Last updated on JUNE 16, 2017
Applies to: Oracle HTTP Server - Version 10.1.2.0.2 to 10.1.3.5.0 [Release AS10gR2 to AS10gR3]
Oracle Fusion Middleware - Version 10.1.2.0.2 and later
Oracle HTTP Server - Version 18.104.22.168.0 and later
Web Cache - Version 10.1.2.0.2 to 10.1.2.3.0 [Release AS10gR2]
Web Cache - Version 22.214.171.124.0 and later
Information in this document applies to any platform.
A third-party security advisor may have run a scan against an Oracle Application Server 10g or Oracle Fusion Middleware 11g/12c deployment and reported findings such as:
"SSL Server Allows Anonymous Authentication Vulnerability"
"SSL Server Allows Weak Ciphers"
Whether weak or anonymous ciphers are offered is a configurable setting, not a fixed property of the product. A finding of this kind usually does not mean the scanner found an exploitable vulnerability, only that the listener offers cipher suites that are weak or anonymous; consult your scanning vendor for the exact check performed. Also establish which HTTP server port was scanned: the port may belong to Oracle HTTP Server or to Oracle Web Cache, and each has its own cipher configuration.
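The check a practitioner wants at this point is twofold: audit the configured cipher list offline, and confirm from the outside which listener (OHS or Web Cache) actually negotiates an anonymous or weak suite. The script below is an added example, not part of the Oracle note and not Oracle's own tooling. It assumes openssl(1) is installed, that the classification rules (anonymous key exchange; NULL, export, RC4, MD5, DES and 3DES suites) match what the scanner flags, and that the sample SSLCipherSuite value is a constructed one modelled on the kind of list an older OHS ssl.conf ships with; the port numbers in the usage line are placeholders to be replaced with the ports from your own ssl.conf and Web Cache listen configuration.

```shell
#!/bin/sh
# Added example (not from the Oracle note): audit a cipher list offline and
# probe a listener for anonymous / weak cipher negotiation with openssl(1).
# The classification below is an assumption modelled on what scanners
# typically flag; adjust it to your vendor's definition if it differs.

# classify_cipher NAME -> prints anonymous | weak | ok
# Accepts OpenSSL names (ADH-AES256-SHA, EXP-RC4-MD5) and the IANA/Oracle
# style used in OHS ssl.conf (SSL_DH_anon_WITH_RC4_128_MD5).
classify_cipher() {
  n=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
  case "$n" in
    *ANON*|ADH-*|AECDH-*) echo anonymous ;;        # no server authentication at all
    *NULL*|*EXP*|*RC4*|*MD5*|*DES*) echo weak ;;   # NULL/export/RC4/MD5/DES, and 3DES (64-bit block)
    *) echo ok ;;
  esac
}

# audit_cipher_list LIST -> prints "NAME CLASS" per suite; returns 1 if any
# suite is weak or anonymous. LIST may be comma-, colon- or space-separated,
# e.g. the value of an OHS SSLCipherSuite directive.
audit_cipher_list() {
  bad=0
  for c in $(printf '%s' "$1" | tr ',:' '  '); do
    cls=$(classify_cipher "$c")
    printf '%-40s %s\n' "$c" "$cls"
    [ "$cls" = ok ] || bad=1
  done
  return $bad
}

# probe_ciphers HOST PORT SPEC -> 0 if the server completed a handshake when
# the client offered only the OpenSSL cipher spec SPEC (aNULL, EXPORT, RC4, ...),
# 1 if it refused, 2 if the local openssl would not even offer that spec.
# Needs network access; nothing at top level calls it without arguments.
probe_ciphers() {
  out=$(printf 'Q\n' | openssl s_client -connect "$1:$2" -cipher "$3" 2>&1)
  case "$out" in
    *'no cipher match'*|*'no ciphers available'*)
      printf 'local openssl refuses spec %s; retry as "%s:@SECLEVEL=0" (OpenSSL >= 1.1)\n' "$3" "$3"
      return 2 ;;
  esac
  # s_client prints "New, <proto>, Cipher is <suite>" or "Cipher is (NONE)"
  neg=$(printf '%s\n' "$out" | sed -n 's/.*Cipher is \([^ ]*\).*/\1/p' | head -n 1)
  case "$neg" in
    ''|'(NONE)')
      printf '%s:%s does NOT accept %s\n' "$1" "$2" "$3"; return 1 ;;
    *)
      printf '%s:%s ACCEPTS %s -> negotiated %s (%s)\n' \
        "$1" "$2" "$3" "$neg" "$(classify_cipher "$neg")"; return 0 ;;
  esac
}

# Constructed sample (assumption): an SSLCipherSuite value of the kind an old
# OHS ssl.conf ships with, mixing export, DES, RC4 and MD5 suites with AES.
SAMPLE_OHS_LIST='SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA'
# The same list with everything the scanner would flag removed.
HARDENED_LIST='SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA'

echo '== sample (as-shipped style) list =='
audit_cipher_list "$SAMPLE_OHS_LIST" || echo 'RESULT: list contains weak ciphers'
echo '== hardened list =='
audit_cipher_list "$HARDENED_LIST" && echo 'RESULT: clean'

# Live check, one listener at a time. OHS and Web Cache have separate cipher
# configurations, so probe every SSL port you expose, e.g.
#   sh ciphercheck.sh ohs.example.internal 4443      (placeholder host/port)
if [ $# -ge 2 ]; then
  for spec in aNULL eNULL EXPORT LOW RC4 MD5 3DES; do
    probe_ciphers "$1" "$2" "$spec"
  done
fi
```

The offline audit tells you what the configuration offers; the live probe tells you what the scanner actually saw, which is the only way to settle which of the two listeners a finding belongs to. Against an AS10g-era server that still speaks only SSLv3 or TLS 1.0, a current openssl may fail the handshake for protocol reasons rather than cipher reasons; if every spec reports "does NOT accept", rerun s_client with `-tls1` (or lower the security level as the script suggests) before concluding the listener is clean.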
Oracle's First Recommendation
Oracle cannot comment on a third-party scanning report. Its contents should not be dismissed, but its findings should be reviewed with the third-party vendor so that an exact configuration change can be proposed, or a reproducible exploit reported to Oracle Security. Oracle's strongest recommendation is always to apply the latest Critical Patch Update for your Oracle products; these address all known, applicable and fixed vulnerabilities:
<Note 1074055.1> Security Vulnerability FAQ for Oracle Database and Fusion Middleware Products
The above document should be reviewed and its patches applied before considering the contents of this document. This document describes cipher support for Oracle products and recommends using newer and stronger ciphers where possible and where supported by your clients and applications. If a third-party vendor or security consultant recommends a specific cipher for your situation, configure it according to what is documented and supported for the given product.
To obtain the latest CPU for OHS and the other patches required for compatibility, go to http://www.oracle.com/technetwork/topics/security/alerts-086861.html, open the latest Security Advisory, then follow the "Fusion Middleware" link within it to the latest cumulative Patch Availability Document. Some of these patches also update the ciphers used for SSL.