UCF STIG Viewer Logo

The vCenter VAMI service must explicitly disable Multipurpose Internet Mail Extensions (MIME) mime mappings based on "Content-Type".


Finding ID Version Rule ID IA Controls Severity
V-259143 VCLD-80-000031 SV-259143r935333_rule Medium
Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more functionality than is needed for the operation of the hosted application poses a security issue. A user with too much access can view information that is not needed for the user's job role, or the user could use the function in an unintentional manner. A MIME tells the web server what type of program various file types and extensions are and what external utilities or programs are needed to execute the file type. A limited number of MIME types must be configured manually, and automatic mapping must be disabled.
VMware vSphere 8.0 vCenter Appliance Management Interface (VAMI) Security Technical Implementation Guide 2023-10-29


Check Text ( C-62883r935331_chk )
At the command prompt, run the following command:

# /opt/vmware/sbin/vami-lighttpd -p -f /opt/vmware/etc/lighttpd/lighttpd.conf 2>/dev/null|grep "mimetype.use-xattr"

Expected result:


If the output does not match the expected result, this is a finding.

Note: The command must be run from a bash shell and not from a shell generated by the "appliance shell". Use the "chsh" command to change the shell for the account to "/bin/bash". Refer to KB Article 2100508 for more details:

Fix Text (F-62792r935332_fix)
Navigate to and open:


Add or reconfigure the following value:

mimetype.use-xattr = "disable"

Restart the service with the following command:

# vmon-cli --restart applmgmt