WBLC-08-000236 - Oracle WebLogic must protect against or limit the effects of HTTP types of Denial of Service (DoS) attacks.

Information

Employing increased capacity and bandwidth combined with service redundancy can reduce the susceptibility to some DoS attacks. When utilizing an application server in a high risk environment (such as a DMZ), the amount of access to the system from various sources usually increases, as does the system's risk of becoming more susceptible to DoS attacks.

The application server must be able to be configured to withstand or minimize the risk of DoS attacks. This can be partially achieved if the application server provides configuration options that limit the number of allowed concurrent HTTP connections.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

1. Access AC
2. From 'Domain Structure', select 'Deployments'
3. Sort 'Deployments' table by 'Type' by click the column header
4. Select an 'Enterprise Application' or 'Web Application' to check the session timeout setting
5. Select 'Configuration' tab -> 'Application' tab for deployments of 'Enterprise Application' type
Select 'Configuration' tab -> 'General' tab for deployments of 'Web Application' type
6. Utilize 'Change Center' to create a new change session
7. Set value in 'Maximum in-memory Session' field value to an integer value at or lower than an acceptable maximum number of HTTP sessions. Click 'Save'
8. Repeat steps 4-7 for each 'Enterprise Application' and 'Web Application' deployment

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_WebLogic_Server_12c_V2R1_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5, CAT|II, CCI|CCI-002385, Rule-ID|SV-235989r628745_rule, STIG-ID|WBLC-08-000236, STIG-Legacy|SV-70591, STIG-Legacy|V-56337, Vuln-ID|V-235989

Plugin: Windows

Control ID: faed7575ff76ff18df4e695dc36ff46340e9c7dc73e0c4f9efacedc0662689ea