VMware vSphere 6.7 Virgo-Client Security Technical Implementation Guide

  • Version/Release: V1R2
  • Published: 2023-06-20
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected].
b
vSphere Client must limit the amount of time that each TCP connection is kept alive.
AC-10 - Medium - CCI-000054 - V-239743 - SV-239743r879511_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
VCFL-67-000001
Vuln IDs
  • V-239743
Rule IDs
  • SV-239743r879511_rule
Denial of service (DoS) is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resources are available to satisfy legitimate requests. In Virgo, the "connectionTimeout" attribute sets the number of milliseconds the server will wait after accepting a connection for the request URI line to be presented. This timeout will also be used when reading the request body (if any). This prevents idle sockets that are not sending HTTP requests from consuming system resources and potentially denying new connections. Satisfies: SRG-APP-000001-WSR-000001, SRG-APP-000435-WSR-000148
Checks: C-42976r679454_chk

At the command prompt, execute the following command: # xmllint --format --xpath '/Server/Service/Connector[@port="9090"]/@connectionTimeout' /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml Expected result: connectionTimeout="20000" If the output does not match the expected result, this is a finding.

Fix: F-42935r679455_fix

Navigate to and open /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml. Configure each <Connector> node with the following: connectionTimeout="20000"

b
vSphere Client must limit the number of concurrent connections permitted.
AC-10 - Medium - CCI-000054 - V-239744 - SV-239744r879511_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
VCFL-67-000002
Vuln IDs
  • V-239744
Rule IDs
  • SV-239744r879511_rule
Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a website, facilitating a denial-of-service attack. Unless the number of requests is controlled, the web server can consume enough system resources to cause a system crash. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests. In Virgo, each incoming request requires a thread for the duration of that request. If more simultaneous requests are received than can be handled by the currently available request processing threads, additional threads will be created up to the value of the "maxThreads" attribute.
Checks: C-42977r679457_chk

At the command prompt, execute the following command: # xmllint --format --xpath '/Server/Service/Connector/@maxThreads' /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml Expected result: maxThreads="800" maxThreads="800" If the output does not match the expected result, this is a finding.

Fix: F-42936r679458_fix

Navigate to and open /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml. Configure each <Connector> node with the following: maxThreads="800"

b
vSphere Client must limit the maximum size of a POST request.
AC-10 - Medium - CCI-000054 - V-239745 - SV-239745r879511_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
VCFL-67-000003
Vuln IDs
  • V-239745
Rule IDs
  • SV-239745r879511_rule
The "maxPostSize" value is the maximum size in bytes of the POST that will be handled by the container FORM URL parameter parsing. Limit its size to reduce exposure to a denial-of-service attack. If "maxPostSize" is not set, the default value of 2097152 (2MB) is used. Security Token Service is configured in its shipping state to not set a value for "maxPostSize".
Checks: C-42978r679460_chk

At the command prompt, execute the following command: # xmllint --format --xpath '/Server/Service/Connector/@maxPostSize' /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml Expected result: XPath set is empty If the output does not match the expected result, this is a finding.

Fix: F-42937r679461_fix

Navigate to and open /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml. Navigate to each of the <Connector> nodes. Remove any configuration for "maxPostSize".

b
vSphere Client must protect cookies from XSS.
AC-10 - Medium - CCI-000054 - V-239746 - SV-239746r879511_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
VCFL-67-000004
Vuln IDs
  • V-239746
Rule IDs
  • SV-239746r879511_rule
Cookies are a common way to save session state over the HTTP(S) protocol. If an attacker can compromise session data stored in a cookie, they are better able to launch an attack against the server and its applications. When a cookie is tagged with the "HttpOnly" flag, it tells the browser that this particular cookie should only be accessed by the originating server. Any attempt to access the cookie from client script is strictly forbidden. Satisfies: SRG-APP-000001-WSR-000002, SRG-APP-000223-WSR-000011, SRG-APP-000439-WSR-000154
Checks: C-42979r679463_chk

At the command prompt, execute the following command: # xmllint --xpath '/Context/@useHttpOnly' /usr/lib/vmware-vsphere-client/server/configuration/context.xml Expected result: useHttpOnly="true" If the output does not match the expected result, this is a finding.

Fix: F-42938r679464_fix

Navigate to and open /usr/lib/vmware-vsphere-client/server/configuration/context.xml. Configure the <Context> node as follows: <Context useHttpOnly="true">

c
vSphere Client must be configured with FIPS 140-2 compliant ciphers for HTTPS connections.
AC-17 - High - CCI-000068 - V-239747 - SV-239747r879519_rule
RMF Control
AC-17
Severity
High
CCI
CCI-000068
Version
VCFL-67-000005
Vuln IDs
  • V-239747
Rule IDs
  • SV-239747r879519_rule
Encryption of data in flight is an essential element of protecting information confidentiality. If a web server uses weak or outdated encryption algorithms, the server's communications can potentially be compromised. The US Federal Information Processing Standards (FIPS) publication 140-2, Security Requirements for Cryptographic Modules (FIPS 140-2), approved ciphers provide the maximum level of encryption possible for a private web server. The Tomcat connector listening on 9443 comes preconfigured with appropriate FIPS ciphers by default, but this must be verified. Satisfies: SRG-APP-000014-WSR-000006, SRG-APP-000179-WSR-000110, SRG-APP-000439-WSR-000188
Checks: C-42980r679466_chk

At the command prompt, execute the following command: # xmllint --format --xpath '/Server/Service/Connector[@port=9443]/SSLHostConfig/@ciphers' /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml Expected result: ciphers="TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA" If the output does not match the expected result, this is a finding.

Fix: F-42939r679467_fix

Navigate to and open /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml. Ensure that the SSLHostConfig contains the following value: ciphers="TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"

c
vSphere Client must be configured to enable SSL/TLS.
IA-5 - High - CCI-000197 - V-239748 - SV-239748r879520_rule
RMF Control
IA-5
Severity
High
CCI
CCI-000197
Version
VCFL-67-000006
Vuln IDs
  • V-239748
Rule IDs
  • SV-239748r879520_rule
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session. HTTP connections in Virgo are managed through the Connector object. The vSphere Client endpoint has two connectors. One is behind a reverse proxy, which terminates TLS, and the other is serving SSL/TLS natively on 9443. The first will be addressed in a separate STIG, while this control addresses ensuring SSL/TLS is enabled on the 9443 connector. Satisfies: SRG-APP-000015-WSR-000014, SRG-APP-000172-WSR-000104, SRG-APP-000315-WSR-000004, SRG-APP-000439-WSR-000151, SRG-APP-000439-WSR-000152, SRG-APP-000439-WSR-000156, SRG-APP-000442-WSR-000182
Checks: C-42981r679469_chk

At the command prompt, execute the following command: # xmllint --format --xpath '/Server/Service/Connector[@port=9443]/@SSLEnabled' /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml Expected result: SSLEnabled="true" If the output does not match the expected result, this is a finding.

Fix: F-42940r679470_fix

Navigate to and open /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml. Ensure that the <Connector> node with 'port=9443' contains the following value: SSLEnabled="true"

c
vSphere Client must be configured to only communicate over TLS 1.2.
AC-17 - High - CCI-001453 - V-239749 - SV-239749r879520_rule
RMF Control
AC-17
Severity
High
CCI
CCI-001453
Version
VCFL-67-000007
Vuln IDs
  • V-239749
Rule IDs
  • SV-239749r879520_rule
Data exchanged between the user and the web server can range from static display data to credentials used to log in to the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session. HTTP connections in Virgo are managed through the Connector object. The vSphere Client endpoint has two connectors. One is behind a reverse proxy that terminates TLS and the other is serving TLS natively on 9443. The first will be addressed in a separate STIG, while this control addresses ensuring TLS is enabled on the 9443 connector.
Checks: C-42982r679472_chk

At the command prompt, execute the following command: # xmllint --format --xpath '/Server/Service/Connector[@port=9443]/SSLHostConfig/@protocols' /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml Expected result: protocols="TLSv1.2" If the output does not match the expected result, this is a finding.

Fix: F-42941r679473_fix

Navigate to and open /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml. Ensure that the <SSLHostConfig> node contains the following value: protocols="TLSv1.2"

b
vSphere Client must be configured to use the HTTPS scheme.
AC-17 - Medium - CCI-001453 - V-239750 - SV-239750r879520_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-001453
Version
VCFL-67-000008
Vuln IDs
  • V-239750
Rule IDs
  • SV-239750r879520_rule
Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted system relationships. The integrity of all the data being exchanged between the user and web server must always be trusted. To protect the integrity and trust, encryption methods should be used to protect the complete communication session. HTTP connections in Virgo are managed through the Connector object. The vSphere Client endpoint has two connectors. One is behind a reverse proxy that terminates TLS and the other is serving TLS natively on 9443. The first will be addressed in a separate STIG, while this control addresses ensuring TLS is enabled on the 9443 connector.
Checks: C-42983r679475_chk

At the command prompt, execute the following command: # xmllint --format --xpath '/Server/Service/Connector[@port=9443]/@scheme' /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml Expected result: scheme="https" If the output does not match the expected result, this is a finding.

Fix: F-42942r679476_fix

Navigate to and open /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml. Ensure that the <Connector> node with 'port=9443' contains the following value: scheme="https"

b
vSphere Client must record user access in a format that enables monitoring of remote access.
AC-17 - Medium - CCI-000067 - V-239751 - SV-239751r879521_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000067
Version
VCFL-67-000009
Vuln IDs
  • V-239751
Rule IDs
  • SV-239751r879521_rule
Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine the attacker's location, intent, and degree of success. Virgo can be configured with an "AccessLogValve", a component that can be inserted into the request processing pipeline to provide robust access logging. The AccessLogValve creates log files in the same format as those created by standard web servers. When AccessLogValve is properly configured, log files will contain all the forensic information necessary in the case of a security incident. Satisfies: SRG-APP-000016-WSR-000005, SRG-APP-000089-WSR-000047, SRG-APP-000092-WSR-000055, SRG-APP-000095-WSR-000056, SRG-APP-000096-WSR-000057, SRG-APP-000097-WSR-000058, SRG-APP-000098-WSR-000059, SRG-APP-000098-WSR-000060, SRG-APP-000099-WSR-000061, SRG-APP-000100-WSR-000064, SRG-APP-000374-WSR-000172, SRG-APP-000375-WSR-000171
Checks: C-42984r679478_chk

At the command prompt, execute the following command: # xmllint --format /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml | sed '2 s/xmlns=".*"//g' | xmllint --xpath '/Server/Service/Engine/Host/Valve[@className="org.apache.catalina.valves.AccessLogValve"]'/@pattern - Expected result: pattern="%h %{x-forwarded-for}i %l %u %t &amp;quot;%r&amp;quot; %s %b %{#hashedSessionId#}s %I %D" If the output does not match the expected result, this is a finding.

Fix: F-42943r679479_fix

Navigate to and open /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml. Ensure the log pattern in the "org.apache.catalina.valves.AccessLogValve" node is set to the following: pattern="%h %{x-forwarded-for}i %l %u %t &quot;%r&quot; %s %b %{#hashedSessionId#}s %I %D"

b
vSphere Client must generate log records during Java startup and shutdown.
AU-12 - Medium - CCI-000169 - V-239752 - SV-239752r879559_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000169
Version
VCFL-67-000010
Vuln IDs
  • V-239752
Rule IDs
  • SV-239752r879559_rule
Logging must be started as soon as possible when a service starts and when a service is stopped. Many forms of suspicious actions can be detected by analyzing logs for unexpected service starts and stops. Also, by starting to log immediately after a service starts, it becomes more difficult for suspicious activity to go unlogged. On the VCSA, the vmware-vmon service starts up the JVMs for various vCenter processes, including vSphere Client, and the individual json config files control the early jvm logging. Ensuring these json files are configured correctly enables early Java stdout and stderr logging.
Checks: C-42985r679481_chk

At the command prompt, execute the following command: # grep StreamRedirectFile /etc/vmware/vmware-vmon/svcCfgfiles/vsphere-client.json Expected result: "StreamRedirectFile": "%VMWARE_LOG_DIR%/vmware/vsphere-client/logs/vsphere-client-runtime.log", If there is no log file specified for the "StreamRedirectFile" setting, this is a finding.

Fix: F-42944r679482_fix

Navigate to and open /etc/vmware/vmware-vmon/svcCfgfiles/vsphere-client.json. Below the last line of the "PreStartCommandArg" block, add the following line: "StreamRedirectFile": "%VMWARE_LOG_DIR%/vmware/vsphere-client/logs/vsphere-client-runtime.log", Restart the appliance for changes to take effect.

b
vSphere Client application files must be verified for their integrity.
CM-5 - Medium - CCI-001749 - V-239753 - SV-239753r879584_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001749
Version
VCFL-67-000012
Vuln IDs
  • V-239753
Rule IDs
  • SV-239753r879584_rule
Verifying that vSphere Client application code is unchanged from its shipping state is essential for file validation and non-repudiation of vSphere Client. There is no reason that the MD5 hash of the rpm original files should be changed after installation, excluding configuration files.
Checks: C-42986r679484_chk

At the command prompt, execute the following command: # rpm -V vsphere-client|grep "^..5......"|grep -E "\.war|\.jar|\.sh|\.py" If there is any output, this is a finding.

Fix: F-42945r679485_fix

Reinstall the VCSA or roll back to a snapshot. Modifying the vSphere Client installation files manually is not supported by VMware.

b
vSphere Client must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.
CM-7 - Medium - CCI-000381 - V-239754 - SV-239754r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCFL-67-000013
Vuln IDs
  • V-239754
Rule IDs
  • SV-239754r879587_rule
MIME mappings tell vSphere Client what type of program various file types and extensions are and what external utilities or programs are needed to execute the file type.  By ensuring that various shell script MIME types are not included in web.xml, the server is protected against malicious users tricking the server into executing shell command files.
Checks: C-42987r679487_chk

At the command prompt, execute the following command: # grep -En '(x-csh&lt;)|(x-sh&lt;)|(x-shar&lt;)|(x-ksh&lt;)' /usr/lib/vmware-vsphere-client/server/configuration/conf/web.xml If the command produces any output, this is a finding.

Fix: F-42946r679488_fix

Open /usr/lib/vmware-vsphere-client/server/configuration/conf/web.xml in a text editor. Remove any and all of the following nodes lines: <mime-type>application/x-csh</mime-type> <mime-type>application/x-shar</mime-type> <mime-type>application/x-sh</mime-type> <mime-type>application/x-ksh</mime-type>

b
vSphere Client must have mappings set for Java servlet pages.
CM-7 - Medium - CCI-000381 - V-239755 - SV-239755r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCFL-67-000014
Vuln IDs
  • V-239755
Rule IDs
  • SV-239755r879587_rule
Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and identify which file types are not to be delivered to a client. By not specifying which files can and cannot be served to a user, the web server could deliver to a user web server configuration files, log files, password files, etc. As Virgo is a Java-based web server, the main file extension used is *.jsp. This check ensures that the *.jsp and *.jspx file types has been properly mapped to servlets.
Checks: C-42988r679490_chk

At the command prompt, execute the following command: # xmllint --format /usr/lib/vmware-vsphere-client/server/configuration/conf/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '/web-app/servlet-mapping/servlet-name[text()="jsp"]/parent::servlet-mapping' - Expected result: &lt;servlet-mapping&gt; &lt;servlet-name&gt;jsp&lt;/servlet-name&gt; &lt;url-pattern&gt;*.jsp&lt;/url-pattern&gt; &lt;url-pattern&gt;*.jspx&lt;/url-pattern&gt; &lt;/servlet-mapping&gt; If the output of the command does not match the expected result, this is a finding.

Fix: F-42947r679491_fix

Navigate to and open /usr/lib/vmware-vsphere-client/server/configuration/conf/web.xml. Navigate to and locate the mapping for the JSP servlet. It is the <servlet-mapping> node that contains <servlet-name>jsp</servlet-name>. Configure the <servlet-mapping> node to look like the code snippet below:    <!-- The mappings for the JSP servlet -->    <servlet-mapping>        <servlet-name>jsp</servlet-name>        <url-pattern>*.jsp</url-pattern>        <url-pattern>*.jspx</url-pattern>    </servlet-mapping>

b
vSphere Client must not have the Web Distributed Authoring (WebDAV) servlet installed.
CM-7 - Medium - CCI-000381 - V-239756 - SV-239756r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCFL-67-000015
Vuln IDs
  • V-239756
Rule IDs
  • SV-239756r879587_rule
WebDAV is an extension to the HTTP protocol that, when developed, was meant to allow users to create, change, and move documents on a server, typically a web server or web share. WebDAV is not widely used and has serious security concerns because it may allow clients to modify unauthorized files on the web server and must therefore be disabled. Because the WebDAV service has been found to have an excessive number of vulnerabilities, this servlet must not be installed. vSphere Client does not configure WebDAV by default.
Checks: C-42989r679493_chk

At the command prompt, execute the following command: # grep -n -i 'webdav' /usr/lib/vmware-vsphere-client/server/configuration/conf/web.xml If the command produces any output, this is a finding.

Fix: F-42948r679494_fix

Navigate to and open all listed files. Navigate to and locate the mapping for the JSP servlet. It is the <servlet-mapping> node that contains <servlet-name>webdav</servlet-name>. Remove the WebDav servlet and any mapping associated with it.

b
vSphere Client must be configured with memory leak protection.
CM-7 - Medium - CCI-000381 - V-239757 - SV-239757r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCFL-67-000016
Vuln IDs
  • V-239757
Rule IDs
  • SV-239757r879587_rule
The Java Runtime environment can cause a memory leak or lock files under certain conditions. Without memory leak protection, vSphere Client can continue to consume system resources, which will lead to "OutOfMemoryErrors" when reloading web applications. Memory leaks occur when JRE code uses the context class loader to load a singleton, as this will cause a memory leak if a web application class loader happens to be the context class loader at the time. The "JreMemoryLeakPreventionListener" class is designed to initialize these singletons when Tomcat's common class loader is the context class loader. Proper use of JRE memory leak protection will ensure that the hosted application does not consume system resources and cause an unstable environment.
Checks: C-42990r679496_chk

At the command prompt, execute the following command: # grep JreMemoryLeakPreventionListener /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml Expected result: &lt;Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" /&gt; If the output of the command does not match the expected result, this is a finding.

Fix: F-42949r679497_fix

Navigate to and open /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml. Navigate to the <Server> node. Add '<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>' to the <Server> node.

b
vSphere Client must not have any symbolic links in the web content directory tree.
CM-7 - Medium - CCI-000381 - V-239758 - SV-239758r879587_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCFL-67-000017
Vuln IDs
  • V-239758
Rule IDs
  • SV-239758r879587_rule
A web server is designed to deliver content and execute scripts or applications on the request of a client or user. Containing user requests to files in the directory tree of the hosted web application and limiting the execution of scripts and applications guarantees that the user is not accessing information protected outside the application's realm. By checking that no symbolic links exist in the document root, the web server is protected from users jumping outside the hosted application directory tree and gaining access to the other directories, including the system root.
Checks: C-42991r679499_chk

At the command prompt, execute the following command: # find /usr/lib/vmware-vsphere-client/server/work/ -type l -ls If the command produces any output, this is a finding.

Fix: F-42950r679500_fix

At the command prompt, execute the following commands: Note: Replace <file_name> for the name of any files that were returned. # unlink <file_name> Repeat the commands for each file that was returned.

b
vSphere Client must ensure appropriate permissions are set on the keystore.
IA-5 - Medium - CCI-000186 - V-239759 - SV-239759r879613_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000186
Version
VCFL-67-000018
Vuln IDs
  • V-239759
Rule IDs
  • SV-239759r879613_rule
The web server's private key is used to prove the identity of the server to clients and securely exchange the shared secret key used to encrypt communications between the web server and clients. By gaining access to the private key, an attacker can pretend to be an authorized server and decrypt the SSL traffic between a client and the web server. vSphere Client pulls the machine certificate from the VECS keystore and stores it in keystore.jks so Tomcat can access it. The minimum permissions and ownership on the keystore are set by default but must be verified.
Checks: C-42992r679502_chk

At the command prompt, execute the following command: # stat -c "%n permissions are %a and is owned by %U:%G" /etc/vmware/vsphere-client/keystore.jks Expected result: /etc/vmware/vsphere-client/keystore.jks permissions are 640 and is owned by vsphere-client:users If the output of the command does not match the expected result, this is a finding.

Fix: F-42951r679503_fix

At the command prompt, execute the following command: # chmod 640 /etc/vmware/vsphere-client/keystore.jks # chown vsphere-client:users /etc/vmware/vsphere-client/keystore.jks

b
vSphere Client directory tree must have permissions in an "out-of-the-box" state.
SC-2 - Medium - CCI-001082 - V-239760 - SV-239760r879631_rule
RMF Control
SC-2
Severity
Medium
CCI
CCI-001082
Version
VCFL-67-000019
Vuln IDs
  • V-239760
Rule IDs
  • SV-239760r879631_rule
As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server. The resources to which these accounts have access must also be closely monitored and controlled. vSphere Client files must be adequately protected with correct permissions as applied out of the box. Satisfies: SRG-APP-000211-WSR-000030, SRG-APP-000380-WSR-000072
Checks: C-42993r679505_chk

At the command prompt, execute the following command: # find /usr/lib/vmware-vsphere-client/server -xdev -type f -a '(' -not -user vsphere-client -o '(' -not -group root -a -not -group users -not -group cis ')' ')' -exec ls -ld {} \; If the command produces any output, this is a finding.

Fix: F-42952r679506_fix

At the command prompt, execute the following command: #chown vsphere-client:root <file_name> Repeat the command for each file that was returned. Note: Replace <file_name> for the name of the file that was returned.

b
vSphere Client must limit the number of allowed connections.
SC-5 - Medium - CCI-001094 - V-239761 - SV-239761r879650_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-001094
Version
VCFL-67-000020
Vuln IDs
  • V-239761
Rule IDs
  • SV-239761r879650_rule
Limiting the number of established connections to Sphere Client is a basic denial-of-service protection. Servers where the limit is too high or unlimited can potentially run out of system resources and negatively affect system availability.
Checks: C-42994r679508_chk

At the command prompt, execute the following command: # xmllint --format --xpath '/Server/Service/Connector/@acceptCount' /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml Expected result: acceptCount="300" acceptCount="300" If the output does not match the expected result, this is a finding.

Fix: F-42953r679509_fix

Navigate to and open /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml. Configure each <Connector> node with the following: acceptCount="300"

b
vSphere Client must set "URIEncoding" to UTF-8.
SI-10 - Medium - CCI-001310 - V-239762 - SV-239762r879652_rule
RMF Control
SI-10
Severity
Medium
CCI
CCI-001310
Version
VCFL-67-000021
Vuln IDs
  • V-239762
Rule IDs
  • SV-239762r879652_rule
Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. An attacker can also enter Unicode characters into hosted applications in an effort to break out of the document home or root home directory or to bypass security checks. vSphere Client must be configured to use a consistent character set via the "URIEncoding" attribute on the Connector nodes.
Checks: C-42995r679511_chk

At the command prompt, execute the following command: # xmllint --format --xpath '/Server/Service/Connector/@URIEncoding' /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml Expected result: URIEncoding="UTF-8" URIEncoding="UTF-8" If the output does not match the expected result, this is a finding.

Fix: F-42954r679512_fix

Navigate to and open /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml. Configure each <Connector> node with the following: URIEncoding="UTF-8"

b
vSphere Client must set the "welcome-file" node to a default web page.
SI-11 - Medium - CCI-001312 - V-239763 - SV-239763r879655_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
VCFL-67-000022
Vuln IDs
  • V-239763
Rule IDs
  • SV-239763r879655_rule
Enumeration techniques, such as URL parameter manipulation, rely on being able to obtain information about the web server's directory structure by locating directories without default pages. In this scenario, the web server will display to the user a listing of the files in the directory being accessed. By having a default hosted application web page, the anonymous web user will not obtain directory browsing information or an error message that reveals the server type and version. Ensuring that every document directory has an "index.jsp" (or equivalent) file is one approach to mitigating the vulnerability.
Checks: C-42996r679514_chk

At the command prompt, execute the following command: # xmllint --format /usr/lib/vmware-vsphere-client/server/configuration/conf/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '/web-app/welcome-file-list' - Expected result: &lt;welcome-file-list&gt; &lt;welcome-file&gt;index.html&lt;/welcome-file&gt; &lt;welcome-file&gt;index.htm&lt;/welcome-file&gt; &lt;welcome-file&gt;index.jsp&lt;/welcome-file&gt; &lt;/welcome-file-list&gt; If the output of the command does not match the expected result, this is a finding.

Fix: F-42955r679515_fix

Navigate to and open /usr/lib/vmware-vsphere-client/server/configuration/conf/web.xml. Inspect the file and ensure that it contains the following section: <welcome-file-list> <welcome-file>index.html</welcome-file> <welcome-file>index.htm</welcome-file> <welcome-file>index.jsp</welcome-file> </welcome-file-list>

b
vSphere Client must not show directory listings.
SI-11 - Medium - CCI-001312 - V-239764 - SV-239764r879655_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
VCFL-67-000023
Vuln IDs
  • V-239764
Rule IDs
  • SV-239764r879655_rule
Enumeration techniques, such as URL parameter manipulation, rely on being able to obtain information about the web server's directory structure by locating directories without default pages. In this scenario, the web server will display to the user a listing of the files in the directory being accessed. Ensuring that directory listing is disabled is one approach to mitigating the vulnerability.
Checks: C-42997r679517_chk

At the command prompt, execute the following command: # xmllint --format /usr/lib/vmware-vsphere-client/server/configuration/conf/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '//param-name[text()="listings"]/parent::init-param' - Expected result: &lt;init-param&gt; &lt;param-name&gt;listings&lt;/param-name&gt; &lt;param-value&gt;false&lt;/param-value&gt; &lt;/init-param&gt; If the output of the command does not match the expected result, this is a finding.

Fix: F-42956r679518_fix

Navigate to and open /usr/lib/vmware-vsphere-client/server/configuration/conf/web.xml. Set the <param-value> to "false" in all <param-name>listing</param-name> nodes. Note: The setting should look like the following: <init-param> <param-name>listings</param-name> <param-value>false</param-value> </init-param>

b
vSphere Client must be configured to show error pages with minimal information.
SI-11 - Medium - CCI-001312 - V-239765 - SV-239765r879655_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
VCFL-67-000024
Vuln IDs
  • V-239765
Rule IDs
  • SV-239765r879655_rule
Web servers will often display error messages to client users, displaying enough information to aid in the debugging of the error. The information given back in error messages may display the web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage. This information could be used by an attacker to blueprint what type of attacks might be successful. Therefore, vSphere Client must be configured to not show server version information in error messages.
Checks: C-42998r679520_chk

At the command prompt, execute the following command: # xmllint --format --xpath '/Server/Service/Connector/@server' /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml Expected result: server="Anonymous" server="Anonymous" If the output does not match the expected result, this is a finding.

Fix: F-42957r679521_fix

Navigate to and open /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml. Configure each <Connector> node with the following: server="Anonymous"

b
vSphere Client must not enable support for TRACE requests.
SI-11 - Medium - CCI-001312 - V-239766 - SV-239766r879655_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
VCFL-67-000025
Vuln IDs
  • V-239766
Rule IDs
  • SV-239766r879655_rule
"Trace" is a technique for a user to request internal information about Tomcat. This is useful during product development but should not be enabled in production. Allowing an attacker to conduct a Trace operation against the Security Token Service will expose information that would be useful to perform a more targeted attack. vSphere Client provides the "allowTrace" parameter as a means to disable responding to Trace requests.
Checks: C-42999r679523_chk

At the command prompt, execute the following command: # grep allowTrace /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml If "allowTrace" is set to "true", this is a finding. If no line is returned, this is NOT a finding.

Fix: F-42958r679524_fix

Navigate to and open /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml. Navigate to and locate: 'allowTrace="true"' Remove the 'allowTrace="true"' setting.

b
vSphere Client must have the debug option turned off.
SI-11 - Medium - CCI-001312 - V-239767 - SV-239767r879655_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
VCFL-67-000026
Vuln IDs
  • V-239767
Rule IDs
  • SV-239767r879655_rule
Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or trace information is enabled in a production web server, information about the web server, such as web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage, may be displayed. Since this information may be placed in logs and general messages during normal operation of the web server, an attacker does not need to cause an error condition to gain this information. vSphere Client can be configured to set the debugging level. By setting the debugging level to zero, no debugging information will be provided to a malicious user.
Checks: C-43000r679526_chk

At the command prompt, execute the following command: # xmllint --format /usr/lib/vmware-vsphere-client/server/configuration/conf/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '//param-name[text()="debug"]/parent::init-param' - Expected result: &lt;init-param&gt; &lt;param-name&gt;debug&lt;/param-name&gt; &lt;param-value&gt;0&lt;/param-value&gt; &lt;/init-param&gt; If the output of the command does not match the expected result, this is a finding.

Fix: F-42959r679527_fix

Navigate to and open /usr/lib/vmware-vsphere-client/server/configuration/conf/web.xml. Navigate to all <debug> nodes that are not set to "0". Set the <param-value> to "0" in all <param-name>debug</param-name> nodes. Note: The debug setting should look like the following: <init-param> <param-name>debug</param-name> <param-value>0</param-value> </init-param>

b
Rsyslog must be configured to monitor and ship vSphere Client log files.
AU-4 - Medium - CCI-001851 - V-239768 - SV-239768r879731_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
VCFL-67-000027
Vuln IDs
  • V-239768
Rule IDs
  • SV-239768r879731_rule
The vSphere Client produces a handful of logs that must be offloaded from the originating system. This information can then be used for diagnostic, forensics, or other purposes relevant to ensuring the availability and integrity of the hosted application.
Checks: C-43001r679529_chk

At the command prompt, execute the following command: # grep -v "^#" /etc/vmware-syslog/stig-vsphere-client.conf Expected result: input(type="imfile" File="/var/log/vmware/vsphere-client/logs/access/localhost_access*" Tag="client-access" Severity="info" Facility="local0") input(type="imfile" File="/var/log/vmware/vsphere-client/logs/vsphere-client-runtime*" Tag="client-runtime" Severity="info" Facility="local0") If the file does not exist, this is a finding. If the output of the command does not match the expected result, this is a finding.

Fix: F-42960r679530_fix

Navigate to and open /etc/vmware-syslog/stig-vsphere-client.conf. Create the file if it does not exist. Set the contents of the file as follows: input(type="imfile" File="/var/log/vmware/vsphere-client/logs/access/localhost_access*" Tag="client-access" Severity="info" Facility="local0") input(type="imfile" File="/var/log/vmware/vsphere-client/logs/vsphere-client-runtime*" Tag="client-runtime" Severity="info" Facility="local0")

b
vSphere Client must be configured with the appropriate ports.
CM-7 - Medium - CCI-001762 - V-239769 - SV-239769r879756_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-001762
Version
VCFL-67-000028
Vuln IDs
  • V-239769
Rule IDs
  • SV-239769r879756_rule
Web servers provide numerous processes, features, and functionalities that use TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production system. vSphere Client comes configured with two connectors. One is behind the reverse proxy and listening on 9090, and the other is serving SSL natively on 9443. The ports that vSphere Client listens on must be verified as accurate to their shipping state.
Checks: C-43002r679532_chk

At the command prompt, execute the following command: # xmllint --format --xpath '/Server/Service/Connector/@port' /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml Expected result: port="9090" port="9443" If the output does not match the expected result, this is a finding.

Fix: F-42961r679533_fix

Navigate to and open /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml in a text editor. On the first <Connector>, with redirectPort="9443", configure the port as follows: port="9090" On the second <Connector>, with SSLEnabled="true", configure the port as follows: port="9443"

b
vSphere Client must disable the shutdown port.
SC-5 - Medium - CCI-002385 - V-239770 - SV-239770r879806_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
VCFL-67-000029
Vuln IDs
  • V-239770
Rule IDs
  • SV-239770r879806_rule
An attacker has at least two reasons to stop a web server. The first is to cause a denial of service, and the second is to put in place changes the attacker made to the web server configuration. If the Tomcat shutdown port feature is enabled, a shutdown signal can be sent to vSphere Client through this port. To ensure availability, the shutdown port must be disabled.
Checks: C-43003r679535_chk

At the command prompt, execute the following command: # xmllint --format --xpath '/Server/@port' /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml Expected result: port="-1" If the output does not match the expected result, this is a finding.

Fix: F-42962r679536_fix

Navigate to and open /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml in a text editor. Ensure that the server port is disabled as follows: <Server port="-1">

b
vSphere Client must set the secure flag for cookies.
SC-8 - Medium - CCI-002418 - V-239771 - SV-239771r879810_rule
RMF Control
SC-8
Severity
Medium
CCI
CCI-002418
Version
VCFL-67-000030
Vuln IDs
  • V-239771
Rule IDs
  • SV-239771r879810_rule
The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure flag is to prevent cookies from being observed by unauthorized parties due to the transmission of a cookie in clear text. By setting the secure flag, the browser will prevent the transmission of a cookie over an unencrypted channel.
Checks: C-43004r679538_chk

At the command prompt, execute the following command: # xmllint --format /usr/lib/vmware-vsphere-client/server/configuration/conf/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '/web-app/session-config/cookie-config/secure' - Expected result: &lt;secure&gt;true&lt;/secure&gt; If the output of the command does not match the expected result, this is a finding.

Fix: F-42963r679539_fix

Navigate to and open /usr/lib/vmware-vsphere-client/server/configuration/conf/web.xml. Navigate to the /<web-apps>/<session-config>/<cookie-config> node and configure it as follows: <cookie-config> <http-only>true</http-only> <secure>true</secure> </cookie-config>

c
The version of Virgo-Client running on the system must be a supported version.
SI-2 - High - CCI-002605 - V-257288 - SV-257288r919287_rule
RMF Control
SI-2
Severity
High
CCI
CCI-002605
Version
VCFL-67-000999
Vuln IDs
  • V-257288
Rule IDs
  • SV-257288r919287_rule
Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. Organization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). This requirement will apply to software patch management solutions that are used to install patches across the enclave and to applications that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality, will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means the time period used must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process. The application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
Checks: C-60971r918897_chk

Virgo-Client 6.7 is no longer supported by the vendor. If the system is running Virgo-Client 6.7, this is a finding.

Fix: F-53958r798705_fix

Upgrade to a supported version.