The Security Token Service must limit the maximum size of a POST request.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-256747 | VCST-70-000003 | SV-256747r889211_rule | CCI-000054 | medium |
| Description | ||||
| The "maxPostSize" value is the maximum size in bytes of the POST that will be handled by the container FORM URL parameter parsing. Limit its size to reduce exposure to a denial-of-service (DoS) attack. If "maxPostSize" is not set, the default value of 2097152 (2MB) is used. Security Token Service is configured in its shipping state to not set a value for "maxPostSize". | ||||
| STIG | Date | |||
| VMware vSphere 7.0 vCenter Appliance STS Security Technical Implementation Guide | 2023-06-15 | |||
Details
Check Text (C-256747r889211_chk)
At the command prompt, run the following command:
# xmllint --xpath '/Server/Service/Connector[@port="${bio-custom.http.port}"]/@maxPostSize' /usr/lib/vmware-sso/vmware-sts/conf/server.xml
Expected result:
XPath set is empty
If the output does not match the expected result, this is a finding.
Fix Text (F-60365r889210_fix)
Navigate to and open:
/usr/lib/vmware-sso/vmware-sts/conf/server.xml
Navigate to each of the <Connector> nodes.
Remove any configuration for "maxPostSize".
Restart the service with the following command:
# vmon-cli --restart sts