I applied the 11.2.0.4.8 PSU (and the latest JavaVM 11.20.0.4.5) to my Oracle Standard Edition 11.2.0.4 and a simple test with testssl.sh shows a lot of vulnerabilities on the Enterprise Manager port.
Part of the output:
SSLv3 offered (NOT ok)
TLS 1.2 not offered (NOT ok)
Medium grade encryption offered (NOT ok)
Triple DES Ciphers offered (NOT ok)
High grade encryption not offered (NOT ok)
Not OK: No ciphers supporting Forward Secrecy offered
Has server cipher order? nope (NOT ok)
Negotiated protocol TLSv1
Negotiated cipher RC4-SHA (limited sense as client will pick)
Negotiated cipher per proto (limited sense as client will pick)
RC4-SHA: SSLv3, TLSv1
Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threat
POODLE, SSL (CVE-2014-3566) VULNERABLE (NOT ok), uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)
TLS_FALLBACK_SCSV (RFC 7507), experim. Downgrade attack prevention NOT supported
BEAST (CVE-2011-3389) SSL3: DES-CBC3-SHA
TLS1: DES-CBC3-SHA
VULNERABLE (NOT ok) -- and no higher protocols as mitigation supported
RC4 (CVE-2013-2566, CVE-2015-2808) VULNERABLE (NOT ok): RC4-SHA RC4-MD5 RC4-MD5
The tool I used:
https://github.com/drwetter/testssl.sh
How can I configure Enterprise Manager to only use TLSv1 and not SSLv3?
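Whatever the configuration fix turns out to be, the scan above is what a before/after comparison will be run against, and testssl.sh prints its verdicts as free text with several different failure markers. The following is an added example (not code from the question, from testssl.sh or from Oracle) that parses output in the format pasted above into a structured report and maps it to the changes the findings call for. The input is a constructed copy of the findings in the question; the report fields, the `remediation()` step wording and the weak-cipher name list are assumptions of this example, and it goes slightly beyond the question by also flagging TLS 1.1/1.2 as "enable" targets rather than stopping at TLSv1.

```python
"""Triage parser for testssl.sh text output (added example, not from the post).

Turns the flat findings list into a structured report so a rerun against the
Enterprise Manager port after reconfiguration can be compared mechanically.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed input: the findings pasted in the question, copied as printed.
SAMPLE_OUTPUT = """\
SSLv3 offered (NOT ok)
TLS 1.2 not offered (NOT ok)
Medium grade encryption offered (NOT ok)
Triple DES Ciphers offered (NOT ok)
High grade encryption not offered (NOT ok)
Not OK: No ciphers supporting Forward Secrecy offered
Has server cipher order? nope (NOT ok)
Negotiated protocol TLSv1
Negotiated cipher RC4-SHA (limited sense as client will pick)
Negotiated cipher per proto (limited sense as client will pick)
RC4-SHA: SSLv3, TLSv1
Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threat
POODLE, SSL (CVE-2014-3566) VULNERABLE (NOT ok), uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)
TLS_FALLBACK_SCSV (RFC 7507), experim. Downgrade attack prevention NOT supported
BEAST (CVE-2011-3389) SSL3: DES-CBC3-SHA
TLS1: DES-CBC3-SHA
VULNERABLE (NOT ok) -- and no higher protocols as mitigation supported
RC4 (CVE-2013-2566, CVE-2015-2808) VULNERABLE (NOT ok): RC4-SHA RC4-MD5 RC4-MD5
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Matches "SSLv3 offered (NOT ok)" and "TLS 1.2 not offered (NOT ok)".
PROTO_RE = re.compile(r"^(SSLv2|SSLv3|TLS 1(?:\.[123])?)\s+(not\s+)?offered")
NEGOTIATED_RE = re.compile(r"^Negotiated protocol\s+(\S+)")
# OpenSSL-style suite names that should not appear on a management port
# (assumed list for this example: RC4, 3DES, export, NULL and anonymous DH).
WEAK_CIPHER_RE = re.compile(r"\b(?:RC4|DES-CBC3|EXP|NULL|ADH|AECDH)-[A-Z0-9-]+")


@dataclass
class Report:
    protocols: Dict[str, bool] = field(default_factory=dict)  # "SSLv3" -> offered?
    negotiated_protocol: Optional[str] = None
    weak_ciphers: Set[str] = field(default_factory=set)
    cves: Set[str] = field(default_factory=set)
    not_ok: List[str] = field(default_factory=list)  # raw failing lines
    server_cipher_order: Optional[bool] = None
    fallback_scsv: Optional[bool] = None


def is_not_ok(line: str) -> bool:
    """testssl.sh marks failures in several ways; treat them all as findings."""
    return ("(NOT ok)" in line or line.startswith("Not OK")
            or "VULNERABLE" in line or "NOT supported" in line)


def parse_findings(text: str) -> Report:
    """Build a Report from one testssl.sh run (text as printed by the tool)."""
    r = Report()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := PROTO_RE.match(line):
            r.protocols[m.group(1)] = m.group(2) is None  # "not offered" -> False
        if m := NEGOTIATED_RE.match(line):
            r.negotiated_protocol = m.group(1)
        if line.startswith("Has server cipher order?"):
            r.server_cipher_order = "nope" not in line
        if line.startswith("TLS_FALLBACK_SCSV"):
            r.fallback_scsv = "NOT supported" not in line
        r.weak_ciphers.update(WEAK_CIPHER_RE.findall(line))
        r.cves.update(CVE_RE.findall(line))
        if is_not_ok(line):
            r.not_ok.append(line)
    return r


def remediation(r: Report) -> List[str]:
    """Map the structured findings to the configuration changes they call for."""
    steps = []
    for proto in ("SSLv2", "SSLv3"):
        if r.protocols.get(proto):
            steps.append(f"disable {proto}")
    for proto in ("TLS 1.1", "TLS 1.2"):
        if r.protocols.get(proto) is False:
            steps.append(f"enable {proto}")
    rc4 = sorted(c for c in r.weak_ciphers if c.startswith("RC4-"))
    if rc4:
        steps.append("remove RC4 suites: " + " ".join(rc4))
    tdes = sorted(c for c in r.weak_ciphers if "DES-CBC3" in c)
    if tdes:
        steps.append("remove 3DES suites: " + " ".join(tdes))
    if r.server_cipher_order is False:
        steps.append("enforce server-side cipher order")
    if r.fallback_scsv is False and r.protocols.get("SSLv3"):
        steps.append("no TLS_FALLBACK_SCSV: downgrade to SSLv3 stays possible until SSLv3 is off")
    return steps


if __name__ == "__main__":
    report = parse_findings(SAMPLE_OUTPUT)
    print(f"{len(report.not_ok)} failing checks, CVEs: {sorted(report.cves)}")
    for step in remediation(report):
        print(" -", step)
```

Feed it the output of two runs (before and after the Enterprise Manager change) and diff `remediation()`; the "disable SSLv3" step disappearing while "enable TLS 1.2" remains is exactly the TLSv1-only end state the question asks for.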