Check: VCRP-67-000004
VMware vSphere 6.7 RhttpProxy STIG:
VCRP-67-000004
(in versions v1 r3 through v1 r2)
Title
The rhttpproxy must use cryptography to protect the integrity of remote sessions. (Cat II impact)
Discussion
The rhttpproxy can be configured to support TLS 1.0, 1.1 and 1.2. Because of intrinsic weaknesses in TLS 1.0 and TLS 1.1, both are disabled by default. The <protocols> block in the rhttpproxy configuration is commented out by default, and that default configuration forces TLS 1.2. In certain upgrade scenarios the block may instead be set explicitly to "tls1.2", but the effect is the same.
Check Content
At the command prompt, execute the following command:

# xmllint --xpath '/config/vmacore/ssl/protocols' /etc/vmware-rhttpproxy/config.xml

Expected result:

<protocols>tls1.2</protocols>

OR

XPath set is empty

If the output does not match the expected result, this is a finding.
Fix Text
Navigate to and open /etc/vmware-rhttpproxy/config.xml.

Locate the <config>/<vmacore>/<ssl> block and configure <protocols> as follows:

<protocols>tls1.2</protocols>

Restart the service for changes to take effect:

# vmon-cli --restart rhttpproxy
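The check and the fix above are both decisions about one XML element, so the same logic can be scripted for fleet-wide auditing. The following is an added example, not part of the STIG or of VMware's tooling: it evaluates a config.xml the way the xmllint check does (an empty XPath result or exactly "tls1.2" passes, anything else is a finding) and can emit the remediated document. The sample configurations are constructed, not copied from a real vCenter host, and the script does not restart the service.

```python
# Added example (not from the STIG or VMware): evaluates VCRP-67-000004 against
# an rhttpproxy config.xml and can produce the remediated XML.
import xml.etree.ElementTree as ET

# Same path as the xmllint check, relative to the <config> root element.
XPATH = "./vmacore/ssl/protocols"


def check_protocols(config_xml):
    """Return (compliant, reason). Mirrors the Check Content: an empty XPath
    set or a single <protocols>tls1.2</protocols> element passes."""
    root = ET.fromstring(config_xml)  # the default parser drops XML comments
    if root.tag != "config":
        return False, "unexpected root element <%s>" % root.tag
    nodes = root.findall(XPATH)
    if not nodes:
        return True, "XPath set is empty (block commented out; TLS 1.2 forced by default)"
    values = [(n.text or "").strip() for n in nodes]
    if values == ["tls1.2"]:
        return True, "<protocols>tls1.2</protocols>"
    return False, "finding: protocols = %r" % values


def remediate(config_xml):
    """Return config.xml with <config>/<vmacore>/<ssl>/<protocols> set to
    tls1.2, creating the enclosing elements if they are missing."""
    root = ET.fromstring(config_xml)
    node = root
    for tag in ("vmacore", "ssl"):
        child = node.find(tag)
        if child is None:
            child = ET.SubElement(node, tag)
        node = child
    for old in node.findall("protocols"):  # drop any existing/duplicate entries
        node.remove(old)
    ET.SubElement(node, "protocols").text = "tls1.2"
    return ET.tostring(root, encoding="unicode")


# Constructed sample configurations (not real files from a vCenter host).
DEFAULT_CFG = "<config><vmacore><ssl><!-- <protocols>tls1.2</protocols> --></ssl></vmacore></config>"
LEGACY_CFG = "<config><vmacore><ssl><protocols>tls1.0,tls1.1,tls1.2</protocols></ssl></vmacore></config>"

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CFG), ("legacy", LEGACY_CFG)):
        ok, why = check_protocols(cfg)
        print(name, "PASS" if ok else "FAIL", why)
    print(remediate(LEGACY_CFG))
```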
Additional Identifiers
Rule ID: SV-240719r879520_rule
Vulnerability ID: V-240719
Group Title: SRG-APP-000015-WSR-000014
CCIs
Number | Definition
---|---
CCI-001453 | The information system implements cryptographic mechanisms to protect the integrity of remote access sessions.
Controls
Number | Title
---|---
AC-17 (2) | Protection Of Confidentiality / Integrity Using Encryption