| Finding ID | | Title | Description |
|---|---|---|---|
| V-256673 | | ESX Agent Manager must limit the amount of time that each Transmission Control Protocol (TCP) connection is kept alive. | Denial of service (DoS) is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resourc... |
| V-256674 | | ESX Agent Manager must limit the number of concurrent connections permitted. | Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a website, facilitating a denial-of-service attack. Unles... |
| V-256675 | | ESX Agent Manager must limit the maximum size of a POST request. | The "maxPostSize" value is the maximum size in bytes of the POST that will be handled by the container FORM URL parameter parsing. Limit its size to r... |
| V-256676 | | ESX Agent Manager must protect cookies from cross-site scripting (XSS). | Cookies are a common way to save session state over the HTTP(S) protocol. If attackers can compromise session data stored in a cookie, they are better... |
| V-256677 | | ESX Agent Manager must record user access in a format that enables monitoring of remote access. | Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine th... |
| V-256678 | | ESX Agent Manager must generate log records for system startup and shutdown. | Logging must be started as soon as possible when a service starts and as late as possible when a service is stopped. Many forms of suspicious actions ... |
| V-256679 | | ESX Agent Manager log files must only be modifiable by privileged users. | Log data is essential in the investigation of events. The accuracy of the information is always pertinent. One of the first steps an attacker will tak... |
| V-256680 | | ESX Agent Manager application files must be verified for their integrity. | Verifying that ESX Agent Manager application code is unchanged from its shipping state is essential for file validation and nonrepudiation of the ESX ... |
| V-256681 | | ESX Agent Manager must only run one webapp. | VMware ships ESX Agent Manager on the vCenter Server Appliance (VCSA) with one webapp. Any other path is potentially malicious and must be removed. ... |
| V-256682 | | ESX Agent Manager must not be configured with unsupported realms. | ESX Agent Manager performs authentication at the application level and not through Tomcat. To eliminate unnecessary features and ensure ESX Agent Mana... |
| V-256683 | | ESX Agent Manager must be configured to limit access to internal packages. | The "package.access" entry in the "catalina.properties" file implements access control at the package level. When properly configured, a Security Exce... |
| V-256684 | | ESX Agent Manager must have Multipurpose Internet Mail Extensions (MIMEs) that invoke operating system shell programs disabled. | MIME mappings tell ESX Agent Manager what type of program various file types and extensions are and what external utilities or programs are needed to ... |
| V-256685 | | ESX Agent Manager must have mappings set for Java servlet pages. | Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client... |
| V-256686 | | ESX Agent Manager must not have the Web Distributed Authoring (WebDAV) servlet installed. | WebDAV is an extension to the HTTP protocol that, when developed, was meant to allow users to create, change, and move documents on a server, typicall... |
| V-256687 | | ESX Agent Manager must be configured with memory leak protection. | The Java Runtime environment can cause a memory leak or lock files under certain conditions. Without memory leak protection, ESX Agent Manager can con... |
| V-256688 | | ESX Agent Manager must not have any symbolic links in the web content directory tree. | A web server is designed to deliver content and execute scripts or applications at the request of a client or user. Containing user requests to files ... |
| V-256689 | | ESX Agent Manager directory tree must have permissions in an out-of-the-box state. | As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require acco... |
| V-256690 | | ESX Agent Manager must fail to a known safe state if system initialization fails, shutdown fails, or aborts fail. | Determining a safe state for failure and weighing that against a potential denial of service for users depends on what type of application the web ser... |
| V-256691 | | ESX Agent Manager must limit the number of allowed connections. | Limiting the number of established connections to the ESX Agent Manager is a basic denial-of-service protection. Servers where the limit is too high o... |
| V-256692 | | ESX Agent Manager must set URIEncoding to UTF-8. | Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared... |
| V-256693 | | ESX Agent Manager must use the "setCharacterEncodingFilter" filter. | Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared... |
| V-256694 | | ESX Agent Manager must set the welcome-file node to a default web page. | Enumeration techniques, such as URL parameter manipulation, rely on being able to obtain information about the web server's directory structure by loc... |
| V-256695 | | ESX Agent Manager must not show directory listings. | Enumeration techniques, such as URL parameter manipulation, rely on being able to obtain information about the web server's directory structure by loc... |
| V-256696 | | ESX Agent Manager must be configured to show error pages with minimal information. | Web servers will often display error messages to client users, including enough information to aid in the debugging of the error. The information give... |
| V-256697 | | ESX Agent Manager must be configured to not show error reports. | Web servers will often display error messages to client users, including enough information to aid in the debugging of the error. The information give... |
| V-256698 | | ESX Agent Manager must hide the server version. | Web servers will often display error messages to client users, including enough information to aid in the debugging of the error. The information give... |
| V-256699 | | ESX Agent Manager must not enable support for TRACE requests. | "TRACE" is a technique for a user to request internal information about Tomcat. This is useful during product development but should not be enabled in... |
| V-256700 | | ESX Agent Manager must have the debug option disabled. | Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug... |
| V-256701 | | Rsyslog must be configured to monitor and ship ESX Agent Manager log files. | ESX Agent Manager has a number of logs that must be offloaded from the originating system. This information can then be used for diagnostic, forensics... |
| V-256702 | | ESX Agent Manager must set the secure flag for cookies. | The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of t... |
| V-256703 | | ESX Agent Manager must be configured with the appropriate ports. | Web servers provide numerous processes, features, and functionalities that use TCP/IP ports. Some of these processes may be deemed unnecessary or too ... |
| V-256704 | | ESX Agent Manager must disable the shutdown port. | An attacker has at least two reasons to stop a web server. The first is to cause a denial of service, and the second is to put in place changes the at... |
| V-256705 | | ESX Agent Manager default servlet must be set to "readonly". | The default servlet (or DefaultServlet) is a special servlet provided with Tomcat that is called when no other suitable page is found in a particular ... |