STIGQter: STIG Summary: Oracle HTTP Server 12.1.3 Security Technical Implementation Guide Version: 1 Release: 7 Benchmark Date: 24 Jul 2020

OHS must have production information removed from error documents to minimize the identity of OHS, patches, loaded modules, and directory paths in warning and error messages displayed to clients.

DISA Rule

SV-78979r1_rule

Vulnerability Number

V-64489

Group Title

SRG-APP-000266-WSR-000159

Rule Version

OH12-1X-000352

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

1. Go to the directory specified by the "Alias /error/" directive in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf. (e.g., cd $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/error).

2. Change the extension of each file located in $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/error from .html.var to .html (e.g., mv HTTP_NOT_FOUND.html.var HTTP_NOT_FOUND_en.html).

3. Modify the content of each file to be static such that mod_include and mod_negotiation are not needed and that no OHS product information is discernable by a user encountering the error.

4. Set the appropriate "ErrorDocument" directives in $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf to reference the appropriate file in $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/httpd.conf; add the directives if they do not exist.

Check Contents

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.

2. Search for the "Alias /error/ "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/error/"", "Directory "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/error"", and "ErrorDocument" directives at the OHS server, virtual host, and directory configuration scopes.

3. For every file specified by an "ErrorDocument" directive, check the file exists and its contents to determine whether any OHS product information is present.

4. If OHS product information is present in the file(s), this is a finding.
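
The check steps above can be scripted. The following is an added example, not part of the STIG or of Oracle's tooling: it scans one .conf file for "Alias" and "ErrorDocument" directives, resolves each local target through the alias, and flags missing files, .var type maps, and content matching a marker list. The function names, the marker regex, and the sample layout built by demo() are assumptions for illustration; run it once for httpd.conf and once for each included .conf file.

```python
import re
import tempfile
from pathlib import Path

# Assumed markers of product information or SSI; not from the STIG, tune per site.
PRODUCT_MARKERS = re.compile(r"Oracle|\bOHS\b|Apache|<!--#", re.I)
# Anchored at line start, so commented-out directives are ignored.
DIRECTIVE = re.compile(
    r"^[ \t]*(Alias|ErrorDocument)[ \t]+(\S+)[ \t]+(.+?)[ \t]*$", re.I | re.M)

def audit_error_documents(conf_path, variables):
    """Return (status_code, target, reason) findings for one .conf file."""
    aliases, docs, findings = {}, [], []
    for m in DIRECTIVE.finditer(Path(conf_path).read_text()):
        name, arg1, arg2 = m.group(1).lower(), m.group(2), m.group(3).strip('"')
        if name == "alias":
            for var, val in variables.items():  # expand ${VAR} references
                arg2 = arg2.replace("${%s}" % var, val)
            aliases[arg1] = arg2
        else:
            docs.append((arg1, arg2))  # matched at any scope (server, vhost, dir)
    for code, target in docs:
        if not target.startswith("/"):
            continue  # inline text or external URL: review by hand
        if target.endswith(".var"):
            findings.append((code, target, "type map still requires mod_negotiation"))
        path = next((Path(d) / target[len(a):].lstrip("/")
                     for a, d in aliases.items() if target.startswith(a)), None)
        if path is None or not path.is_file():
            findings.append((code, target, "file not found under an Alias"))
        elif PRODUCT_MARKERS.search(path.read_text(errors="replace")):
            findings.append((code, target, "product information or SSI present"))
    return findings

def demo():
    """Audit a constructed instance layout built in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        err = Path(root, "error")
        err.mkdir()
        (err / "HTTP_NOT_FOUND_en.html").write_text("<h1>Not found</h1>")
        (err / "HTTP_FORBIDDEN_en.html").write_text(
            '<h1>Forbidden</h1><!--#echo var="SERVER_SOFTWARE" -->')
        conf = Path(root, "httpd.conf")
        conf.write_text(
            'Alias /error/ "${ORACLE_INSTANCE}/error/"\n'
            "ErrorDocument 404 /error/HTTP_NOT_FOUND_en.html\n"
            "ErrorDocument 403 /error/HTTP_FORBIDDEN_en.html\n"
            "<VirtualHost *:443>\n"
            "  ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var\n"
            "</VirtualHost>\n")
        return audit_error_documents(conf, {"ORACLE_INSTANCE": root})
```

An empty result means every local "ErrorDocument" target exists, is static, and matched none of the assumed markers; a reviewer should still read the files, since the marker list cannot cover every site-specific string.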

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2753

Comments