If a third-party vendor or security consultant recommends a specific cipher for your situation, you may configure these according to what is documented/supported for a given product.
The contents of this document provides cipher support for Oracle products and recommends using newer and stronger ciphers where possible and supported by your clients and applications. The above document should be reviewed and patches applied before considering the contents of this document. Security Vulnerability FAQ for Oracle Database and Fusion Middleware Products These will address all known, applicable and fixed vulnerabilities:
Oracle 10g vulnerabilities update#
Oracle's strongest recommendation is to always apply the latest Critical Patch Update for your Oracle products. Its contents should not be minimized, but its suggestions should be reviewed with the third-party vendor in order to provide an exact configuration suggestion or an action to report an reproducible exploit to Oracle Security. Oracle cannot comment on any third-party scanning report. Ensure it is known what http server port is being checked, as this can be checking the Oracle HTTP Server or Oracle Web Cache, each with separate cipher configurations. Consult your scanning vendor for exact details. A security check may not be checking for a vulnerability, but the possibility that weak or anonymous ciphers are used.
Restricting weak or anonymous ciphers is actually a configurable setting. Information in this document applies to any platform.Ī third-party security adviser may have run a scan against a given Oracle Application Server 10g or Oracle Fusion Middleware 11g/12c architecture, and advice like the following may have been issued: "SSL Server Allows Anonymous Authentication Vulnerability" Oracle HTTP Server - Version 11.1.1.2.0 and later Oracle Fusion Middleware - Version 10.1.2.0.2 and later Restricting Anonymous or Weak Ciphers in SSL (HTTPS) for Oracle Fusion Middleware 10g/11g/12c
0 kommentar(er)
