Check: VCST-67-000025
VMware vSphere 6.7 STS Tomcat STIG:
VCST-67-000025
(in versions v1 r3 through v1 r2)
Title
The Security Token Service must not enable support for TRACE requests. (Cat II impact)
Discussion
"Trace" is a technique for a user to request internal information about Tomcat. This is useful during product development but should not be enabled in production. Allowing an attacker to conduct a Trace operation against the Security Token Service will expose information that would be useful to perform a more targeted attack. The Security Token Service provides the "allowTrace" parameter as a means to disable responding to Trace requests.
Check Content
Connect to the PSC, whether external or embedded. At the command prompt, execute the following command: # grep allowTrace /usr/lib/vmware-sso/vmware-sts/conf/server.xml If "allowTrace" is set to "true", this is a finding. If no line is returned, this is NOT a finding.
Fix Text
Connect to the PSC, whether external or embedded. Navigate to and open /usr/lib/vmware-sso/vmware-sts/conf/server.xml. Navigate to and locate: 'allowTrace="true"' Remove the 'allowTrace="true"' setting.
Additional Identifiers
Rule ID: SV-239676r879655_rule
Vulnerability ID: V-239676
Group Title: SRG-APP-000266-WSR-000160
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001312 |
The information system generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. |
Controls
Number | Title |
---|---|
SI-11 |
Error Handling |