Check: VCST-67-000013
VMware vSphere 6.7 STS Tomcat STIG:
VCST-67-000013
(in versions v1 r3 through v1 r2)
Title
The Security Token Service must have mappings set for Java servlet pages. (Cat II impact)
Discussion
Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and identify which file types are not to be delivered to a client. By not specifying which files can and cannot be served to a user, the web server could deliver to a user web server configuration files, log files, password files, etc. As Tomcat is a Java-based web server, the main file extension used is *.jsp. This check ensures that the *.jsp and *.jspx file types have been properly mapped to servlets.
Check Content
Connect to the PSC, whether external or embedded. At the command prompt, execute the following command: # xmllint --format /usr/lib/vmware-sso/vmware-sts/conf/web.xml | sed '2 s/xmlns=".*"//g' | xmllint --xpath '/web-app/servlet-mapping/servlet-name[text()="jsp"]/parent::servlet-mapping' - Expected result: <servlet-mapping> <servlet-name>jsp</servlet-name> <url-pattern>*.jsp</url-pattern> <url-pattern>*.jspx</url-pattern> </servlet-mapping> If the output of the command does not match the expected result, this is a finding.
Fix Text
Connect to the PSC, whether external or embedded. Navigate to and open /usr/lib/vmware-sso/vmware-sts/conf/web.xml. Inside the <web-app> parent node, add the following: <servlet-mapping> <servlet-name>jsp</servlet-name> <url-pattern>*.jsp</url-pattern> <url-pattern>*.jspx</url-pattern> </servlet-mapping>
Additional Identifiers
Rule ID: SV-239664r879587_rule
Vulnerability ID: V-239664
Group Title: SRG-APP-000141-WSR-000083
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000381 |
The organization configures the information system to provide only essential capabilities. |
Controls
Number | Title |
---|---|
CM-7 |
Least Functionality |