Oracle Weblogic Server Archive

Security Vulnerability in your Web Application (CVE-2017-9805)

Researchers have identified a major security flaw (CVE-2017-9805) in the Apache Struts REST plugin. It could allow attackers to inject malicious code and either steal critical customer data or disrupt service on any server running an application built with the Struts framework and its popular REST plugin.

This vulnerability is designated CVE-2017-9805.

Versions affected: versions released since 2008.

Fix: upgrade Apache Struts to 2.3.34 or 2.5.13.

https://struts.apache.org/announce.html

Further reading:

https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement

Configuring Strong Ciphers on Linux OS

Security Vulnerabilities at IP

Environment Description:

OS: Oracle Linux 6.6              WebLogic version: 12.2.1.0

Application Server IP: 192.168.0.132        Port: 8001

After a Nessus scan, the following vulnerabilities were reported for the IP and port above:

1. SSL RC4 Cipher Suites Supported (Bar Mitzvah)
2. SSL 64-bit Block Size Cipher Suites Supported (SWEET32)
3. SSL Medium Strength Cipher Suites Supported
4. SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)

This means the cipher suites enabled on the server use weak ciphers and need to be reconfigured with stronger ones.

Check the Java version and validate the list of cipher suites it supports.

The Java version can be checked in the terminal as below:

[Screenshot: output of java -version]

Now check whether the cipher suites we are going to add to the application server configuration are supported by that Java version. The link below lists the cipher suites supported by the SunJSSE provider:

http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider

To add the cipher suites to Oracle WebLogic Server, follow the steps below.

Step 1: Go to the config folder (the directory structure may differ between environments, but the configuration is the same). For example, my directory structure is as below:

[Screenshot: WebLogic domain config directory]

Step 2: Take a backup of config.xml. This is very important, as the file holds the whole application server configuration.

[Screenshot: config.xml backup]

Step 3: Edit config.xml as below:

[Screenshot: cipher suite entries in config.xml]

Step 4: Save config.xml and restart the server.

Step 5: Rescan the IP with nmap or Nessus and you will find the vulnerabilities are gone.

Note: I have added AES (Advanced Encryption Standard) cipher suites with 128- and 256-bit encryption; you can add stronger ciphers as your security requirements demand.
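As an added check (not part of the original post), the shell script below pulls the <ciphersuite> entries out of a WebLogic <ssl> block and flags the ones that map to the four Nessus findings listed above. The two <ssl> blocks are constructed samples using standard JSSE suite names, not the author's screenshot, and the Logjam line flags finite-field DH suites rather than measuring the JVM's DH modulus size.

```shell
#!/bin/sh
# Constructed <ssl> blocks in WebLogic config.xml form. WEAK_SSL is the kind of
# mix the scan flags; STRONG_SSL is an AES-only list of the sort the post adds
# (hypothetical values, not the author's screenshot).
WEAK_SSL='<ssl>
  <enabled>true</enabled>
  <ciphersuite>SSL_RSA_WITH_RC4_128_SHA</ciphersuite>
  <ciphersuite>SSL_RSA_WITH_3DES_EDE_CBC_SHA</ciphersuite>
  <ciphersuite>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
  <listen-port>8001</listen-port>
</ssl>'
STRONG_SSL='<ssl>
  <enabled>true</enabled>
  <ciphersuite>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</ciphersuite>
  <ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
  <listen-port>8001</listen-port>
</ssl>'

# Print the suite names configured in an <ssl> block, one per line.
list_ciphers() {
  printf '%s\n' "$1" | sed -n 's/.*<ciphersuite>\(.*\)<\/ciphersuite>.*/\1/p'
}

# Map one suite name to the scan finding it would trigger; print nothing if OK.
classify_cipher() {
  case "$1" in
    *RC4*)                        echo "RC4 (Bar Mitzvah)" ;;
    *3DES*|*DES_CBC*)             echo "64-bit block cipher (SWEET32 / medium strength)" ;;
    *EXPORT*|*NULL*|*anon*|*MD5*) echo "low strength" ;;
    *_DHE_*|*_DH_*)               echo "finite-field DH (Logjam if the JVM DH modulus <= 1024)" ;;
  esac
}

# Return 0 when every configured suite is acceptable, 1 otherwise, listing hits.
check_ssl_block() {
  rc=0
  for c in $(list_ciphers "$1"); do
    reason=$(classify_cipher "$c")
    if [ -n "$reason" ]; then
      echo "WEAK: $c -> $reason"
      rc=1
    fi
  done
  return "$rc"
}

# Stand-alone run: the weak block reports three hits, the strong block none.
check_ssl_block "$WEAK_SSL" || echo "weak block: reconfigure with stronger suites"
check_ssl_block "$STRONG_SSL" && echo "strong block: no weak suites found"
```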

Cheers..!

Issue while creating datasource on Weblogic Server

Sometimes in WebLogic, adding a datasource to a cluster fails with the following error, which may be due to the process limit on the database side.

WLS Console Error
==============

Caused by: java.lang.Throwable: Substituted for the exception oracle.net.ns.NetException which lacks a String contructor, original message – Got minus one from a read call
at oracle.net.ns.Packet.receive(Packet.java:314)
at oracle.net.ns.NSProtocolStream.negotiateConnection(NSProtocolStream.java:160)
at oracle.net.ns.NSProtocol.connect(NSProtocol.java:264)
at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1452)
at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:496)
at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:666)
at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:32)
at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:566)
at weblogic.jdbc.common.internal.ConnectionEnvFactory.makeConnection0(ConnectionEnvFactory.java:286)
at weblogic.jdbc.common.internal.ConnectionEnvFactory.access$000(ConnectionEnvFactory.java:20)
at weblogic.jdbc.common.internal.ConnectionEnvFactory$1.run(ConnectionEnvFactory.java:215)
at java.security.AccessController.doPrivileged(Native Method)
at weblogic.jdbc.common.internal.ConnectionEnvFactory.makeConnection(ConnectionEnvFactory.java:212)
at weblogic.jdbc.common.internal.ConnectionEnvFactory.setConnection(ConnectionEnvFactory.java:143)
at weblogic.jdbc.common.internal.JDBCResourceFactoryImpl.createResource(JDBCResourceFactoryImpl.java:185)
at weblogic.common.resourcepool.ResourcePoolImpl.makeResources(ResourcePoolImpl.java:1356)
at weblogic.common.resourcepool.ResourcePoolImpl.makeResources(ResourcePoolImpl.java:1272)
at weblogic.common.resourcepool.ResourcePoolImpl.start(ResourcePoolImpl.java:240)
at weblogic.jdbc.common.internal.ConnectionPool.doStart(ConnectionPool.java:1754)
at weblogic.jdbc.common.internal.ConnectionPool.start(ConnectionPool.java:239)
at weblogic.jdbc.common.internal.ConnectionPoolManager.createAndStartPool(ConnectionPoolManager.java:614)
at weblogic.jdbc.common.internal.ConnectionPoolManager.createAndStartPool(ConnectionPoolManager.java:475)
at weblogic.jdbc.module.JDBCModule.prepare(JDBCModule.java:344)

DB Error
==================

oracle@host02:/u01/app/db11g/product/11.2.0/dbhome_1/dbs >sqlplus / as sysdba

SQL*Plus: Release 11.2.0.3.0 Production on Thu Apr 6 08:21:02 2017

Copyright (c) 1982, 2011, Oracle. All rights reserved.

ERROR:
ORA-00020: maximum number of processes (150) exceeded

Validation Process
======================

List the number of processes running for the DB instance:

oracle@host02:/practices/part1/practice12-02 >ps -auxf |grep orcl|wc -l
149
oracle@host02:/practices/part1/practice12-02

Check on DB level for limit
==========================
SQL> show parameter process scope=both;

NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
aq_tm_processes integer 1
cell_offload_processing boolean TRUE
db_writer_processes integer 1
gcs_server_processes integer 0
global_txn_processes integer 1
job_queue_processes integer 1000
log_archive_max_processes integer 4
processes integer 150
processor_group_name string
SQL>

Workaround
================

Increase the number of processes at the DB level (the value is written to the spfile, so it applies once the instance is restarted):

SQL> alter system set processes=500 scope=spfile;

SQL> show parameter process;

NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
aq_tm_processes integer 1
cell_offload_processing boolean TRUE
db_writer_processes integer 1
gcs_server_processes integer 0
global_txn_processes integer 1
job_queue_processes integer 1000
log_archive_max_processes integer 4
processes integer 500
processor_group_name string
SQL>

Now try to re-enable the datasource in WebLogic.

MOS Article Reference
=================
“IO Error:Got minus one from a read call”: In the Diagnostic logs (Doc ID 1995125.1)

Unable to Activate Changes in Enterprise Manager or WebLogic Console

This issue can be seen when updating a change from the console and then saving and activating it. In this case, while editing a configuration from the Enterprise Manager console, the error below appeared, and the same was seen in the AdminServer logs.

<Apr 4, 2017 9:19:34 AM PDT> <Warning> <DeploymentService> <BEA-290015> <Domain wide secret mismatch>
<Apr 4, 2017 9:20:34 AM PDT> <Warning> <DeploymentService> <BEA-290015> <Domain wide secret mismatch>

Failed-server: server2, Reason: java.rmi.RemoteException: [Deployer:149150]An IOException occurred while reading the input. : with response code '401' : with response message 'Unauthorized'

Edit-owner: principals=[weblogic, Administrators], Exclusive: false, Acquired: 1491322469714, Expire: 0

Possible Reason

1) Significant time difference between the Admin and Managed Servers

Validation

1) Check the time on both servers (Admin and Managed); if the time difference is more than 2 minutes (120 seconds), proceed further.

# date        → can be used to check the time on Unix/Linux systems

2) Check the NTP configuration:

# ntpq -pn    → lists the NTP servers, if configured.

Sample:

[root@host01 ~]# ntpq -pn
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.232.144.1    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 130.35.136.1    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
*127.127.1.0     .LOCL.          10 l   18   64  377    0.000    0.000   0.000

3) Run a time check against the NTP server to see whether it is working, using the ntpdate -dv command:

# ntpdate -dv <ntp server ip>

Sample:

[root@host01 ~]# ntpdate -dv 10.232.144.1
4 Apr 15:12:08 ntpdate[1014]: ntpdate 4.2.4p8@1.1612-o Tue Jul  6 21:50:29 UTC 2010 (1)
Looking for host 10.232.144.1 and service ntp
host found : 10.232.144.1
transmit(10.232.144.1)
transmit(10.232.144.1)
transmit(10.232.144.1)
transmit(10.232.144.1)
transmit(10.232.144.1)
10.232.144.1: Server dropped: no data
server 10.232.144.1, port 123
stratum 0, precision 0, leap 00, trust 000
refid [10.232.144.1], delay 0.00000, dispersion 64.00000
transmitted 4, in filter 4
reference time:    00000000.00000000  Wed, Feb  6 2036 22:28:16.000
originate timestamp: 00000000.00000000  Wed, Feb  6 2036 22:28:16.000
transmit timestamp:  dc8e98c6.1b00c15f  Tue, Apr  4 2017 15:12:22.105
filter delay:  0.00000  0.00000  0.00000  0.00000
               0.00000  0.00000  0.00000  0.00000
filter offset: 0.000000 0.000000 0.000000 0.000000
               0.000000 0.000000 0.000000 0.000000
delay 0.00000, dispersion 64.00000
offset 0.000000

4 Apr 15:12:23 ntpdate[1014]: no server suitable for synchronization found
[root@host01 ~]#

In this case the NTP server isn't responding, which is why there was a time difference between the WLS servers.

4) Use the ntpdate -uv command to manually sync the server with a working NTP server:

# ntpdate -uv <ntpserver ip>

[root@host01 ~]# ntpdate -uv 192.0.2.1
4 Apr 09:40:37 ntpdate[31627]: ntpdate 4.2.4p8@1.1612-o Tue Jul  6 21:50:29 UTC 2010 (1)
4 Apr 09:42:34 ntpdate[31627]: step time server 192.0.2.1 offset 116.684819 sec

Run the above command on all WLS servers to make sure the time is in sync, then run the date command to verify.

5) Now try to update the WLS settings from the admin console; it should work.
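Added example, not from the original post: two shell checks over constructed data that implement validation steps 1 and 2 above. ntp_synced parses ntpq -pn output and only accepts a selected peer that is a real server (the output above shows the host synced to its own .LOCL. clock, which is why it drifted), and clock_skew_ok compares date +%s values collected from each WLS host against the 120-second threshold. The host names, epoch values and the healthy ntpq output are hypothetical.

```shell
#!/bin/sh
# Constructed copy of the ntpq -pn output shown above: both real peers are
# unreachable (.INIT., reach 0) and only the local clock (.LOCL.) is selected.
NTPQ_BAD='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.232.144.1    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
 130.35.136.1    .INIT.          16 u    - 1024    0    0.000    0.000   0.000
*127.127.1.0     .LOCL.          10 l   18   64  377    0.000    0.000   0.000'

# Constructed healthy output (hypothetical addresses): a real peer is selected.
NTPQ_GOOD='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.1       203.0.113.5      2 u   45   64  377    0.412    1.203   0.118
+192.0.2.2       203.0.113.5      2 u   10   64  377    0.503   -0.871   0.201'

# Return 0 only if the selected (*) peer is a real server: refid is neither
# .LOCL. nor .INIT. and the reach register is non-zero. A host syncing to its
# own local clock looks synchronised in ntpq but still drifts from its peers.
ntp_synced() {
  printf '%s\n' "$1" | awk '
    /^\*/ { if ($2 != ".LOCL." && $2 != ".INIT." && $7 != 0) ok = 1 }
    END   { exit (ok ? 0 : 1) }'
}

# Constructed "host epoch" lines, as collected with `date +%s` on each WLS host.
# server2 is 116 s off (the offset ntpdate reported above); server3 is 300 s off.
CLOCKS='admin   1491322469
server1 1491322470
server2 1491322353
server3 1491322169'

# Return 0 if every host is within MAX_SKEW seconds of the admin host, else 1,
# printing each host that breaches the 120 s threshold the post uses.
MAX_SKEW=120
clock_skew_ok() {
  printf '%s\n' "$1" | awk -v max="$MAX_SKEW" '
    $1 == "admin" { ref = $2 }
    { t[$1] = $2 }
    END {
      for (h in t) {
        d = t[h] - ref; if (d < 0) d = -d
        if (d > max) { printf "SKEW: %s is %d s from admin\n", h, d; bad = 1 }
      }
      exit (bad ? 1 : 0)
    }'
}

ntp_synced "$NTPQ_BAD" || echo "ntp: no usable upstream peer, run ntpdate -uv"
clock_skew_ok "$CLOCKS" || echo "clocks: re-sync the hosts listed above"
```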

Oracle MOS References

Unable to Make Any Changes to Managed Server While It Is Running With Error “BEA-290015> Domain wide secret mismatch>”(Doc ID 2122342.1)

Unable To Lock/edit/Activate Changes from Weblogic Console with Response Message ‘Unauthorized’ (Doc ID 2240077.1)

The Activate Changes Operation for Request “xxxxxx” Could not be Completed Because the Activate Timed Out’ When Time On Managed Servers Is Out Of Sync (Doc ID 2107803.1)

How to force a NTP sync with the NTP server(s) on Oracle Linux or Oracle VM (Doc ID 2094959.1)

Creating an Oracle Wallet and Certificate Signing Request in Oracle OHS 12c Using the Command Line Interface orapki

Create a directory where you will save your wallet.

I have created a "wallet" directory under ORACLE_HOME using the following command:

mkdir /u01/oracle/wallet

Run the setDomainEnv.sh script that you will find under DOMAIN_HOME/bin:

./setDomainEnv.sh

To create a wallet under /u01/oracle/wallet, run the following command:

/u01/oracle/oracle_common/bin/orapki wallet create -wallet /u01/oracle/wallet -pwd Spring2016

Remove the default trusted certificates from the wallet using the following command:

/u01/oracle/oracle_common/bin/orapki wallet remove -trusted_cert_all -wallet /u01/oracle/wallet

Display the wallet using the following command; the wallet should now be empty:

/u01/oracle/oracle_common/bin/orapki wallet display -wallet /u01/oracle/wallet

Create the CSR using the orapki command:

/u01/oracle/oracle_common/bin/orapki wallet add -wallet /u01/oracle/wallet/ -dn "CN=host01.lucknow.com,OU=Distributed,O=Business,L=Atlanta,S=GA,C=US" -keysize 2048 -validity 1024

Export the CSR to be signed by the signing authority:

./orapki wallet export -wallet /u01/oracle/wallet -dn "CN=host01.lucknow.com,OU=Distributed,O=Business,L=Atlanta,S=GA,C=US" -request ./host01.lucknow.com.csr

Once you receive the signed certificate from your trusted authority, add that certificate to the wallet:

/u01/oracle/oracle_common/bin/orapki wallet add -wallet /u01/oracle/wallet -user_cert -cert /u01/oracle/wallet/host01.lucknow.com.txt
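Added check, not part of the original post: before the exported CSR goes to the CA, confirm that it verifies, that the CN is host01.lucknow.com and that the key is at least 2048 bits. orapki is assumed unavailable here, so openssl generates a throwaway CSR with the post's DN as a constructed stand-in for the wallet's request; on a real system, point CSR at the file exported by orapki.

```shell
#!/bin/sh
# Added check for the CSR exported in the step above: confirm its self-signature
# verifies, the CN is the one requested and the key is at least 2048 bits.
# orapki is not assumed to be installed, so a throwaway CSR with the post's DN
# is generated with openssl as a constructed stand-in for the wallet's request.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CSR="$WORK/host01.lucknow.com.csr"
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" -out "$CSR" \
  -subj "/C=US/ST=GA/L=Atlanta/O=Business/OU=Distributed/CN=host01.lucknow.com" \
  >/dev/null 2>&1

# Print the CN from the CSR subject (handles both "CN = x" and "/CN=x" output).
csr_cn() {
  openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Print the RSA key size in bits from the CSR's public key info.
csr_key_bits() {
  openssl req -in "$1" -noout -text | sed -n 's/.*Public.Key: (\([0-9]*\) bit).*/\1/p'
}

# Return 0 if the CSR verifies, the CN matches and the key meets the minimum size.
csr_check() {
  csr=$1; want_cn=$2; min_bits=$3
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || { echo "FAIL: bad CSR signature"; return 1; }
  cn=$(csr_cn "$csr"); bits=$(csr_key_bits "$csr")
  [ "$cn" = "$want_cn" ] || { echo "FAIL: CN is '$cn', expected '$want_cn'"; return 1; }
  [ "${bits:-0}" -ge "$min_bits" ] || { echo "FAIL: ${bits:-?}-bit key, need >= $min_bits"; return 1; }
  echo "OK: CN=$cn, ${bits}-bit key"
}

csr_check "$CSR" host01.lucknow.com 2048 || echo "do not send this CSR to the CA"
```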

Starting the WebLogic Administration Server Using Node Manager and WLST in 11g

1. Go to WebLogic home and set the PATH environment variable.

[Screenshot]

2. Start WLST using java weblogic.WLST

[Screenshot]

3. Now start Node Manager using the startNodeManager.sh command. You will see a message stating "INFO: Secure socket listener started on port 5556, host localhost/127.0.0.1", which means Node Manager has started on localhost.

4. Connect WLST to Node Manager using the following command. Once connected you will see a message stating "Secure socket listener started on port 5556, host localhost/127.0.0.1".

[Screenshot]

5. Using the nmConnect command, connect WLST to Node Manager. Once connected with the command below, you should get a message saying 'Successfully Connected to Node Manager'.

[Screenshot]

6. Run the following command to start the Admin Server: nmStart('MedRecAdmSvr'), as shown in the screenshot below.

[Screenshot]

7. To check the status of the Admin Server and to shut it down, this is what you will do:

[Screenshot]


Cheers!!

Parvez Ahmad