Check: VCUI-67-000032
VMware vSphere 6.7 UI Tomcat STIG:
VCUI-67-000032
(in versions v1 r3 through v1 r1)
Title
vSphere UI must restrict its cookie path. (Cat II impact)
Discussion
When the cookie parameters are not set properly (i.e., domain and path parameters), cookies can be shared within hosted applications residing on the same web server or to applications hosted on different web servers residing on the same domain. vSphere UI is bound to the "/ui" virtual path behind the reverse proxy, and its cookies are configured as such. This configuration must be confirmed and maintained.
Check Content
At the command prompt, execute the following command:

# xmllint --format /usr/lib/vmware-vsphere-ui/server/conf/context.xml | xmllint --xpath '/Context/@sessionCookiePath' -

Expected result:

sessionCookiePath="/ui"

If the output does not match the expected result, this is a finding.
Fix Text
Navigate to and open /usr/lib/vmware-vsphere-ui/server/conf/context.xml.

Add the following configuration to the <Context> node:

sessionCookiePath="/ui"

Example:

<Context useHttpOnly="true" sessionCookieName="VSPHERE-UI-JSESSIONID" sessionCookiePath="/ui">
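The check and fix above can be exercised offline. The following is an added example, not part of the STIG text or of VMware's tooling: it reproduces the xmllint XPath check (/Context/@sessionCookiePath) with Python's standard library and applies the fix to a constructed context.xml. The two XML documents are constructed samples, one missing the attribute (a finding) and one matching the Fix Text example; the function names are this example's own.

```python
"""Check and remediate the vSphere UI Tomcat sessionCookiePath setting (VCUI-67-000032).

Added example, not part of the STIG text. Evaluates /Context/@sessionCookiePath
the way the xmllint check does, and sets the attribute the way the Fix Text does.
"""
import xml.etree.ElementTree as ET

EXPECTED_PATH = "/ui"

# Constructed sample: a context.xml without sessionCookiePath (this is a finding).
NONCOMPLIANT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Context useHttpOnly="true" sessionCookieName="VSPHERE-UI-JSESSIONID">
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>
"""

# Constructed sample matching the STIG's Fix Text example.
COMPLIANT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Context useHttpOnly="true" sessionCookieName="VSPHERE-UI-JSESSIONID" sessionCookiePath="/ui">
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>
"""


def session_cookie_path(context_xml: str):
    """Return the value of /Context/@sessionCookiePath, or None when the attribute is absent."""
    root = ET.fromstring(context_xml)
    if root.tag != "Context":
        raise ValueError(f"expected a <Context> root element, got <{root.tag}>")
    return root.get("sessionCookiePath")


def check(context_xml: str) -> bool:
    """True when the cookie path is exactly '/ui'; False means a finding."""
    return session_cookie_path(context_xml) == EXPECTED_PATH


def remediate(context_xml: str) -> str:
    """Set sessionCookiePath="/ui" on <Context>, keeping the other attributes intact."""
    root = ET.fromstring(context_xml)
    root.set("sessionCookiePath", EXPECTED_PATH)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for label, doc in (("noncompliant", NONCOMPLIANT_XML), ("compliant", COMPLIANT_XML)):
        print(f"{label}: sessionCookiePath={session_cookie_path(doc)!r} -> "
              f"{'pass' if check(doc) else 'FINDING'}")
    fixed = remediate(NONCOMPLIANT_XML)
    print("after remediation:", "pass" if check(fixed) else "FINDING")
```

ElementTree re-serializes the document when it writes it back (the XML declaration and any comments are dropped), so on a live appliance use the function only to verify; apply the fix by editing context.xml as the Fix Text describes and re-run the xmllint check.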
Additional Identifiers
Rule ID: SV-239713r879638_rule
Vulnerability ID: V-239713
Group Title: SRG-APP-000223-WSR-000011
Expert Comments
CCIs
Number | Definition
---|---
CCI-001664 | The information system recognizes only session identifiers that are system-generated.
Controls
Number | Title
---|---
SC-23 (3) | Unique Session Identifiers With Randomization