Check: VCST-67-000001
VMware vSphere 6.7 STS Tomcat STIG: VCST-67-000001 (in version v1 r1)
Title
The Security Token Service must limit the amount of time that each TCP connection is kept alive. (Cat II impact)
Discussion
Denial of service (DoS) is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resources are available to satisfy legitimate requests. In Tomcat, the "connectionTimeout" attribute sets the number of milliseconds the server will wait after accepting a connection for the request URI line to be presented. This timeout will also be used when reading the request body (if any). This prevents idle sockets that are not sending HTTP requests from consuming system resources and potentially denying new connections.
Check Content
At the command prompt, execute the following command:

# xmllint --format /usr/lib/vmware-sso/vmware-sts/conf/server.xml | sed '2 s/xmlns=".*"//g' | xmllint --xpath '/Server/Service/Connector[@port="${bio-custom.http.port}"]/@connectionTimeout' -

Expected result:

connectionTimeout="60000"

If the output does not match the expected result, this is a finding.
Fix Text
Navigate to and open /usr/lib/vmware-sso/vmware-sts/conf/server.xml.
Navigate to each of the <Connector> nodes.
Configure each <Connector> node with the value: connectionTimeout="60000"
Additional Identifiers
Rule ID: SV-239652r679028_rule
Vulnerability ID: V-239652
Group Title: SRG-APP-000001-WSR-000001
Expert Comments
CCIs
Number | Definition
---|---
CCI-000054 | The information system limits the number of concurrent sessions for each organization-defined account and/or account type to an organization-defined number of sessions.
Controls
Number | Title
---|---
AC-10 | Concurrent Session Control