| V-256611 | | Performance Charts must limit the amount of time that each Transmission Control Protocol (TCP) connection is kept alive. | Denial of service (DoS) is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resourc... |
| V-256612 | | Performance Charts must limit the number of concurrent connections permitted. | Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a website, facilitating a denial-of-service attack. Unles... |
| V-256613 | | Performance Charts must limit the maximum size of a POST request. | The "maxPostSize" value is the maximum size in bytes of the POST that will be handled by the container FORM URL parameter parsing. Limit its size to r... |
| V-256614 | | Performance Charts must protect cookies from cross-site scripting (XSS). | Cookies are a common way to save session state over the HTTP(S) protocol. If an attacker can compromise session data stored in a cookie, they are bett... |
| V-256615 | | Performance Charts must record user access in a format that enables monitoring of remote access. | Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine th... |
| V-256616 | | Performance Charts must generate log records for system startup and shutdown. | Logging must start as early as possible during service startup and must also record the service being stopped. Many forms of suspicious actions can be detected by a... |
| V-256617 | | Performance Charts log files must only be modifiable by privileged users. | Log data is essential in the investigation of events. The accuracy of the information is always pertinent. One of the first steps an attacker will und... |
| V-256618 | | Performance Charts application files must be verified for their integrity. | Verifying that the Performance Charts application code is unchanged from its shipping state is essential for file validation and nonrepudiation of Perf... |
| V-256619 | | Performance Charts must only run one webapp. | VMware ships Performance Charts on the vCenter Server Appliance (VCSA) with one webapp. Any other path is potentially malicious and must be removed.... |
| V-256620 | | Performance Charts must not be configured with unsupported realms. | Performance Charts performs user authentication at the application level and not through Tomcat. Depending on the vCenter Server Appliance (VCSA) vers... |
| V-256621 | | Performance Charts must be configured to limit access to internal packages. | The "package.access" entry in the "catalina.properties" file implements access control at the package level. When properly configured, a Security Exce... |
| V-256622 | | Performance Charts must have Multipurpose Internet Mail Extensions (MIME) types that invoke operating system shell programs disabled. | MIME mappings tell Performance Charts what content type each file type or extension represents and what external utilities or programs are needed to... |
| V-256623 | | Performance Charts must have mappings set for Java servlet pages. | Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client... |
| V-256624 | | Performance Charts must not have the Web Distributed Authoring and Versioning (WebDAV) servlet installed. | WebDAV is an extension to the HTTP protocol that, when developed, was meant to allow users to create, change, and move documents on a server, typicall... |
| V-256625 | | Performance Charts must be configured with memory leak protection. | The Java Runtime environment can cause a memory leak or lock files under certain conditions. Without memory leak protection, Performance Charts can con... |
| V-256626 | | Performance Charts must not have any symbolic links in the web content directory tree. | A web server is designed to deliver content and execute scripts or applications on the request of a client or user. Containing user requests to files ... |
| V-256627 | | Performance Charts directory tree must have permissions in an out-of-the-box state. | Accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the... |
| V-256628 | | Performance Charts must fail to a known safe state if system initialization fails, shutdown fails, or an abort occurs. | Determining a safe state for failure and weighing that against a potential denial of service for users depends on what type of application the web ser... |
| V-256629 | | Performance Charts must limit the number of allowed connections. | Limiting the number of established connections to Performance Charts is a basic denial-of-service protection. Servers where the limit is too high or u... |
| V-256630 | | Performance Charts must set "URIEncoding" to UTF-8. | Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared... |
| V-256631 | | Performance Charts must use the "setCharacterEncodingFilter" filter. | Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared... |
| V-256632 | | Performance Charts must set the welcome-file node to a default web page. | Enumeration techniques, such as URL parameter manipulation, rely on being able to obtain information about the web server's directory structure by loc... |
| V-256633 | | Performance Charts must not show directory listings. | Enumeration techniques, such as URL parameter manipulation, rely on being able to obtain information about the web server's directory structure by loc... |
| V-256634 | | Performance Charts must be configured to show error pages with minimal information. | Web servers will often display error messages to client users, including enough information to aid in the debugging of the error. The information give... |
| V-256635 | | Performance Charts must be configured to not show error reports. | Web servers will often display error messages to client users, including enough information to aid in the debugging of the error. The information give... |
| V-256636 | | Performance Charts must hide the server version. | Web servers will often display error messages to client users, including enough information to aid in the debugging of the error. The information give... |
| V-256637 | | Performance Charts must not enable support for TRACE requests. | "TRACE" is an HTTP method that echoes the received request, headers included, back to the client, showing how the request looked when it reached Tomcat. This is useful during product development but should not be enabled in... |
| V-256638 | | Performance Charts must have the debug option turned off. | Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug... |
| V-256639 | | Performance Charts must properly configure log sizes and rotation. | To ensure the logging mechanism used by the web server has sufficient storage capacity in which to write the logs, the logging mechanism must be able ... |
| V-256640 | | Rsyslog must be configured to monitor and ship Performance Charts log files. | Performance Charts produces several logs that must be offloaded from the originating system. This information can then be used for diagnostic purposes... |
| V-256641 | | Performance Charts must be configured with the appropriate ports. | Web servers provide numerous processes, features, and functionalities that use TCP/IP ports. Some of these processes may be deemed unnecessary or too ... |
| V-256642 | | Performance Charts must disable the shutdown port. | An attacker has at least two reasons to stop a web server. The first is to cause a denial of service, and the second is to put in place changes the at... |
| V-256643 | | Performance Charts must set the secure flag for cookies. | The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP response. The purpose of t... |
| V-256644 | | Performance Charts default servlet must be set to "readonly". | The default servlet (or DefaultServlet) is a special servlet provided with Tomcat that is called when no other suitable page is found in a particular ... |