VMware vSphere 8.0 vCenter Appliance User Interface (UI) Security Technical Implementation Guide

  • Version/Release: V2R1
  • Published: 2024-07-11
  • Released: 2024-08-01

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
The vCenter UI service must limit the number of maximum concurrent connections permitted.
AC-10 - Medium - CCI-000054 - V-259104 - SV-259104r960735_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
VCUI-80-000001
Vuln IDs
  • V-259104
Rule IDs
  • SV-259104r960735_rule
Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a website, facilitating a denial-of-service attack. Unless the number of requests is controlled, the web server can consume enough system resources to cause a system crash. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests. In Tomcat, each incoming request requires a thread for the duration of that request. If more simultaneous requests are received than can be handled by the currently available request processing threads, additional threads will be created up to the value of the maxThreads attribute. Satisfies: SRG-APP-000001-AS-000001, SRG-APP-000435-AS-000163
Checks: C-62844r935214_chk

At the command prompt, run the following command:

# xmllint --xpath '/Server/Service/Connector[@port="${http.port}"]/@maxThreads' /usr/lib/vmware-vsphere-ui/server/conf/server.xml

Expected result:

maxThreads="800"

If the output does not match the expected result, this is a finding.

Fix: F-62753r935215_fix

Navigate to and open:

/usr/lib/vmware-vsphere-ui/server/conf/server.xml

Navigate to the <Connector> node and configure it with the value:

maxThreads="800"

Restart the service with the following command:

# vmon-cli --restart vsphere-ui

The vCenter UI service cookies must have secure flag set.
AC-3 - Medium - CCI-000213 - V-259105 - SV-259105r960792_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
VCUI-80-000005
Vuln IDs
  • V-259105
Rule IDs
  • SV-259105r960792_rule
The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of the secure flag is to prevent cookies from being observed by unauthorized parties due to the transmission of a cookie in clear text. By setting the secure flag, the browser will prevent the transmission of a cookie over an unencrypted channel.
Checks: C-62845r935217_chk

At the command prompt, run the following command:

# xmllint --format /usr/lib/vmware-vsphere-ui/server/conf/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '/web-app/session-config/cookie-config/secure' -

Expected result:

<secure>true</secure>

If the output of the command does not match the expected result, this is a finding.

Fix: F-62754r935218_fix

Navigate to and open:

/usr/lib/vmware-vsphere-ui/server/conf/web.xml

Navigate to the <session-config> node and configure the <secure> setting as follows:

<session-config>
  <session-timeout>30</session-timeout>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
</session-config>

Restart the service with the following command:

# vmon-cli --restart vsphere-ui

The vCenter UI service must initiate session logging upon startup.
AU-14 - Medium - CCI-001464 - V-259106 - SV-259106r960888_rule
RMF Control
AU-14
Severity
Medium
CCI
CCI-001464
Version
VCUI-80-000013
Vuln IDs
  • V-259106
Rule IDs
  • SV-259106r960888_rule
Logging must be started as soon as possible when a service starts and as late as possible when a service is stopped. Many forms of suspicious actions can be detected by analyzing logs for unexpected service starts and stops. Also, by starting to log immediately after a service starts, it becomes more difficult for suspicious activity to go unlogged.
Checks: C-62846r935220_chk

At the command prompt, run the following command:

# grep StreamRedirectFile /etc/vmware/vmware-vmon/svcCfgfiles/vsphere-ui.json

Expected output:

"StreamRedirectFile" : "%VMWARE_LOG_DIR%/vmware/vsphere-ui/logs/vsphere-ui-runtime.log",

If no log file is specified for the "StreamRedirectFile" setting, this is a finding.

Fix: F-62755r935221_fix

Navigate to and open:

/etc/vmware/vmware-vmon/svcCfgfiles/vsphere-ui.json

Below the last line of the "PreStartCommandArg" block, add the following line:

"StreamRedirectFile" : "%VMWARE_LOG_DIR%/vmware/vsphere-ui/logs/vsphere-ui-runtime.log",

Restart the service with the following command:

# vmon-cli --restart vsphere-ui

The vCenter UI service must produce log records containing sufficient information regarding event details.
AC-17 - Medium - CCI-000067 - V-259107 - SV-259107r960891_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000067
Version
VCUI-80-000014
Vuln IDs
  • V-259107
Rule IDs
  • SV-259107r960891_rule
Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine the attacker's location, intent, and degree of success. Tomcat can be configured with an "AccessLogValve", a component that can be inserted into the request processing pipeline to provide robust access logging. The "AccessLogValve" creates log files in the same format as those created by standard web servers. When "AccessLogValve" is properly configured, log files will contain all the forensic information necessary in the case of a security incident. Satisfies: SRG-APP-000095-AS-000056, SRG-APP-000016-AS-000013, SRG-APP-000080-AS-000045, SRG-APP-000089-AS-000050, SRG-APP-000090-AS-000051, SRG-APP-000091-AS-000052, SRG-APP-000096-AS-000059, SRG-APP-000097-AS-000060, SRG-APP-000098-AS-000061, SRG-APP-000099-AS-000062, SRG-APP-000100-AS-000063, SRG-APP-000343-AS-000030, SRG-APP-000375-AS-000211, SRG-APP-000495-AS-000220, SRG-APP-000499-AS-000224, SRG-APP-000503-AS-000228
Checks: C-62847r935223_chk

At the command prompt, run the following command:

# xmllint --xpath '/Server/Service/Engine/Host/Valve[@className="org.apache.catalina.valves.AccessLogValve"]/@pattern' /usr/lib/vmware-vsphere-ui/server/conf/server.xml

Example result:

pattern="%h %{x-forwarded-for}i %l %u %t &quot;%r&quot; %s %b %{#hashedClientId#}s %{#hashedRequestId#}r %I %D"

Required elements:

%h %{X-Forwarded-For}i %l %t %u &quot;%r&quot; %s %b

If the log pattern does not contain the required elements in any order, this is a finding.

Fix: F-62756r935224_fix

Navigate to and open:

/usr/lib/vmware-vsphere-ui/server/conf/server.xml

Inside the <Host> node, find the "AccessLogValve" <Valve> node and replace the "pattern" element as follows:

pattern="%h %{x-forwarded-for}i %l %u %t &quot;%r&quot; %s %b %{#hashedClientId#}s %{#hashedRequestId#}r %I %D"

Restart the service with the following command:

# vmon-cli --restart vsphere-ui

The vCenter UI service must protect logs from unauthorized access.
AU-9 - Medium - CCI-000162 - V-259108 - SV-259108r960930_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
VCUI-80-000025
Vuln IDs
  • V-259108
Rule IDs
  • SV-259108r960930_rule
Log data is essential in the investigation of events. The accuracy of the information is always pertinent. One of the first steps an attacker will take is the modification or deletion of log records to cover tracks and prolong discovery. The web server must protect the log data from unauthorized modification. Satisfies: SRG-APP-000118-AS-000078, SRG-APP-000119-AS-000079, SRG-APP-000120-AS-000080
Checks: C-62848r935226_chk

At the command prompt, run the following command:

# find /var/log/vmware/vsphere-ui/ -xdev -type f -a '(' -perm -o+w -o -not -user vsphere-ui -o -not -group users -a -not -group root ')' -exec ls -ld {} \;

If any files are returned, this is a finding.

Fix: F-62757r935227_fix

At the command prompt, run the following commands:

# chmod o-w <file>
# chown vsphere-ui:users <file>

Note: Substitute <file> with the listed file.

The vCenter UI service must limit privileges for creating or modifying hosted application shared files.
CM-5 - Medium - CCI-001499 - V-259109 - SV-259109r960960_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
VCUI-80-000034
Vuln IDs
  • V-259109
Rule IDs
  • SV-259109r960960_rule
Application servers have the ability to specify that the hosted applications use shared libraries. The application server must have a capability to divide roles based upon duties wherein one project user (such as a developer) cannot modify the shared library code of another project user. The application server must also be able to specify that nonprivileged users cannot modify any shared library code at all. Ensuring the Security Lifecycle Listener element is uncommented and sets a minimum Umask value will allow the server to perform a number of security checks when starting and prevent the service from starting if they fail.
Checks: C-62849r935229_chk

At the command prompt, run the following command:

# xmllint --xpath '/Server/Listener[@className="org.apache.catalina.security.SecurityListener"]' /usr/lib/vmware-vsphere-ui/server/conf/server.xml

Example result:

<Listener className="org.apache.catalina.security.SecurityListener"/>

If the "org.apache.catalina.security.SecurityListener" listener is not present, this is a finding.

If the "org.apache.catalina.security.SecurityListener" listener is configured with a "minimumUmask" and it is not "0007", this is a finding.

Fix: F-62758r935230_fix

Navigate to and open:

/usr/lib/vmware-vsphere-ui/server/conf/server.xml

Navigate to the <Server> node and add or update the "org.apache.catalina.security.SecurityListener" as follows:

<Listener className="org.apache.catalina.security.SecurityListener"/>

Restart the service with the following command:

# vmon-cli --restart vsphere-ui

The vCenter UI service must disable stack tracing.
CM-7 - Medium - CCI-000381 - V-259110 - SV-259110r960963_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCUI-80-000036
Vuln IDs
  • V-259110
Rule IDs
  • SV-259110r960963_rule
Stack tracing provides debugging information from the application call stacks when a runtime error is encountered. If stack tracing is left enabled, Tomcat will provide this call stack information to the requestor, which could result in the loss of sensitive information or data that could be used to compromise the system.
Checks: C-62850r935232_chk

At the command prompt, run the following command:

# xmllint --xpath "//Connector[@allowTrace = 'true']" /usr/lib/vmware-vsphere-ui/server/conf/server.xml

Expected result:

XPath set is empty

If any connectors are returned, this is a finding.

Fix: F-62759r935233_fix

Navigate to and open:

/usr/lib/vmware-vsphere-ui/server/conf/server.xml

Navigate to and locate:

allowTrace="true"

Remove the 'allowTrace="true"' setting.

Note: If "allowTrace" is not present, it defaults to false.

Restart the service with the following command:

# vmon-cli --restart vsphere-ui

The vCenter UI service must be configured to use a specified IP address and port.
CM-7 - Medium - CCI-000382 - V-259111 - SV-259111r960966_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VCUI-80-000037
Vuln IDs
  • V-259111
Rule IDs
  • SV-259111r960966_rule
The server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the server to use, the server will listen on all available IP addresses. Accessing the hosted application through an IP address normally used for nonapplication functions opens the possibility of user access to resources, utilities, files, ports, and protocols that are protected on the intended application IP address.
Checks: C-62851r935235_chk

At the command prompt, run the following command:

# xmllint --xpath "//Connector[(@port = '0') or not(@address)]" /usr/lib/vmware-vsphere-ui/server/conf/server.xml

Expected result:

XPath set is empty

If any connectors are returned, this is a finding.

Fix: F-62760r935236_fix

Navigate to and open:

/usr/lib/vmware-vsphere-ui/server/conf/server.xml

Navigate to the <Connector> node and configure the port and address as follows:

port="${http.port}" address="localhost"

Restart the service with the following command:

# vmon-cli --restart vsphere-ui

The vCenter UI service must be configured to limit data exposure between applications.
SC-23 - Medium - CCI-001664 - V-259112 - SV-259112r961116_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-001664
Version
VCUI-80-000057
Vuln IDs
  • V-259112
Rule IDs
  • SV-259112r961116_rule
If RECYCLE_FACADES is true or if a security manager is in use, a new facade object will be created for each request. This reduces the chances that a bug in an application might expose data from one request to another.
Checks: C-62852r935238_chk

At the command line, run the following command:

# grep RECYCLE_FACADES /usr/lib/vmware-vsphere-ui/server/conf/catalina.properties

Example result:

org.apache.catalina.connector.RECYCLE_FACADES=true

If "org.apache.catalina.connector.RECYCLE_FACADES" is not set to "true", this is a finding.

If the "org.apache.catalina.connector.RECYCLE_FACADES" setting does not exist, this is not a finding.

Fix: F-62761r935239_fix

Navigate to and open:

/usr/lib/vmware-vsphere-ui/server/conf/catalina.properties

Update or remove the following line:

org.apache.catalina.connector.RECYCLE_FACADES=true

Restart the service with the following command:

# vmon-cli --restart vsphere-ui

The vCenter UI service must be configured to fail to a known safe state if system initialization fails.
SC-24 - Medium - CCI-001190 - V-259113 - SV-259113r961122_rule
RMF Control
SC-24
Severity
Medium
CCI
CCI-001190
Version
VCUI-80-000062
Vuln IDs
  • V-259113
Rule IDs
  • SV-259113r961122_rule
Determining a safe state for failure and weighing that against a potential denial of service for users depends on what type of application the web server is hosting. It is preferable that the service abort startup on any initialization failure rather than continuing in a degraded, and potentially insecure, state.
Checks: C-62853r935241_chk

At the command line, run the following command:

# grep EXIT_ON_INIT_FAILURE /usr/lib/vmware-vsphere-ui/server/conf/catalina.properties

Example result:

org.apache.catalina.startup.EXIT_ON_INIT_FAILURE=true

If there are no results, or if "org.apache.catalina.startup.EXIT_ON_INIT_FAILURE" is not set to "true", this is a finding.

Fix: F-62762r935242_fix

Navigate to and open:

/usr/lib/vmware-vsphere-ui/server/conf/catalina.properties

Add or change the following line:

org.apache.catalina.startup.EXIT_ON_INIT_FAILURE=true

Restart the service with the following command:

# vmon-cli --restart vsphere-ui

The vCenter UI service must set URIEncoding to UTF-8.
SI-10 - Medium - CCI-001310 - V-259114 - SV-259114r961158_rule
RMF Control
SI-10
Severity
Medium
CCI
CCI-001310
Version
VCUI-80-000065
Vuln IDs
  • V-259114
Rule IDs
  • SV-259114r961158_rule
Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. An attacker can also enter Unicode characters into hosted applications in an effort to break out of the document home or root home directory or bypass security checks.
Checks: C-62854r935244_chk

At the command prompt, run the following command:

# xmllint --xpath "//Connector[@URIEncoding != 'UTF-8'] | //Connector[not(@URIEncoding)]" /usr/lib/vmware-vsphere-ui/server/conf/server.xml

Expected result:

XPath set is empty

If any connectors are returned, this is a finding.

Fix: F-62763r935245_fix

Navigate to and open:

/usr/lib/vmware-vsphere-ui/server/conf/server.xml

Configure the <Connector> node with the value:

URIEncoding="UTF-8"

Restart the service with the following command:

# vmon-cli --restart vsphere-ui

The vCenter UI service "ErrorReportValve showServerInfo" must be set to "false".
SI-11 - Medium - CCI-001312 - V-259115 - SV-259115r961167_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
VCUI-80-000067
Vuln IDs
  • V-259115
Rule IDs
  • SV-259115r961167_rule
The Error Report Valve is a simple error handler for HTTP status codes that will generate and return HTML error pages. It can also be configured to return predefined static HTML pages for specific status codes and/or exception types. Disabling "showServerInfo" will only return the HTTP status code and remove all CSS from the default nonerror-related HTTP responses.
Checks: C-62855r935247_chk

At the command prompt, run the following command:

# xmllint --xpath '/Server/Service/Engine/Host/Valve[@className="org.apache.catalina.valves.ErrorReportValve"]' /usr/lib/vmware-vsphere-ui/server/conf/server.xml

Example result:

<Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="false" showReport="false"/>

If the "ErrorReportValve" element is not defined or "showServerInfo" is not set to "false", this is a finding.

Fix: F-62764r935248_fix

Navigate to and open:

/usr/lib/vmware-vsphere-ui/server/conf/server.xml

Locate the following Host block:

<Host ...>
...
</Host>

Inside this block, add or update the following on a new line:

<Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="false" showReport="false"/>

Restart the service with the following command:

# vmon-cli --restart vsphere-ui

The vCenter UI service must set an inactive timeout for sessions.
- Medium - CCI-004895 - V-259116 - SV-259116r1003678_rule
RMF Control
Severity
Medium
CCI
CCI-004895
Version
VCUI-80-000070
Vuln IDs
  • V-259116
Rule IDs
  • SV-259116r1003678_rule
Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By closing sessions after a set period of inactivity, the web server can make certain that those sessions that are not closed through the user logging out of an application are eventually closed. Satisfies: SRG-APP-000295-AS-000263, SRG-APP-000389-AS-000253
Checks: C-62856r935250_chk

At the command prompt, run the following command:

# xmllint --format /usr/lib/vmware-vsphere-ui/server/conf/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '/web-app/session-config/session-timeout' -

Example result:

<session-timeout>30</session-timeout>

If the value of "session-timeout" is not "30" or less, or is missing, this is a finding.

Fix: F-62765r935251_fix

Navigate to and open:

/usr/lib/vmware-vsphere-ui/server/conf/web.xml

Navigate to the <session-config> node and configure the <session-timeout> as follows:

<session-config>
  <session-timeout>30</session-timeout>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
</session-config>

Restart the service with the following command:

# vmon-cli --restart vsphere-ui

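The two web.xml checks on this page (VCUI-80-000005 secure cookie flag and VCUI-80-000070 session timeout) both pipe the file through sed to strip the xmlns declaration before running XPath, because web.xml declares a default namespace and an unprefixed path such as /web-app/session-config/secure would otherwise match nothing. The following is an added example, not part of the STIG or of VMware's tooling, that performs the same two checks offline on constructed web.xml fragments and sidesteps the namespace by matching on local element names; the fragments and the javaee namespace URI are assumptions chosen for the sample, not taken from an appliance.

```python
"""Audit web.xml session-config for the vSphere UI secure-cookie and timeout rules.

Added example, not the STIG's own tooling. Handles the default namespace that
makes the page's check strip xmlns with sed: elements are matched by local name.
"""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def _find_path(elem, *names):
    """Walk child elements by local name, ignoring whatever namespace web.xml declares."""
    for name in names:
        elem = next((c for c in elem if _local(c.tag) == name), None)
        if elem is None:
            return None
    return elem


def audit_web_xml(xml_text):
    """Return the sorted STIG IDs from this page that are findings for web.xml."""
    root = ET.fromstring(xml_text)
    findings = set()

    # VCUI-80-000005: <session-config><cookie-config><secure> must be exactly "true".
    secure = _find_path(root, "session-config", "cookie-config", "secure")
    if secure is None or (secure.text or "").strip() != "true":
        findings.add("VCUI-80-000005")

    # VCUI-80-000070: <session-timeout> must be present and 30 (minutes) or less.
    # Stricter than the page's literal wording: a value of 0 or less disables the
    # timeout entirely under the servlet specification, so it is a finding here too.
    timeout = _find_path(root, "session-config", "session-timeout")
    try:
        minutes = int((timeout.text or "").strip()) if timeout is not None else None
    except ValueError:
        minutes = None
    if minutes is None or not 0 < minutes <= 30:
        findings.add("VCUI-80-000070")

    return sorted(findings)


# Constructed web.xml fragments (assumed sample content, not copied from an appliance).
# The first mirrors the page's Fix text; the second has an overlong timeout and no <secure>.
COMPLIANT_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
</web-app>"""

NONCOMPLIANT_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <session-config>
    <session-timeout>480</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
    </cookie-config>
  </session-config>
</web-app>"""

if __name__ == "__main__":
    print("compliant:", audit_web_xml(COMPLIANT_WEB_XML) or "no findings")
    print("noncompliant:", audit_web_xml(NONCOMPLIANT_WEB_XML))
```
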
The vCenter UI service must offload log records onto a different system or media from the system being logged.
AU-4 - Medium - CCI-001851 - V-259117 - SV-259117r961395_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
VCUI-80-000081
Vuln IDs
  • V-259117
Rule IDs
  • SV-259117r961395_rule
Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, filenames involved, and access control or flow control rules invoked. Offloading is a common process in information systems with limited log storage capacity. Centralized management of log records provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. Application servers and their related components are required to offload log records onto a different system or media than the system being logged.
Checks: C-62857r935253_chk

By default, a vmware-services-vsphere-ui.conf rsyslog configuration file is installed that includes the service logs when syslog is configured on vCenter, but it must be verified.

At the command prompt, run the following command:

# cat /etc/vmware-syslog/vmware-services-vsphere-ui.conf

Expected result:

#vsphere-ui main log
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log" Tag="ui-main" Severity="info" Facility="local0")
#vsphere-ui change log
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/changelog.log" Tag="ui-changelog" Severity="info" Facility="local0")
#vsphere-ui dataservice log
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/dataservice.log" Tag="ui-dataservice" Severity="info" Facility="local0")
#vsphere-ui apigw log
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/apigw.log" Tag="ui-apigw" Severity="info" Facility="local0")
#vsphere-ui equinox log
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/equinox.log" Tag="ui-equinox" Severity="info" Facility="local0")
#vsphere-ui event log
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/eventlog.log" Tag="ui-eventlog" Severity="info" Facility="local0")
#vsphere-ui op id log
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/opId.log" Tag="ui-opid" Severity="info" Facility="local0")
#vsphere-ui performance audit log
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/performanceAudit.log" Tag="ui-performanceAudit" Severity="info" Facility="local0")
#vsphere-ui plugin-medic log
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/plugin-medic.log" Tag="ui-plugin-medic" Severity="info" Facility="local0")
#vsphere-ui threadmonitor log
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/threadmonitor.log" Tag="ui-threadmonitor" Severity="info" Facility="local0")
#vsphere-ui threadpools log
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/threadpools.log" Tag="ui-threadpools" Severity="info" Facility="local0")
#vsphere-ui vspheremessaging log
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/vspheremessaging.log" Tag="ui-vspheremessaging" Severity="info" Facility="local0")
#vsphere-ui rpm log
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/vsphere-ui-rpm.log" Tag="ui-rpm" Severity="info" Facility="local0")
#vsphere-ui runtime log stdout
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/vsphere-ui-runtime.log*" Tag="ui-runtime-stdout" Severity="info" Facility="local0")
#vsphere-ui runtime log stderr
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/vsphere-ui-runtime.log*" Tag="ui-runtime-stderr" Severity="info" Facility="local0")
#vsphere-ui access log
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/access/localhost_access_log.txt" Tag="ui-access" Severity="info" Facility="local0")
#vsphere-ui gc log
input(type="imfile" File="/var/log/vmware/vsphere-ui/vsphere-ui-gc*" Tag="ui-gc" Severity="info" Facility="local0")
#vsphere-ui firstboot log
input(type="imfile" File="/var/log/firstboot/vsphere_ui_firstboot*" Tag="ui-firstboot" Severity="info" Facility="local0")
#vsphere-ui catalina
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/catalina.*.log" Tag="ui-runtime-catalina" Severity="info" Facility="local0")
#vsphere-ui endpoint
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/endpoint.log" Tag="ui-runtime-endpoint" Severity="info" Facility="local0")
#vsphere-ui localhost
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/localhost.*.log" Tag="ui-runtime-localhost" Severity="info" Facility="local0")
#vsphere-ui vsan
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/vsan-plugin.log" Tag="ui-runtime-vsan" Severity="info" Facility="local0")

If the output does not match the expected result, this is a finding.

Fix: F-62766r935254_fix

Navigate to and open:

vmware-services-vsphere-ui.conf

Create the file if it does not exist.

Set the contents of the file as follows:

#vsphere-ui main log
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log" Tag="ui-main" Severity="info" Facility="local0")
#vsphere-ui change log
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/changelog.log" Tag="ui-changelog" Severity="info" Facility="local0")
#vsphere-ui dataservice log
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/dataservice.log" Tag="ui-dataservice" Severity="info" Facility="local0")
#vsphere-ui apigw log
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/apigw.log" Tag="ui-apigw" Severity="info" Facility="local0")
#vsphere-ui equinox log
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/equinox.log" Tag="ui-equinox" Severity="info" Facility="local0")
#vsphere-ui event log
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/eventlog.log" Tag="ui-eventlog" Severity="info" Facility="local0")
#vsphere-ui op id log
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/opId.log" Tag="ui-opid" Severity="info" Facility="local0")
#vsphere-ui performance audit log
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/performanceAudit.log" Tag="ui-performanceAudit" Severity="info" Facility="local0")
#vsphere-ui plugin-medic log
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/plugin-medic.log" Tag="ui-plugin-medic" Severity="info" Facility="local0")
#vsphere-ui threadmonitor log
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/threadmonitor.log" Tag="ui-threadmonitor" Severity="info" Facility="local0")
#vsphere-ui threadpools log
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/threadpools.log" Tag="ui-threadpools" Severity="info" Facility="local0")
#vsphere-ui vspheremessaging log
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/vspheremessaging.log" Tag="ui-vspheremessaging" Severity="info" Facility="local0")
#vsphere-ui rpm log
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/vsphere-ui-rpm.log" Tag="ui-rpm" Severity="info" Facility="local0")
#vsphere-ui runtime log stdout
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/vsphere-ui-runtime.log*" Tag="ui-runtime-stdout" Severity="info" Facility="local0")
#vsphere-ui runtime log stderr
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/vsphere-ui-runtime.log*" Tag="ui-runtime-stderr" Severity="info" Facility="local0")
#vsphere-ui access log
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/access/localhost_access_log.txt" Tag="ui-access" Severity="info" Facility="local0")
#vsphere-ui gc log
input(type="imfile" File="/var/log/vmware/vsphere-ui/vsphere-ui-gc*" Tag="ui-gc" Severity="info" Facility="local0")
#vsphere-ui firstboot log
input(type="imfile" File="/var/log/firstboot/vsphere_ui_firstboot*" Tag="ui-firstboot" Severity="info" Facility="local0")
#vsphere-ui catalina
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/catalina.*.log" Tag="ui-runtime-catalina" Severity="info" Facility="local0")
#vsphere-ui endpoint
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/endpoint.log" Tag="ui-runtime-endpoint" Severity="info" Facility="local0")
#vsphere-ui localhost
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/localhost.*.log" Tag="ui-runtime-localhost" Severity="info" Facility="local0")
#vsphere-ui vsan
input(type="imfile" File="/var/log/vmware/vsphere-ui/logs/vsan-plugin.log" Tag="ui-runtime-vsan" Severity="info" Facility="local0")

The vCenter UI service must enable "STRICT_SERVLET_COMPLIANCE".
CM-6 - Medium - CCI-000366 - V-259118 - SV-259118r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCUI-80-000124
Vuln IDs
  • V-259118
Rule IDs
  • SV-259118r961863_rule
Strict Servlet Compliance forces Tomcat to adhere to standards specifications including but not limited to RFC2109. RFC2109 sets the standard for HTTP session management. This setting affects several other settings that primarily pertain to cookie headers, cookie values, and sessions. Cookies will be parsed for strict adherence to specifications. Note that changing a number of these default settings may break some systems, as some browsers are unable to correctly handle the cookie headers that result from a strict adherence to the specifications.

This one setting changes the default values for the following settings:

org.apache.catalina.core.ApplicationContext.GET_RESOURCE_REQUIRE_SLASH
org.apache.catalina.core.ApplicationDispatcher.WRAP_SAME_OBJECT
org.apache.catalina.core.StandardHostValve.ACCESS_SESSION
org.apache.catalina.session.StandardSession.ACTIVITY_CHECK
org.apache.catalina.session.StandardSession.LAST_ACCESS_AT_START
org.apache.tomcat.util.http.ServerCookie.ALWAYS_ADD_EXPIRES
org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR
org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER
org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING
The "resourceOnlyServlets" attribute of any Context element.
The "tldValidation" attribute of any Context element.
The "useRelativeRedirects" attribute of any Context element.
The "xmlNamespaceAware" attribute of any Context element.
The "xmlValidation" attribute of any Context element.
Checks: C-62858r935256_chk

At the command line, run the following command:

# grep STRICT_SERVLET_COMPLIANCE /usr/lib/vmware-vsphere-ui/server/conf/catalina.properties

Example result:

org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true

If there are no results, or if "org.apache.catalina.STRICT_SERVLET_COMPLIANCE" is not set to "true", this is a finding.

Fix: F-62767r935257_fix

Navigate to and open:

/usr/lib/vmware-vsphere-ui/server/conf/catalina.properties

Add or change the following line:

org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true

Restart the service with the following command:

# vmon-cli --restart vsphere-ui

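The three catalina.properties checks on this page (VCUI-80-000057 RECYCLE_FACADES, VCUI-80-000062 EXIT_ON_INIT_FAILURE, VCUI-80-000124 STRICT_SERVLET_COMPLIANCE) are all a grep for one key, but they treat a missing key differently: an absent RECYCLE_FACADES is explicitly not a finding, while the other two are findings when absent. The following is an added example, not part of the STIG or of VMware's tooling, that encodes that distinction in a small properties auditor and applies the corresponding Fix steps to constructed sample content; the sample files are assumptions and the "true" comparison is exact, as the page's checks read it.

```python
"""Audit the catalina.properties rules on this page, encoding their different
treatment of a missing key.

Added example; not the STIG's own tooling. RECYCLE_FACADES is a finding only when
present and not "true" (VCUI-80-000057); EXIT_ON_INIT_FAILURE (VCUI-80-000062) and
STRICT_SERVLET_COMPLIANCE (VCUI-80-000124) are findings when missing as well.
"""
import re

# (STIG ID, property key, is an absent key a finding?)
RULES = (
    ("VCUI-80-000057", "org.apache.catalina.connector.RECYCLE_FACADES", False),
    ("VCUI-80-000062", "org.apache.catalina.startup.EXIT_ON_INIT_FAILURE", True),
    ("VCUI-80-000124", "org.apache.catalina.STRICT_SERVLET_COMPLIANCE", True),
)


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' separators,
    backslash line continuations, last duplicate wins. Enough for catalina.properties."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit_catalina_properties(text):
    """Return the sorted STIG IDs from this page that are findings for this file.
    The value must be exactly "true", as the page's grep checks read it."""
    props = parse_properties(text)
    findings = []
    for stig_id, key, absent_is_finding in RULES:
        value = props.get(key)
        if value is None:
            if absent_is_finding:
                findings.append(stig_id)
        elif value != "true":
            findings.append(stig_id)
    return sorted(findings)


def apply_fixes(text):
    """Return the file text with the page's Fix steps applied: every rule key that is
    present is set to true in place, and the two keys that must exist are appended
    if missing. Comments and unrelated lines are preserved."""
    out, seen = [], set()
    rule_keys = {key for _, key, _ in RULES}
    for raw in text.splitlines():
        m = re.match(r"\s*([^=:\s#!]+)\s*[=:]", raw)
        key = m.group(1) if m else None
        if key in rule_keys:
            seen.add(key)
            raw = f"{key}=true"
        out.append(raw)
    for _, key, absent_is_finding in RULES:
        if absent_is_finding and key not in seen:
            out.append(f"{key}=true")
    return "\n".join(out) + "\n"


# Constructed samples (assumed content, not copied from an appliance).
DEFAULT_PROPS = """# RECYCLE_FACADES is deliberately absent: not a finding per VCUI-80-000057
org.apache.catalina.startup.EXIT_ON_INIT_FAILURE=true
org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true
"""

WEAK_PROPS = """org.apache.catalina.connector.RECYCLE_FACADES=false
org.apache.catalina.startup.EXIT_ON_INIT_FAILURE=false
# STRICT_SERVLET_COMPLIANCE is missing, which is a finding for VCUI-80-000124
"""

if __name__ == "__main__":
    print("defaults:", audit_catalina_properties(DEFAULT_PROPS) or "no findings")
    print("weak:", audit_catalina_properties(WEAK_PROPS))
    print("after fix:", audit_catalina_properties(apply_fixes(WEAK_PROPS)) or "no findings")
```
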
The vCenter UI service must limit the amount of time that each Transmission Control Protocol (TCP) connection is kept alive.
AC-10 - Medium - CCI-000054 - V-259119 - SV-259119r960735_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
VCUI-80-000125
Vuln IDs
  • V-259119
Rule IDs
  • SV-259119r960735_rule
Denial of service (DoS) is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resources are available to satisfy legitimate requests. In Tomcat, the "connectionTimeout" attribute sets the number of milliseconds the server will wait after accepting a connection for the request Uniform Resource Identifier (URI) line to be presented. This timeout will also be used when reading the request body (if any). This prevents idle sockets that are not sending HTTP requests from consuming system resources and potentially denying new connections.
Checks: C-62859r935259_chk

The connection timeout should not be disabled by setting it to "-1".

At the command prompt, run the following command:

# xmllint --xpath "//Connector[@connectionTimeout = '-1']" /usr/lib/vmware-vsphere-ui/server/conf/server.xml

Expected result:

XPath set is empty

If any connectors are returned, this is a finding.

Fix: F-62768r935260_fix

Navigate to and open:

/usr/lib/vmware-vsphere-ui/server/conf/server.xml

Configure the <Connector> node with the value:

connectionTimeout="300000"

Restart the service with the following command:

# vmon-cli --restart vsphere-ui

The vCenter UI service must limit the number of times that each Transmission Control Protocol (TCP) connection is kept alive.
AC-10 - Medium - CCI-000054 - V-259120 - SV-259120r960735_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
VCUI-80-000126
Vuln IDs
  • V-259120
Rule IDs
  • SV-259120r960735_rule
KeepAlive provides long lived HTTP sessions that allow multiple requests to be sent over the same connection. Enabling KeepAlive mitigates the effects of several types of denial-of-service attacks. An advantage of KeepAlive is the reduced latency in subsequent requests (no handshaking). However, a disadvantage is that server resources are not available to handle other requests while a connection is maintained between the server and the client. Tomcat can be configured to limit the number of subsequent requests that one client can submit to the server over an established connection. This limit helps balance the advantages of KeepAlive against the risk of any one connection being held too long by any one client.
Checks: C-62860r935262_chk

The number of keep-alive requests per connection should not be made unlimited by setting "maxKeepAliveRequests" to "-1".

At the command prompt, run the following command:

# xmllint --xpath "//Connector[@maxKeepAliveRequests = '-1']" /usr/lib/vmware-vsphere-ui/server/conf/server.xml

Expected result:

XPath set is empty

If any connectors are returned, this is a finding.

Fix: F-62769r935263_fix

Navigate to and open:

/usr/lib/vmware-vsphere-ui/server/conf/server.xml

Configure the <Connector> node with the value:

maxKeepAliveRequests="100"

Restart the service with the following command:

# vmon-cli --restart vsphere-ui

The vCenter UI service must configure the "setCharacterEncodingFilter" filter.
SI-10 - Medium - CCI-001310 - V-259121 - SV-259121r961158_rule
RMF Control
SI-10
Severity
Medium
CCI
CCI-001310
Version
VCUI-80-000127
Vuln IDs
  • V-259121
Rule IDs
  • SV-259121r961158_rule
Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. An attacker can also enter Unicode characters into hosted applications in an effort to break out of the document home or root home directory or to bypass security checks. VMware uses the standard Tomcat "SetCharacterEncodingFilter" to provide a layer of defense against character encoding attacks. Filters are Java objects that perform filtering tasks on the request to a resource (a servlet or static content), on the response from a resource, or both.
Checks: C-62861r935265_chk

At the command prompt, run the following command:

# xmllint --xpath "//*[contains(text(), 'setCharacterEncodingFilter')]/parent::*" /usr/lib/vmware-vsphere-ui/server/conf/web.xml

Expected result:

<filter-mapping>
  <filter-name>setCharacterEncodingFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
  <filter-name>setCharacterEncodingFilter</filter-name>
  <filter-class>org.apache.catalina.filters.SetCharacterEncodingFilter</filter-class>
  <async-supported>true</async-supported>
  <init-param>
    <param-name>encoding</param-name>
    <param-value>UTF-8</param-value>
  </init-param>
  <init-param>
    <param-name>ignore</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>

If the output does not match the expected result, this is a finding.

Fix: F-62770r935266_fix

Navigate to and open:

/usr/lib/vmware-vsphere-ui/server/conf/web.xml

Configure the <web-app> node with the child nodes listed below:

<filter-mapping>
  <filter-name>setCharacterEncodingFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
  <filter-name>setCharacterEncodingFilter</filter-name>
  <filter-class>org.apache.catalina.filters.SetCharacterEncodingFilter</filter-class>
  <async-supported>true</async-supported>
  <init-param>
    <param-name>encoding</param-name>
    <param-value>UTF-8</param-value>
  </init-param>
  <init-param>
    <param-name>ignore</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>

Restart the service with the following command:

# vmon-cli --restart vsphere-ui

The vCenter UI service cookies must have "http-only" flag set.
AC-3 - Medium - CCI-000213 - V-259122 - SV-259122r960792_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
VCUI-80-000129
Vuln IDs
  • V-259122
Rule IDs
  • SV-259122r960792_rule
Cookies are a common way to save session state over the HTTP(S) protocol. If attackers can compromise session data stored in a cookie, they are better able to launch an attack against the server and its applications. When a cookie is tagged with the "HttpOnly" flag, it tells the browser this particular cookie should only be accessed by the originating server. Any attempt to access the cookie from client script is strictly forbidden.
Checks: C-62862r935268_chk

At the command prompt, run the following command:

# xmllint --format /usr/lib/vmware-vsphere-ui/server/conf/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '/web-app/session-config/cookie-config/http-only' -

Expected result:

<http-only>true</http-only>

If the output does not match the expected result, this is a finding.

Fix: F-62771r935269_fix

Navigate to and open:

/usr/lib/vmware-vsphere-ui/server/conf/web.xml

Navigate to the <session-config> node and configure the <http-only> as follows:

<session-config>
  <session-timeout>30</session-timeout>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
</session-config>

Restart the service with the following command:

# vmon-cli --restart vsphere-ui

The vCenter UI service DefaultServlet must be set to "readonly" for "PUT" and "DELETE" commands.
AC-3 - Medium - CCI-000213 - V-259123 - SV-259123r960792_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
VCUI-80-000130
Vuln IDs
  • V-259123
Rule IDs
  • SV-259123r960792_rule
The default servlet (or DefaultServlet) is a special servlet provided with Tomcat that is called when no other suitable page is found in a particular folder. The DefaultServlet serves static resources as well as directory listings. The DefaultServlet is configured by default with the "readonly" parameter set to "true" where HTTP commands such as "PUT" and "DELETE" are rejected. Changing this to "false" allows clients to delete or modify static resources on the server and to upload new resources. DefaultServlet "readonly" must be set to "true", either literally or by absence (default).
Checks: C-62863r935271_chk

At the command prompt, run the following command:

# xmllint --xpath "//*[contains(text(), 'DefaultServlet')]/parent::*" /usr/lib/vmware-vsphere-ui/server/conf/web.xml

Example output:

<servlet>
  <description>File servlet</description>
  <servlet-name>FileServlet</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
</servlet>

If the "readonly" param-value for the "DefaultServlet" servlet class is set to "false", this is a finding.

If the "readonly" param-value does not exist, this is not a finding.

Fix: F-62772r935272_fix

Navigate to and open:

/usr/lib/vmware-vsphere-ui/server/conf/web.xml

Navigate to the /<web-apps>/<servlet>/<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>/ node and remove the following node:

<init-param>
  <param-name>readonly</param-name>
  <param-value>false</param-value>
</init-param>

Restart the service with the following command:

# vmon-cli --restart vsphere-ui

The vCenter UI service shutdown port must be disabled.
CM-7 - Medium - CCI-000381 - V-259124 - SV-259124r960963_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCUI-80-000134
Vuln IDs
  • V-259124
Rule IDs
  • SV-259124r960963_rule
Tomcat by default listens on TCP port 8005 to accept shutdown requests. By connecting to this port and sending the SHUTDOWN command, all applications within Tomcat are halted. The shutdown port is not exposed to the network as it is bound to the loopback interface. Setting the port to "-1" in $CATALINA_BASE/conf/server.xml instructs Tomcat to not listen for the shutdown command.
Checks: C-62864r935274_chk

At the command prompt, run the following commands:

# xmllint --xpath "//Server/@port" /usr/lib/vmware-vsphere-ui/server/conf/server.xml
# grep shutdown.port /etc/vmware/vmware-vmon/svcCfgfiles/vsphere-ui.json

Example results:

port="${shutdown.port}"
"-Dshutdown.port=-1",

If "port" does not equal "${shutdown.port}", this is a finding.

If "shutdown.port" does not equal "-1", this is a finding.

Fix: F-62773r935275_fix

Navigate to and open:

/usr/lib/vmware-vsphere-ui/server/conf/catalina.properties

Add or modify the setting "shutdown.port=-1" in the "catalina.properties" file.

Navigate to and open:

/usr/lib/vmware-vsphere-ui/server/conf/server.xml

Configure the <Server> node with the value:

port="${shutdown.port}"

Restart the service with the following command:

# vmon-cli --restart vsphere-ui

The vCenter UI service debug parameter must be disabled.
CM-7 - Medium - CCI-000381 - V-259125 - SV-259125r960963_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCUI-80-000136
Vuln IDs
  • V-259125
Rule IDs
  • SV-259125r960963_rule
Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or trace information is enabled in a production web server, information about the web server, such as web server type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any backends being used for data storage may be displayed. Because this information may be placed in logs and general messages during normal operation of the web server, an attacker does not need to cause an error condition to gain this information.
Checks: C-62865r935277_chk

At the command prompt, run the following command:

# xmllint --format /usr/lib/vmware-vsphere-ui/server/conf/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '//param-name[text()="debug"]/parent::init-param' -

Example result:

<init-param>
  <param-name>debug</param-name>
  <param-value>0</param-value>
</init-param>

If the "debug" parameter is specified and is not "0", this is a finding.

If the "debug" parameter does not exist, this is not a finding.

Fix: F-62774r935278_fix

Navigate to and open:

/usr/lib/vmware-vsphere-ui/server/conf/web.xml

Locate every <init-param> node whose <param-name> is "debug" and whose <param-value> is not "0", and set its <param-value> to "0".

Note: The debug setting should look like the following:

<init-param>
  <param-name>debug</param-name>
  <param-value>0</param-value>
</init-param>

Restart the service with the following command:

# vmon-cli --restart vsphere-ui

The vCenter UI service directory listings parameter must be disabled.
CM-7 - Medium - CCI-000381 - V-259126 - SV-259126r960963_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCUI-80-000137
Vuln IDs
  • V-259126
Rule IDs
  • SV-259126r960963_rule
Enumeration techniques, such as URL parameter manipulation, rely on being able to obtain information about the web server's directory structure by locating directories without default pages. In this scenario, the web server will display to the user a listing of the files in the directory being accessed. Ensuring that directory listing is disabled is one approach to mitigating the vulnerability. In Tomcat, directory listing is disabled by default but can be enabled via the "listings" parameter. Ensure this node is not present to have the default effect.
Checks: C-62866r935280_chk

At the command prompt, run the following command:

# xmllint --format /usr/lib/vmware-vsphere-ui/server/conf/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '//param-name[text()="listings"]/parent::init-param' -

Example result:

XPath set is empty

If the "listings" parameter is specified and is not "false", this is a finding.

If the "listings" parameter does not exist, this is not a finding.

Fix: F-62775r935281_fix

Navigate to and open:

/usr/lib/vmware-vsphere-ui/server/conf/web.xml

Find and remove the entire block returned in the check. Example:

<init-param>
  <param-name>listings</param-name>
  <param-value>true</param-value>
</init-param>

Restart the service with the following command:

# vmon-cli --restart vsphere-ui
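The web.xml checks in this guide (setCharacterEncodingFilter, HttpOnly cookies, DefaultServlet readonly, debug and listings) as one added Python example that is not part of the STIG or of VMware's tooling. It parses a constructed web.xml embedded inline (the namespace URI, servlet and filter names in it are assumed; nothing is read from the appliance), strips the default namespace the way the sed step in the checks does, and applies the same pass/fail logic, reporting the Vuln IDs used in this guide.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml (namespace URI, servlet and filter names are assumed); the
# DefaultServlet block is deliberately non-compliant so the checker has findings.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <filter>
    <filter-name>setCharacterEncodingFilter</filter-name>
    <filter-class>org.apache.catalina.filters.SetCharacterEncodingFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param><param-name>encoding</param-name><param-value>UTF-8</param-value></init-param>
    <init-param><param-name>ignore</param-name><param-value>true</param-value></init-param>
  </filter>
  <filter-mapping><filter-name>setCharacterEncodingFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <servlet>
    <servlet-name>FileServlet</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>
  </session-config>
</web-app>
"""

SCEF = "org.apache.catalina.filters.SetCharacterEncodingFilter"
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"


def strip_namespaces(root):
    """Rewrite '{uri}tag' to 'tag', the same effect as the sed step in the checks."""
    for el in root.iter():
        if isinstance(el.tag, str) and el.tag.startswith("{"):
            el.tag = el.tag.split("}", 1)[1]
    return root


def init_params(node):
    """Map init-param names (lower-cased, so readonly/readOnly both match) to values."""
    return {(p.findtext("param-name") or "").strip().lower(): (p.findtext("param-value") or "").strip()
            for p in node.findall("init-param")}


def web_xml_findings(web_xml):
    """Return (vuln_id, message) tuples; an empty list means all rules pass."""
    root = strip_namespaces(ET.fromstring(web_xml))
    findings = []

    # VCUI-80-000127: filter declared with encoding=UTF-8, ignore=true and mapped to /*.
    enc = next((f for f in root.findall("filter")
                if f.findtext("filter-name") == "setCharacterEncodingFilter"), None)
    params = init_params(enc) if enc is not None else {}
    mapped = any(m.findtext("filter-name") == "setCharacterEncodingFilter"
                 and m.findtext("url-pattern") == "/*" for m in root.findall("filter-mapping"))
    if not (enc is not None and mapped and enc.findtext("filter-class") == SCEF
            and params.get("encoding") == "UTF-8" and params.get("ignore") == "true"):
        findings.append(("V-259121", "setCharacterEncodingFilter missing, misconfigured or unmapped"))

    # VCUI-80-000129: session cookies must carry the HttpOnly flag.
    if root.findtext("session-config/cookie-config/http-only", "").strip() != "true":
        findings.append(("V-259122", "session-config/cookie-config/http-only is not true"))

    for node in root.findall("servlet") + root.findall("filter"):
        params = init_params(node)
        name = node.findtext("servlet-name") or node.findtext("filter-name")
        # VCUI-80-000130: DefaultServlet readonly must not be false (absent means true).
        if node.findtext("servlet-class") == DEFAULT_SERVLET and params.get("readonly", "true").lower() == "false":
            findings.append(("V-259123", f"servlet {name}: readonly=false"))
        # VCUI-80-000136: debug, if present, must be 0.
        if "debug" in params and params["debug"] != "0":
            findings.append(("V-259125", f"{name}: debug={params['debug']}"))
        # VCUI-80-000137: listings, if present, must be false.
        if "listings" in params and params["listings"].lower() != "false":
            findings.append(("V-259126", f"{name}: listings={params['listings']}"))
    return findings


if __name__ == "__main__":
    for vuln, msg in web_xml_findings(WEB_XML):
        print(f"FINDING {vuln}: {msg}")
```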

The vCenter UI service deployXML attribute must be disabled.
CM-7 - Medium - CCI-000381 - V-259127 - SV-259127r960963_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCUI-80-000138
Vuln IDs
  • V-259127
Rule IDs
  • SV-259127r960963_rule
The Host element controls deployment. Automatic deployment allows for simpler management but also makes it easier for an attacker to deploy a malicious application. Automatic deployment is controlled by the autoDeploy and deployOnStartup attributes. If both are false, only Contexts defined in server.xml will be deployed, and any changes will require a Tomcat restart. In a hosted environment where web applications may not be trusted, set the deployXML attribute to "false" to ignore any context.xml packaged with the web application that may try to assign increased privileges to the web application. Note that if the security manager is enabled, the deployXML attribute will default to false.
Checks: C-62867r935283_chk

At the command prompt, run the following command:

# xmllint --xpath "//Host/@deployXML" /usr/lib/vmware-vsphere-ui/server/conf/server.xml

Expected result:

deployXML="false"

If "deployXML" does not equal "false", this is a finding.

Fix: F-62776r935284_fix

Navigate to and open:

/usr/lib/vmware-vsphere-ui/server/conf/server.xml

Navigate to the <Host> node and configure it with the value:

deployXML="false"

Restart the service with the following command:

# vmon-cli --restart vsphere-ui

The vCenter UI service must have Autodeploy disabled.
CM-7 - Medium - CCI-000381 - V-259128 - SV-259128r960963_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCUI-80-000139
Vuln IDs
  • V-259128
Rule IDs
  • SV-259128r960963_rule
Tomcat allows auto-deployment of applications while it is running. This can allow untested or malicious applications to be automatically loaded into production. Autodeploy must be disabled in production.
Checks: C-62868r935286_chk

At the command prompt, run the following command:

# xmllint --xpath "//Host/@autoDeploy" /usr/lib/vmware-vsphere-ui/server/conf/server.xml

Expected result:

autoDeploy="false"

If "autoDeploy" does not equal "false", this is a finding.

Fix: F-62777r935287_fix

Navigate to and open:

/usr/lib/vmware-vsphere-ui/server/conf/server.xml

Navigate to the <Host> node and configure it with the value:

autoDeploy="false"

Restart the service with the following command:

# vmon-cli --restart vsphere-ui

The vCenter UI service xpoweredBy attribute must be disabled.
CM-7 - Medium - CCI-000381 - V-259129 - SV-259129r960963_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCUI-80-000140
Vuln IDs
  • V-259129
Rule IDs
  • SV-259129r960963_rule
Individual connectors can be configured to display the Tomcat information to clients. This information can be used to identify server versions that can be useful to attackers for identifying vulnerable versions of Tomcat. Individual connectors must be checked for the xpoweredBy attribute to ensure they do not pass server information to clients. The default value for xpoweredBy is "false".
Checks: C-62869r935289_chk

At the command prompt, run the following command:

# xmllint --xpath "//Connector/@xpoweredBy" /usr/lib/vmware-vsphere-ui/server/conf/server.xml

Example result:

XPath set is empty

If the "xpoweredBy" parameter is specified and is not "false", this is a finding.

If the "xpoweredBy" parameter does not exist, this is not a finding.

Fix: F-62778r935290_fix

Navigate to and open:

/usr/lib/vmware-vsphere-ui/server/conf/server.xml

Navigate to the <Connector> node and remove the "xpoweredBy" attribute.

Restart the service with the following command:

# vmon-cli --restart vsphere-ui
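The server.xml checks in this guide (connectionTimeout, maxKeepAliveRequests, the shutdown port, deployXML, autoDeploy and xpoweredBy) as one added Python example that is not part of the STIG or of VMware's tooling. It parses a constructed server.xml embedded inline and resolves the ${shutdown.port} placeholder from a constructed properties fragment that stands in for the catalina.properties setting or the -Dshutdown.port JVM option the check greps; the port numbers and host name are assumptions, and nothing is read from the appliance.

```python
import re
import xml.etree.ElementTree as ET

# Constructed catalina.properties fragment (stands in for the catalina.properties
# entry or the -Dshutdown.port JVM option the check greps); used to resolve ${...}.
CATALINA_PROPERTIES = """
shutdown.port=-1
http.port=5090
"""

# Constructed server.xml; the second Connector and the Host are deliberately
# non-compliant so that the checker has something to report.
SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="${shutdown.port}" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="${http.port}" maxThreads="800" connectionTimeout="300000"
               maxKeepAliveRequests="100"/>
    <Connector port="5443" connectionTimeout="-1" maxKeepAliveRequests="-1"
               xpoweredBy="true"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" deployXML="false" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>
"""

_PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def parse_properties(text):
    """Minimal key=value parser; comments and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def resolve(value, props):
    """Expand ${name} from the property map; unknown names are left as-is."""
    if value is None:
        return None
    return _PLACEHOLDER.sub(lambda m: props.get(m.group(1), m.group(0)), value)


def server_xml_findings(server_xml, properties_text):
    """Return (vuln_id, message) tuples; an empty list means all rules pass."""
    props = parse_properties(properties_text)
    root = ET.fromstring(server_xml)
    findings = []

    # VCUI-80-000134: the shutdown port must resolve to -1 (listener disabled).
    shutdown = resolve(root.get("port"), props)
    if shutdown != "-1":
        findings.append(("V-259124", f"Server port resolves to {shutdown!r}, expected '-1'"))

    for conn in root.iter("Connector"):
        port = resolve(conn.get("port"), props)
        # VCUI-80-000125: connectionTimeout="-1" disables the idle timeout.
        if conn.get("connectionTimeout") == "-1":
            findings.append(("V-259119", f"Connector {port}: connectionTimeout=-1"))
        # VCUI-80-000126: maxKeepAliveRequests="-1" makes keep-alive unlimited.
        if conn.get("maxKeepAliveRequests") == "-1":
            findings.append(("V-259120", f"Connector {port}: maxKeepAliveRequests=-1"))
        # VCUI-80-000140: xpoweredBy may be absent (default false) or "false".
        if conn.get("xpoweredBy", "false").lower() != "false":
            findings.append(("V-259129", f"Connector {port}: xpoweredBy={conn.get('xpoweredBy')}"))

    for host in root.iter("Host"):
        # VCUI-80-000138 / VCUI-80-000139: both attributes must be explicitly "false".
        for attr, vuln in (("deployXML", "V-259127"), ("autoDeploy", "V-259128")):
            if host.get(attr) != "false":
                findings.append((vuln, f"Host {host.get('name')}: {attr}={host.get(attr)!r}"))
    return findings


if __name__ == "__main__":
    for vuln, msg in server_xml_findings(SERVER_XML, CATALINA_PROPERTIES):
        print(f"FINDING {vuln}: {msg}")
```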

The vCenter UI service example applications must be removed.
CM-7 - Medium - CCI-000381 - V-259130 - SV-259130r960963_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCUI-80-000141
Vuln IDs
  • V-259130
Rule IDs
  • SV-259130r960963_rule
Tomcat provides example applications, documentation, and other directories in the default installation that do not serve a production use. These files must be deleted.
Checks: C-62870r935292_chk

At the command prompt, run the following command:

# ls -l /usr/lib/vmware-vsphere-ui/server/webapps/examples

If the examples folder exists or contains any content, this is a finding.

Fix: F-62779r935293_fix

At the command prompt, run the following command:

# rm -rf /usr/lib/vmware-vsphere-ui/server/webapps/examples

The vCenter UI service default ROOT web application must be removed.
CM-7 - Medium - CCI-000381 - V-259131 - SV-259131r960963_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCUI-80-000142
Vuln IDs
  • V-259131
Rule IDs
  • SV-259131r960963_rule
The default ROOT web application includes the version of Tomcat being used, links to Tomcat documentation, examples, FAQs, and mailing lists. The default ROOT web application must be removed from a publicly accessible instance and a more appropriate default page shown to users.
Checks: C-62871r935295_chk

At the command prompt, run the following command:

# ls -l /usr/lib/vmware-vsphere-ui/server/webapps/ROOT

If the ROOT web application contains any content, this is a finding.

Fix: F-62780r935296_fix

At the command prompt, run the following command:

# rm -rf /usr/lib/vmware-vsphere-ui/server/webapps/ROOT/*

The vCenter UI service default documentation must be removed.
CM-7 - Medium - CCI-000381 - V-259132 - SV-259132r960963_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCUI-80-000143
Vuln IDs
  • V-259132
Rule IDs
  • SV-259132r960963_rule
Tomcat provides documentation and other directories in the default installation that do not serve a production use. These files must be deleted.
Checks: C-62872r935298_chk

At the command prompt, run the following command:

# ls -l /usr/lib/vmware-vsphere-ui/server/webapps/docs

If the "docs" folder exists or contains any content, this is a finding.

Fix: F-62781r935299_fix

At the command prompt, run the following command:

# rm -rf /usr/lib/vmware-vsphere-ui/server/webapps/docs

The vCenter UI service must disable "ALLOW_BACKSLASH".
CM-6 - Medium - CCI-000366 - V-259133 - SV-259133r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCUI-80-000151
Vuln IDs
  • V-259133
Rule IDs
  • SV-259133r961863_rule
When Tomcat is installed behind a proxy configured to only allow access to certain contexts (web applications), an HTTP request containing "/\../" may allow attackers to work around the proxy restrictions using directory traversal attack methods. If "allow_backslash" is "true", the "\" character will be permitted as a path delimiter. The default value for the setting is "false", but Tomcat must always be configured as if no proxy restricting context access was used, and "allow_backslash" should be set to "false" to prevent directory-traversal-style attacks. This setting can create operability issues with noncompliant clients.
Checks: C-62873r935301_chk

At the command line, run the following command:

# grep ALLOW_BACKSLASH /usr/lib/vmware-vsphere-ui/server/conf/catalina.properties

Example result:

org.apache.catalina.connector.ALLOW_BACKSLASH=false

If "org.apache.catalina.connector.ALLOW_BACKSLASH" is not set to "false", this is a finding.

If the "org.apache.catalina.connector.ALLOW_BACKSLASH" setting does not exist, this is not a finding.

Fix: F-62782r935302_fix

Navigate to and open:

/usr/lib/vmware-vsphere-ui/server/conf/catalina.properties

Update or remove the following line:

org.apache.catalina.connector.ALLOW_BACKSLASH=false

Restart the service with the following command:

# vmon-cli --restart vsphere-ui

The vCenter UI service must enable "ENFORCE_ENCODING_IN_GET_WRITER".
CM-6 - Medium - CCI-000366 - V-259134 - SV-259134r961863_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
VCUI-80-000152
Vuln IDs
  • V-259134
Rule IDs
  • SV-259134r961863_rule
Some clients try to guess the character encoding of text media when the mandated default of ISO-8859-1 should be used. Some browsers will interpret the content as UTF-7 even when the characters are safe for ISO-8859-1. This can create the potential for an XSS attack. To defend against this, enforce_encoding_in_get_writer must be set to true.
Checks: C-62874r935304_chk

At the command line, run the following command:

# grep ENFORCE_ENCODING_IN_GET_WRITER /usr/lib/vmware-vsphere-ui/server/conf/catalina.properties

Example result:

org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER=true

If "org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER" is not set to "true", this is a finding.

If the "org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER" setting does not exist, this is not a finding.

Fix: F-62783r935305_fix

Navigate to and open:

/usr/lib/vmware-vsphere-ui/server/conf/catalina.properties

Update or remove the following line:

org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER=true

Restart the service with the following command:

# vmon-cli --restart vsphere-ui

The vCenter UI service manager webapp must be removed.
CM-7 - Medium - CCI-000381 - V-259135 - SV-259135r960963_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCUI-80-000154
Vuln IDs
  • V-259135
Rule IDs
  • SV-259135r960963_rule
Tomcat provides management functionality through either a default manager webapp or through local editing of the configuration files. The manager webapp files must be deleted, and administration must be performed through the local editing of the configuration files.
Checks: C-62875r935307_chk

At the command prompt, run the following command:

# ls -l /usr/lib/vmware-vsphere-ui/server/webapps/manager

If the manager folder exists or contains any content, this is a finding.

Fix: F-62784r935308_fix

At the command prompt, run the following command:

# rm -rf /usr/lib/vmware-vsphere-ui/server/webapps/manager

The vCenter UI service host-manager webapp must be removed.
CM-7 - Medium - CCI-000381 - V-259136 - SV-259136r1003680_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VCUI-80-000155
Vuln IDs
  • V-259136
Rule IDs
  • SV-259136r1003680_rule
Tomcat provides host management functionality through either a default host-manager webapp or through local editing of the configuration files. The host-manager webapp files must be deleted, and administration must be performed through the local editing of the configuration files.
Checks: C-62876r1003679_chk

At the command prompt, run the following command:

# ls -l /usr/lib/vmware-vsphere-ui/server/webapps/host-manager

If the host-manager folder exists or contains any content, this is a finding.

Fix: F-62785r935311_fix

At the command prompt, run the following command:

# rm -rf /usr/lib/vmware-vsphere-ui/server/webapps/host-manager