Monday, 24 August 2020

INS-06006 GI RunInstaller Fails If OpenSSH Is Upgraded to 8.x

When attempting to configure 19c Grid Infrastructure by running <gridSetup.sh>, the following error occurs at the SSH connectivity step:

[INS-06006] Passwordless SSH connectivity not set up between the following node(s): [<racnode2>]

The error cannot be ignored, so the CRS installation fails.


However, the SSH setup reports success, the ssh <node> date command works fine for all nodes, and the CVU user-equivalence check also passes.

OpenSSH has been upgraded to 8.x. Note that OpenSSH's behaviour may differ on other platforms/OS versions; for example, on AIX OpenSSH 7.5 has this problem, and on SLES Linux 12 SP4 OpenSSH_7.2p2 has this problem.

# ssh -V
OpenSSH_8.0p1, OpenSSL 1.0.2r 24 Aug 2020
The command below may also give the above error on OpenSSH 8.0.

# scp -p <racnode2>:"'/tmp/test.txt'" /tmp/test.txt
protocol error: filename does not match request
The error can be avoided by adding the "-T" option to the command:

# scp -T -p <racnode2>:"'/tmp/test.txt'" /tmp/test.txt
test.txt 100% 2 0.1KB/s 00:00

To mitigate the risk of CVE-2019-6111, OpenSSH 8.0 adds client-side checking that the filenames sent by the server match the command-line request; if the client and server expand wildcards differently, the client may refuse files from the server. For this reason, OpenSSH 8.0 provides a new "-T" flag for scp that disables these client-side checks. For details, see https://www.openssh.com/txt/release-8.0

Workaround

Before installation, as the root user (change the path if your "scp" is not at the location used below):

# Rename the original scp.
mv /usr/bin/scp /usr/bin/scp.orig

# Create a new file </usr/bin/scp>.
vi /usr/bin/scp

# Add the two lines below to the newly created file </usr/bin/scp>.
# "$@" forwards the installer's arguments unchanged; $* would re-split any argument containing spaces.
#!/bin/sh
exec /usr/bin/scp.orig -T "$@"

# Make the wrapper read-only and executable.
chmod 555 /usr/bin/scp

After installation, restore the original scp:

mv /usr/bin/scp.orig /usr/bin/scp
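An added example, not part of the original post, that scripts the workaround above: it installs the "-T" wrapper into a bin directory of your choosing (the post uses /usr/bin), refuses to clobber an existing scp.orig backup, restores the original afterwards, and demonstrates with a constructed fake scp.orig why the wrapper must forward arguments with "$@" rather than $*.

```shell
# Install the temporary scp wrapper in $1 (the directory holding scp).
install_scp_wrapper() {
  bin=$1
  [ -x "$bin/scp" ] || return 1
  if [ -e "$bin/scp.orig" ]; then return 1; fi   # a backup already exists; do not overwrite it
  mv "$bin/scp" "$bin/scp.orig" || return 1
  cat > "$bin/scp" <<EOF
#!/bin/sh
# Temporary OpenSSH 8.x workaround: run restore_scp after the GI install.
exec "$bin/scp.orig" -T "\$@"
EOF
  chmod 555 "$bin/scp"
}

# Put the original scp back once the installation has finished.
restore_scp() {
  bin=$1
  [ -x "$bin/scp.orig" ] || return 1
  mv -f "$bin/scp.orig" "$bin/scp"
}

# Demonstration against a fake scp.orig (constructed here, not the real binary)
# that prints one argument per line, so the forwarded argv can be inspected:
# the wrapper must add -T and keep 'racnode2:/tmp/a b.txt' as one argument.
wrapper_argv_demo() {
  tmp=$(mktemp -d) || return 1
  cat > "$tmp/scp" <<'EOF'
#!/bin/sh
for a in "$@"; do printf '%s\n' "$a"; done
EOF
  chmod 755 "$tmp/scp"
  install_scp_wrapper "$tmp" || return 1
  out=$("$tmp/scp" -p 'racnode2:/tmp/a b.txt' /tmp) || return 1
  restore_scp "$tmp" && rm -rf "$tmp"
  printf '%s\n' "$out"
}
```

Run `install_scp_wrapper /usr/bin` as root before gridSetup.sh and `restore_scp /usr/bin` afterwards, so the client-side check is disabled only for the duration of the install.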

WUT-121: The file transfer has been forbidden by the Administrator



Problem: Users were not able to download files.


Solution: Edit these files and add the parameters below:


$DOMAIN_HOME/config/fmwconfig/components/FORMS/forms1/server/webutil.cfg

$DOMAIN_HOME/config/fmwconfig/components/FORMS/instances/forms1/server/webutil.cfg


transfer.database.enabled=TRUE
transfer.appsrv.enabled=TRUE
# workAreaRoot takes a directory path (the server-side work area), not a boolean
transfer.appsrv.workAreaRoot=<work_area_directory>
# With accessControl=TRUE, only the read.<n>/write.<n> directories listed below are reachable
transfer.appsrv.accessControl=TRUE
# List transfer.appsrv.read.<n> directories
transfer.appsrv.read.1=/temp
#transfer.appsrv.read.2=<location>
# List transfer.appsrv.write.<n> directories
transfer.appsrv.write.1=/temp


Database Open Access Vulnerability

Vulnerability Title: Database Open Access

Service Port: Database Listener Port

Service Name: Oracle TNS Listener

Service Protocol: tcp

Vulnerability Description

The database allows any remote system to connect to it. It is recommended to limit direct access to trusted systems, because databases may contain sensitive data and new vulnerabilities and exploits are discovered for them routinely. For this reason, it is a violation of PCI DSS section 1.3.6 to have databases listening on ports accessible from the Internet, even when protected with secure authentication mechanisms.



Solution:

Configure the database server to only allow access from trusted systems. For example, the PCI DSS standard requires you to place the database in an internal network zone, segregated from the DMZ.


Add VALIDNODE_CHECKING to the sqlnet.ora file, list the IPs allowed to connect to the database, then reload the listener and check:


$ORACLE_HOME/network/admin/sqlnet.ora

tcp.validnode_checking = yes
# Comma-separated host names, IP addresses or subnets (IPv4 wildcard or CIDR form). Every host that
# must connect has to be listed, including the database server itself and, on RAC, all cluster nodes;
# anything not listed is refused by the listener once it has been reloaded.
tcp.invited_nodes = (<trusted_host_or_ip_1>, <trusted_host_or_ip_2>)


Self-signed TLS/SSL certificate Vulnerability - Weblogic 12.2.1.4

Vulnerability Title: Self-signed TLS/SSL certificate

Service Port: 4443

Service Name: HTTPS

Service Protocol: tcp

Vulnerability Description: 

The server's TLS/SSL certificate is self-signed. Self-signed certificates cannot be trusted by default, especially because TLS/SSL man-in-the-middle attacks typically use self-signed certificates to eavesdrop on TLS/SSL connections.


Solution:

Obtain a new TLS/SSL server certificate that is NOT self-signed and install it on the server, or remove the demo certificates.

Remove these demo.cert and DemoTrust.jks files and check:


$MWH/wlserver/server/lib/DemoTrust.jks

$MWH/wlserver/server/lib/demo.cert



Click Jacking Vulnerability - Weblogic 12.2.1.4

Vulnerability Title: Click Jacking

Service Port: 4443

Service Name: HTTPS

Service Protocol: tcp

Vulnerability Description

Clickjacking, also known as a UI redress attack, is a method in which an attacker uses multiple transparent or opaque layers to trick a user into clicking a button or link on a page other than the one they believe they are clicking. Thus, the attacker is "hijacking" clicks meant for one page and routing the user to an illegitimate page.


Vulnerability Solution: Use the HTTP X-Frame-Options header. Send HTTP responses with an X-Frame-Options header that instructs the browser to refuse framing where it is not allowed.


1. Apply Patch 30418565 (FORMS LISTENER SERVLET NOT GENERATING X-FRAME-OPTIONS HTTP HEADER).


Add the SAMEORIGIN value with the X-Frame-Options header in the run-time and staging httpd.conf:

--  X-Frame-Options is available at line 1033


Header always append X-Frame-Options SAMEORIGIN


2. Run-time directory:


$DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/httpd.conf


3. Staging directory:


$DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf


Restart the service and check.
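An added example, not from the original post, for the "check" step: it inspects a captured response header block (as printed by curl -sI against the server) for X-Frame-Options. It prints the effective directive and returns 0 for a single SAMEORIGIN/DENY value, 1 when the header is missing, and 2 when differing values are present. Identical duplicates are collapsed; differing values can appear when both the Forms servlet (after patch 30418565) and the httpd.conf directive emit the header, and browsers do not apply conflicting values reliably. The sample responses are constructed, not captured from a real server.

```shell
check_xfo() {
  # $1: raw response headers, one per line (CRLF tolerated)
  values=$(printf '%s\n' "$1" | tr -d '\r' \
    | awk -F': *' 'tolower($1) == "x-frame-options" { print $2 }' \
    | tr ',' '\n' | tr -d ' \t' | tr '[:lower:]' '[:upper:]' | sed '/^$/d' | sort -u)
  if [ -z "$values" ]; then echo missing; return 1; fi
  if [ "$(printf '%s\n' "$values" | wc -l)" -ne 1 ]; then
    echo "conflict: $(printf '%s' "$values" | tr '\n' ' ')"; return 2
  fi
  case $values in
    SAMEORIGIN|DENY) echo "$values"; return 0 ;;
    *) echo "unrecognised: $values"; return 3 ;;   # e.g. the obsolete ALLOW-FROM
  esac
}

# Constructed sample responses (not captured from a real server).
xfo_sample_ok='HTTP/1.1 200 OK
Server: Oracle-HTTP-Server
X-Frame-Options: SAMEORIGIN
Content-Type: text/html'
xfo_sample_conflict='HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-Frame-Options: DENY'
xfo_sample_missing='HTTP/1.1 200 OK
Content-Type: text/html'
```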

Sunday, 23 August 2020

Browsable Web Directory Vulnerability - Weblogic 12.2.1.4

Vulnerability Title: Browsable web directory

Service Port: 4443

Service Name: HTTPS

Service Protocol: tcp

Vulnerability Description: A web directory was found to be browsable, which means that anyone can see the contents of the directory. These directories can be found:

 * via page spidering (following hyperlinks), or

 * as part of a parent path (checking each directory along the path and searching for "Directory Listing" or similar strings), or

 * by brute forcing a list of common directories.

Browsable directories could allow an attacker to perform a directory traversal attack by viewing "hidden" files in the web root, including CGI scripts, data files, or backup pages.

Vulnerability Proof: https://<*.*,*.*>:4443/OracleHTTPServer12c_files/ 


Solution:

Remove the "Indexes" option from the run-time & staging httpd.conf

-- check at line # 241


From: Options Indexes FollowSymLinks

To: Options FollowSymLinks


1. Run-time directory:

$DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/httpd.conf


2. Staging directory:

$DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf
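An added example, not from the original post, that applies the Indexes change above to one httpd.conf copy (run it once per copy listed). It strips the Indexes option from every "Options" directive rather than only the one at line 241, since each <Directory> block can carry its own, lists the affected lines first and keeps a .bak copy; the httpd.conf fragment in the demo function is constructed, not a real OHS file.

```shell
# Remove Indexes (and +Indexes) from all Options directives in $1; -Indexes is left alone.
disable_indexes() {
  conf=$1                                   # run-time or staging httpd.conf
  [ -f "$conf" ] || return 1
  cp -p "$conf" "$conf.bak"                 # original kept for roll-back
  grep -n '^[[:space:]]*Options[[:space:]].*Indexes' "$conf" || true   # lines about to change
  awk '
    /^[ \t]*Options[ \t]/ {
      match($0, /^[ \t]*/); lead = substr($0, 1, RLENGTH)   # keep indentation
      out = ""
      for (i = 2; i <= NF; i++)
        if ($i != "Indexes" && $i != "+Indexes") out = out " " $i
      if (out == "") out = " None"          # Options needs at least one argument
      $0 = lead "Options" out
    }
    { print }
  ' "$conf" > "$conf.tmp" && cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
}

# Demo on a constructed fragment; prints the rewritten file.
indexes_demo() {
  d=$(mktemp -d) || return 1
  printf '%s\n' '<Directory "/app/htdocs">' '    Options Indexes FollowSymLinks' \
    '</Directory>' 'Options +Indexes' 'Options -Indexes' > "$d/httpd.conf"
  disable_indexes "$d/httpd.conf" >/dev/null || return 1
  cat "$d/httpd.conf"
  rm -rf "$d"
}
```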


You should add the following value to the [default] section of formsweb.cfg:


3. $DOMAIN_HOME/config/fmwconfig/servers/WLS_FORMS/applications/formsapp_12.2.1/config/formsweb.cfg


#
# X-Frame-Options to resolve click-jacking
#
Set_X_Frame_Options=true


If you are not planning to use HTTPS, comment out these lines in both the run-time and staging httpd.conf files:


# Include the SSL definitions and Virtual Host container
include "ssl.conf"                        <-- comment out this line

....

IncludeOptional "moduleconf/*.conf"       <-- comment out this line



Restart the services and then test.


Weblogic 12.2.1.4 Admin Server Default Port Change


Please make the changes below to update the Admin Server port in FMW 12.2.1.4:


Step 1: Take a backup of the files below:


$DOMAIN_HOME/config/fmwconfig/servers/AdminServer/applications/em/META-INF/emoms.properties

$DOMAIN_HOME/sysman/state/targets.xml

$DOMAIN_HOME/bin/stopManagedWebLogic.sh

$DOMAIN_HOME/bin/startManagedWebLogic.sh

$DOMAIN_HOME/bin/stopWebLogic.sh


Step 2: In the WebLogic Admin Console, navigate to Environment > Servers > AdminServer > Configuration tab > General sub-tab, change the Listen Port from 7001 to 7010, and save the changes.


Step 3: Update the Admin port (7001 to 7010) in the files below:


$DOMAIN_HOME/config/fmwconfig/servers/AdminServer/applications/em/META-INF/emoms.properties

$DOMAIN_HOME/sysman/state/targets.xml

$DOMAIN_HOME/bin/stopManagedWebLogic.sh

$DOMAIN_HOME/bin/startManagedWebLogic.sh

$DOMAIN_HOME/bin/stopWebLogic.sh


Step 4: Run $DOMAIN_HOME/bin/setDomainEnv.sh


Step 5: Restart your Admin Server and test the Weblogic Console URL and EM Console URL.


Admin Server Failure To Start With Error BEA-000362 Server failed

There are 1 nested errors:

weblogic.management.DeploymentException: java.io.IOException: Error from fcntl() for file locking, Resource temporarily unavailable, errno=11


Solution: 

Remove these *.lok files and then try to start again:

$DOMAIN_HOME/edit.lok
$DOMAIN_HOME/config/lifecycle-config.xml.lok
$DOMAIN_HOME/config/ovd/default/ovd.lok
$DOMAIN_HOME/servers/AdminServer/tmp/AdminServer.lok
$DOMAIN_HOME/servers/WLS_FORMS/tmp/WLS_FORMS.lok
$DOMAIN_HOME/servers/WLS_REPORTS/tmp/WLS_REPORTS.lok
$DOMAIN_HOME/tmp/<filename>.lok

# Run from $DOMAIN_HOME, after confirming no AdminServer/managed-server JVM is still running
# (errno=11 on fcntl() means another live process holds the lock).
find . -name "*.lok" -exec rm -f {} \;


$DOMAIN_HOME/servers/AdminServer/data/store/default/_WLS_ADMINSERVER000000.DAT
$DOMAIN_HOME/servers/AdminServer/data/store/diagnostics/WLS_DIAGNOSTICS000000.DAT
$DOMAIN_HOME/servers/WLS_FORMS/data/store/default/_WLS_WLS_FORMS000000.DAT
$DOMAIN_HOME/servers/WLS_FORMS/data/store/diagnostics/WLS_DIAGNOSTICS000000.DAT
$DOMAIN_HOME/servers/WLS_REPORTS/data/store/default/_WLS_WLS_REPORTS000000.DAT
$DOMAIN_HOME/servers/WLS_REPORTS/data/store/diagnostics/WLS_DIAGNOSTICS000000.DAT



# util-linux rename syntax: rename <expression> <replacement> <file>. These are WebLogic persistent-store
# files; the servers create fresh stores on restart, so anything persisted in the old ones (e.g. JMS
# messages) is left behind. Keep the _OLD copies.
find . -name "*.DAT" -exec rename '.DAT' '.DAT_OLD' {} \;