The Security Token Service must have mappings set for Java servlet pages.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-256757 | VCST-70-000013 | SV-256757r889241_rule | CCI-000381 | medium |
| Description | ||||
| Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and identify which file types are not to be delivered to a client. By not specifying which files can and cannot be served to a user, the web server could deliver to a user web server configuration files, log files, password files, etc. As Tomcat is a Java-based web server, the main file extension used is *.jsp. This check ensures the *.jsp and *.jspx file types have been properly mapped to servlets. | ||||
| STIG | Date | |||
| VMware vSphere 7.0 vCenter Appliance STS Security Technical Implementation Guide | 2023-06-15 | |||
Details
Check Text (C-256757r889241_chk)
At the command prompt, run the following command:
# xmllint --format /usr/lib/vmware-sso/vmware-sts/conf/web.xml | sed '2 s/xmlns=".*"//g' | xmllint --xpath '/web-app/servlet-mapping/servlet-name[text()="jsp"]/parent::servlet-mapping' -
Expected result:
<servlet-mapping>
<servlet-name>jsp</servlet-name>
<url-pattern>*.jsp</url-pattern>
<url-pattern>*.jspx</url-pattern>
</servlet-mapping>
If the output of the command does not match the expected result, this is a finding.
Fix Text (F-60375r889240_fix)
Navigate to and open:
/usr/lib/vmware-sso/vmware-sts/conf/web.xml
Inside the <web-app> parent node, add the following:
<servlet-mapping>
<servlet-name>jsp</servlet-name>
<url-pattern>*.jsp</url-pattern>
<url-pattern>*.jspx</url-pattern>
</servlet-mapping>
Restart the service with the following command:
# vmon-cli --restart sts