| Vuln ID | | Rule Title | Discussion |
| --- | --- | --- | --- |
| V-256706 | | Lookup Service must limit the amount of time that each Transmission Control Protocol (TCP) connection is kept alive. | Denial of service (DoS) is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resourc... |
| V-256707 | | Lookup Service must limit the number of concurrent connections permitted. | Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a website, facilitating a denial-of-service attack. Unles... |
| V-256708 | | Lookup Service must limit the maximum size of a POST request. | The "maxPostSize" value is the maximum size in bytes of the POST that will be handled by the container FORM URL parameter parsing. Limit its size to r... |
| V-256709 | | Lookup Service must protect cookies from cross-site scripting (XSS). | Cookies are a common way to save session state over the HTTP(S) protocol. If an attacker can compromise session data stored in a cookie, they are bett... |
| V-256710 | | Lookup Service must record user access in a format that enables monitoring of remote access. | Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine th... |
| V-256711 | | Lookup Service must generate log records for system startup and shutdown. | Logging must be started as soon as possible when a service starts and when a service is stopped. Many forms of suspicious actions can be detected by a... |
| V-256712 | | Lookup Service log files must only be accessible by privileged users. | Log data is essential in the investigation of events. If log data were to become compromised, competent forensic analysis and discovery of the true so... |
| V-256713 | | Lookup Service application files must be verified for their integrity. | Verifying the Lookup Service application code is unchanged from its shipping state is essential for file validation and nonrepudiation of the Lookup S... |
| V-256714 | | Lookup Service must only run one webapp. | VMware ships Lookup Service on the vCenter Server Appliance (VCSA) with one webapp. Any other path is potentially malicious and must be removed.... |
| V-256715 | | Lookup Service must not be configured with the "UserDatabaseRealm" enabled. | The Lookup Service performs user authentication at the application level and not through Tomcat. By default, there is no configuration for the "UserDa... |
| V-256716 | | Lookup Service must be configured to limit access to internal packages. | The "package.access" entry in the "catalina.properties" file implements access control at the package level. When properly configured, a Security Exce... |
| V-256717 | | Lookup Service must have Multipurpose Internet Mail Extensions (MIME) types that invoke operating system shell programs disabled. | MIME mappings tell the Lookup Service what type of program various file types and extensions are and what external utilities or programs are needed to... |
| V-256718 | | Lookup Service must have mappings set for JavaServer Pages (JSP). | Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client... |
| V-256719 | | Lookup Service must not have the Web Distributed Authoring and Versioning (WebDAV) servlet installed. | WebDAV is an extension to the HTTP protocol that, when developed, was meant to allow users to create, change, and move documents on a server, typicall... |
| V-256720 | | Lookup Service must be configured with memory leak protection. | The Java Runtime Environment (JRE) can leak memory or lock files under certain conditions. Without memory leak protection, Lookup Service can contin... |
| V-256721 | | Lookup Service must not have any symbolic links in the web content directory tree. | A web server is designed to deliver content and execute scripts or applications on the request of a client or user. Containing user requests to files ... |
| V-256722 | | Lookup Service directory tree must have permissions in an out-of-the-box state. | As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require acco... |
| V-256723 | | Lookup Service must fail to a known safe state if system initialization fails, shutdown fails, or aborts fail. | Determining a safe state for failure and weighing that against a potential denial of service for users depends on what type of application the web ser... |
| V-256724 | | Lookup Service must limit the number of allowed connections. | Limiting the number of established connections is a basic denial-of-service protection and a best practice. Servers where the limit is too high or unl... |
| V-256725 | | Lookup Service must set URIEncoding to UTF-8. | Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared... |
| V-256726 | | Lookup Service must set the welcome-file node to a default web page. | Enumeration techniques, such as URL parameter manipulation, rely on being able to obtain information about the web server's directory structure by loc... |
| V-256727 | | Lookup Service must not show directory listings. | Enumeration techniques, such as URL parameter manipulation, rely on being able to obtain information about the web server's directory structure by loc... |
| V-256728 | | Lookup Service must be configured to hide the server version. | Web servers will often display error messages to client users, including enough information to aid in the debugging of the error. The information give... |
| V-256729 | | Lookup Service must be configured to show error pages with minimal information. | Web servers will often display error messages to client users, including enough information to aid in the debugging of the error. The information give... |
| V-256730 | | Lookup Service must not enable support for TRACE requests. | "TRACE" is an HTTP method that echoes the received request back to the client, including its headers, and lets a user request internal information about Tomcat. This is useful during product development but should not be enabled in... |
| V-256731 | | Lookup Service must have the debug option turned off. | Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug... |
| V-256732 | | Lookup Service must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the web server. | To ensure the logging mechanism used by the web server has sufficient storage capacity in which to write the logs, the logging mechanism must be able ... |
| V-256733 | | Lookup Service log files must be offloaded to a central log server in real time. | Lookup Service produces several logs that must be offloaded from the originating system. This information can then be used for diagnostic, forensics, ... |
| V-256734 | | Lookup Service must be configured with the appropriate ports. | Web servers provide numerous processes, features, and functionalities that use TCP/IP ports. Some of these processes may be deemed unnecessary or too ... |
| V-256735 | | Lookup Service must disable the shutdown port. | An attacker has at least two reasons to stop a web server. The first is to cause a denial of service, and the second is to put in place changes the at... |
| V-256736 | | Lookup Service must set the secure flag for cookies. | The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of t... |
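Most rows in this table reduce to attributes in Tomcat's `server.xml` or elements in the webapp's `web.xml`, so they can be audited offline. The following script is an added example written for this page; it is not the STIG's check text and not VMware's code. It embeds a constructed weak configuration pair beside a hardened one and reports which rows each fails. Assumptions: `maxThreads` is taken as the concurrency limit for V-256707 and `acceptCount` for V-256724 (the STIG's own check text is truncated above), Tomcat's defaults of `allowTrace="false"`, `showServerInfo="true"`, `showReport="true"` and `listings=false` apply when the attribute or parameter is absent, and the rule labels are local strings, not STIG identifiers beyond the Vuln ID prefix.

```python
# Added example (not STIG check text or VMware code): audit Tomcat server.xml / web.xml against the
# rows above.  Sample configs are constructed; which attribute backs which rule is assumed here.
import xml.etree.ElementTree as ET

def _positive_int(value):  # absent, 0, -1 (Tomcat's "unlimited") or junk all count as a finding
    try:
        return int(value) > 0
    except (TypeError, ValueError):
        return False

def _with_class(elements, suffix):
    return [e for e in elements if e.get("className", "").endswith(suffix)]

def audit_server_xml(xml_text):
    root = ET.fromstring(xml_text)
    connectors = root.findall(".//Connector")
    valves = root.findall(".//Valve")
    err = _with_class(valves, "ErrorReportValve")

    def every(check):  # every Connector must pass; a server.xml with no Connector is itself a finding
        return bool(connectors) and all(check(c) for c in connectors)

    return {
        "V-256735 shutdown port disabled": root.get("port") == "-1",
        "V-256706 connectionTimeout set": every(lambda c: _positive_int(c.get("connectionTimeout"))),
        # assumed mapping: maxThreads / acceptCount; with an <Executor>, maxThreads lives there instead
        "V-256707 maxThreads set": every(lambda c: _positive_int(c.get("maxThreads"))),
        "V-256724 acceptCount set": every(lambda c: _positive_int(c.get("acceptCount"))),
        "V-256708 maxPostSize limited": every(lambda c: _positive_int(c.get("maxPostSize"))),
        "V-256725 URIEncoding UTF-8": every(lambda c: c.get("URIEncoding", "").upper() == "UTF-8"),
        # allowTrace defaults to false in Tomcat, so only an explicit "true" fails
        "V-256730 TRACE disabled": every(lambda c: c.get("allowTrace", "false").lower() != "true"),
        "V-256715 no UserDatabaseRealm": not _with_class(root.findall(".//Realm"), "UserDatabaseRealm"),
        "V-256720 memory leak listener": bool(_with_class(root.findall(".//Listener"), "JreMemoryLeakPreventionListener")),
        "V-256710 AccessLogValve present": bool(_with_class(valves, "AccessLogValve")),
        # ErrorReportValve prints the version banner and stack traces unless both flags are "false"
        "V-256728 server version hidden": bool(err) and all(v.get("showServerInfo", "true").lower() == "false" for v in err),
        "V-256729 minimal error pages": bool(err) and all(v.get("showReport", "true").lower() == "false" for v in err),
    }

def audit_web_xml(xml_text):
    root = ET.fromstring(xml_text)
    for el in root.iter():  # drop the Java EE / Jakarta namespace so the paths below stay readable
        el.tag = el.tag.rsplit("}", 1)[-1]

    def cookie_flag(name):
        el = root.find(f"./session-config/cookie-config/{name}")
        return el is not None and (el.text or "").strip().lower() == "true"

    servlets = {(s.findtext("servlet-class") or "").strip(): s for s in root.findall("./servlet")}
    default = servlets.get("org.apache.catalina.servlets.DefaultServlet")
    listings = "false"  # DefaultServlet's own default when the webapp does not override it
    if default is not None:
        for p in default.findall("./init-param"):
            if (p.findtext("param-name") or "").strip() == "listings":
                listings = (p.findtext("param-value") or "").strip().lower()
    return {
        "V-256709 cookies HttpOnly": cookie_flag("http-only"),
        "V-256736 cookies Secure": cookie_flag("secure"),
        "V-256727 directory listings off": listings != "true",
        "V-256719 no WebDAV servlet": "org.apache.catalina.servlets.WebdavServlet" not in servlets,
    }

def audit(server_xml, web_xml):
    return {**audit_server_xml(server_xml), **audit_web_xml(web_xml)}

def failed(findings):  # sorted labels of the rows that did not pass
    return sorted(k for k, ok in findings.items() if not ok)

# Constructed samples: a weak pair that fails every row checked here and a hardened pair that passes.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="7090" protocol="HTTP/1.1" connectionTimeout="-1" allowTrace="true"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>"""
HARDENED_SERVER_XML = """<Server port="-1" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
  <Service name="Catalina">
    <Connector port="7090" protocol="HTTP/1.1" connectionTimeout="60000" maxThreads="300"
               acceptCount="300" maxPostSize="2097152" URIEncoding="UTF-8"/>
    <Engine name="Catalina" defaultHost="localhost"><Host name="localhost" appBase="webapps">
      <Valve className="org.apache.catalina.valves.AccessLogValve" pattern="%h %l %u %t %r %s %b"/>
      <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false"/>
    </Host></Engine>
  </Service>
</Server>"""
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet><servlet-name>default</servlet-name><servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>true</param-value></init-param></servlet>
  <servlet><servlet-name>webdav</servlet-name><servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class></servlet>
</web-app>"""
HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <session-config><cookie-config><http-only>true</http-only><secure>true</secure></cookie-config></session-config>
</web-app>"""

if __name__ == "__main__":
    print(failed(audit(WEAK_SERVER_XML, WEAK_WEB_XML)), failed(audit(HARDENED_SERVER_XML, HARDENED_WEB_XML)))
```

Run against a real appliance by reading the two files into the `audit` call instead of the embedded strings; rows that depend on file permissions, log offloading, ports, or integrity (V-256712 through V-256714, V-256722, V-256732 through V-256734) are not XML settings and are outside what this script can decide. Because `every` requires all Connectors to pass and treats an empty Connector list as a failure, a `server.xml` that disables the HTTP listener entirely will show up as findings rather than silently passing.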