs to be fixed on all of them; then refresh the console to check whether the warning has cleared.
A WebLogic restart may not be required for these warnings to clear.
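
For warning 090985 in the table above, the following added example (not from Oracle or from the original post) lists every file or directory under a domain home whose mode grants bits that umask 027 would have masked out (group write, or any access for others), so the same fix can be applied on each affected server before refreshing the console. The script name `audit_perms.py` and the function names are assumptions made for illustration; it only reports and changes nothing.

```python
import os
import stat
import sys

# umask 027 strips group-write and every "other" bit, so any of these bits
# present on a file or directory is what warning 090985 reports.
FORBIDDEN_BITS = 0o027


def excess_bits(mode):
    """Return the permission bits in `mode` that umask 027 would have removed."""
    return stat.S_IMODE(mode) & FORBIDDEN_BITS


def audit_tree(root):
    """Return sorted (relative path, current mode, tightened mode) tuples for
    every entry under `root` that is more permissive than umask 027."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            if excess_bits(mode):
                tightened = mode & ~FORBIDDEN_BITS
                findings.append((os.path.relpath(path, root), mode, tightened))
    return sorted(findings)


if __name__ == "__main__":
    # Hypothetical usage: python audit_perms.py /path/to/domain_home
    if len(sys.argv) != 2:
        sys.exit("usage: audit_perms.py DOMAIN_HOME")
    for rel, mode, tightened in audit_tree(sys.argv[1]):
        print("%s: mode %04o, expected at most %04o" % (rel, mode, tightened))
```
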
All of these warnings are Oracle recommendations, and whether they apply varies from application to application. Before disabling any of them, we need to assess whether the check is really not required or whether our functionality has a dependency on it.