Check: VCST-67-000015
VMware vSphere 6.7 STS Tomcat STIG:
VCST-67-000015
(in versions v1 r3 through v1 r2)
Title
The Security Token Service must be configured with memory leak protection. (Cat II impact)
Discussion
The Java Runtime environment can cause a memory leak or lock files under certain conditions. Without memory leak protection, the Security Token Service can continue to consume system resources, which will lead to "OutOfMemoryErrors" when reloading web applications. Memory leaks occur when JRE code uses the context class loader to load a singleton. This will cause a memory leak if a web application class loader happens to be the context class loader at the time. The "JreMemoryLeakPreventionListener" class is designed to initialize these singletons when Tomcat's common class loader is the context class loader. Proper use of JRE memory leak protection will ensure that the hosted application does not consume system resources and cause an unstable environment.
Check Content
Connect to the PSC, whether external or embedded. At the command prompt, execute the following command: # grep JreMemoryLeakPreventionListener /usr/lib/vmware-sso/vmware-sts/conf/server.xml Expected result: <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/> If the output of the command does not match the expected result, this is a finding.
Fix Text
Connect to the PSC, whether external or embedded. Navigate to and open /usr/lib/vmware-sso/vmware-sts/conf/server.xml. Navigate to the <Server> node. Add '<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>' to the <Server> node.
Additional Identifiers
Rule ID: SV-239666r879587_rule
Vulnerability ID: V-239666
Group Title: SRG-APP-000141-WSR-000086
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000381 |
The organization configures the information system to provide only essential capabilities. |
Controls
Number | Title |
---|---|
CM-7 |
Least Functionality |