UCF STIG Viewer Logo

The Security Token Service must not enable support for TRACE requests.


Finding ID Version Rule ID IA Controls Severity
V-239676 VCST-67-000025 SV-239676r816753_rule Medium
"Trace" is a technique for a user to request internal information about Tomcat. This is useful during product development but should not be enabled in production. Allowing an attacker to conduct a Trace operation against the Security Token Service will expose information that would be useful to perform a more targeted attack. The Security Token Service provides the "allowTrace" parameter as a means to disable responding to Trace requests.
VMware vSphere 6.7 STS Tomcat Security Technical Implementation Guide 2022-01-03


Check Text ( C-42909r816751_chk )
Connect to the PSC, whether external or embedded.

At the command prompt, execute the following command:

# grep allowTrace /usr/lib/vmware-sso/vmware-sts/conf/server.xml

If "allowTrace" is set to "true", this is a finding.

If no line is returned, this is NOT a finding.
Fix Text (F-42868r816752_fix)
Connect to the PSC, whether external or embedded.

Navigate to and open /usr/lib/vmware-sso/vmware-sts/conf/server.xml.

Navigate to and locate:

Remove the 'allowTrace="true"' setting.