Check: VCPF-67-000029
VMware vSphere 6.7 Perfcharts Tomcat STIG:
VCPF-67-000029
(in versions v1 r3 through v1 r1)
Title
Performance Charts must disable the shutdown port. (Cat II impact)
Discussion
An attacker has at least two reasons to stop a web server. The first is to cause a denial of service, and the second is to put in place changes the attacker made to the web server configuration. If the Tomcat shutdown port feature is enabled, a shutdown signal can be sent to Performance Charts through this port. To ensure availability, the shutdown port must be disabled.
Check Content
At the command prompt, execute the following command:

# grep base.shutdown.port /usr/lib/vmware-perfcharts/tc-instance/conf/catalina.properties

Expected result:

base.shutdown.port=-1

If the output of the command does not match the expected result, this is a finding.
Fix Text
Navigate to and open /etc/vmware-eam/catalina.properties.

Navigate to the ports specification section.

Add or modify the following line:

base.shutdown.port=-1
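The check and fix above are a single audit-and-remediate procedure; the following POSIX shell script is an added example (not part of the STIG text or a VMware tool) that implements both. It takes the catalina.properties path as a parameter, since the Check Content and Fix Text above cite different locations, and it treats the last uncommented base.shutdown.port line as the effective value, so a commented-out or duplicated setting is not mistaken for compliance. The demo at the bottom runs against a constructed sample file, not a real vCenter host.

```shell
#!/bin/sh
# Added example for VCPF-67-000029: audit and remediate the Tomcat
# shutdown port in a catalina.properties file. The file path is a
# parameter; the sample file below is constructed for the demo.

# check_shutdown_port FILE
# Returns 0 when the effective (last uncommented) base.shutdown.port
# value is -1, 1 when it is anything else or absent, 2 if unreadable.
check_shutdown_port() {
  file="$1"
  [ -r "$file" ] || return 2
  value=$(grep -E '^[[:space:]]*base\.shutdown\.port[[:space:]]*=' "$file" \
          | tail -n 1 \
          | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
  [ "$value" = "-1" ]
}

# fix_shutdown_port FILE
# Rewrites an existing uncommented base.shutdown.port line to -1, or
# appends one if none is present. A .bak copy is left beside the file.
fix_shutdown_port() {
  file="$1"
  if grep -qE '^[[:space:]]*base\.shutdown\.port[[:space:]]*=' "$file"; then
    sed -i.bak -E \
      's/^[[:space:]]*base\.shutdown\.port[[:space:]]*=.*/base.shutdown.port=-1/' \
      "$file"
  else
    printf '%s\n' 'base.shutdown.port=-1' >> "$file"
  fi
}

# Demo on a constructed catalina.properties fragment (not a real host).
demo_file=$(mktemp)
printf '%s\n' '# constructed catalina.properties fragment' \
              'base.shutdown.port=8005' > "$demo_file"
if check_shutdown_port "$demo_file"; then
  echo "not a finding"
else
  echo "finding: shutdown port is enabled"
fi
fix_shutdown_port "$demo_file"
if check_shutdown_port "$demo_file"; then
  echo "remediated: $(grep '^base.shutdown.port=' "$demo_file")"
fi
rm -f "$demo_file" "$demo_file.bak"
```

On a real appliance, run the check first and record the output as evidence; apply the fix only to the path the deployed Performance Charts instance actually loads, then restart the service so the new value takes effect.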
Additional Identifiers
Rule ID: SV-239430r879806_rule
Vulnerability ID: V-239430
Group Title: SRG-APP-000435-WSR-000147
Expert Comments
CCIs
Number | Definition
---|---
CCI-002385 | The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.
Controls
Number | Title
---|---
SC-5 | Denial Of Service Protection