| V-256778 | | vSphere UI must limit the amount of time that each Transmission Control Protocol (TCP) connection is kept alive. | Denial of service (DoS) is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resourc... |
| V-256779 | | vSphere UI must limit the number of concurrent connections permitted. | Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a website, facilitating a denial-of-service attack. Unles... |
| V-256780 | | vSphere UI must limit the maximum size of a POST request. | The "maxPostSize" value is the maximum size in bytes of the POST which will be handled by the container FORM URL parameter parsing. Limit its size to ... |
| V-256781 | | vSphere UI must protect cookies from cross-site scripting (XSS). | Cookies are a common way to save session state over the HTTP(S) protocol. If an attacker can compromise session data stored in a cookie, they are bett... |
| V-256782 | | vSphere UI must record user access in a format that enables monitoring of remote access. | Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine th... |
| V-256783 | | vSphere UI must generate log records for system startup and shutdown. | Logging must be started as soon as possible when a service starts and when a service is stopped. Many forms of suspicious actions can be detected by a... |
| V-256784 | | vSphere UI log files must only be accessible by privileged users. | Log data is essential in the investigation of events. If log data were to become compromised, competent forensic analysis and discovery of the true so... |
| V-256785 | | vSphere UI application files must be verified for their integrity. | Verifying the vSphere UI application code is unchanged from its shipping state is essential for file validation and nonrepudiation of the vSphere UI. ... |
| V-256786 | | vSphere UI plugins must be authorized before use. | The vSphere UI ships with a number of plugins out of the box. Any additional plugins may affect the availability and integrity of the system and must ... |
| V-256787 | | vSphere UI must not be configured with the "UserDatabaseRealm" enabled. | The vSphere UI performs user authentication at the application level and not through Tomcat. By default, there is no configuration for the "UserDataba... |
| V-256788 | | vSphere UI must be configured to limit access to internal packages. | The "package.access" entry in the "catalina.properties" file implements access control at the package level. When properly configured, a Security Exce... |
| V-256789 | | vSphere UI must have Multipurpose Internet Mail Extensions (MIME) that invoke operating system shell programs disabled. | MIME mappings tell the vSphere UI what type of program various file types and extensions are and what external utilities or programs are needed to exe... |
| V-256790 | | vSphere UI must have mappings set for Java servlet pages. | Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client... |
| V-256791 | | vSphere UI must not have the Web Distributed Authoring (WebDAV) servlet installed. | WebDAV is an extension to the HTTP protocol that, when developed, was meant to allow users to create, change, and move documents on a server, typicall... |
| V-256792 | | vSphere UI must be configured with memory leak protection. | The Java Runtime environment can cause a memory leak or lock files under certain conditions. Without memory leak protection, vSphere UI can continue t... |
| V-256793 | | vSphere UI must not have any symbolic links in the web content directory tree. | A web server is designed to deliver content and execute scripts or applications on the request of a client or user. Containing user requests to files ... |
| V-256794 | | The vSphere UI directory tree must have permissions in an out-of-the-box state. | As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require acco... |
| V-256795 | | vSphere UI must restrict its cookie path. | Cookies are used to exchange data between the web server and the client. Cookies, such as a session cookie, may contain session information and user c... |
| V-256796 | | vSphere UI must fail to a known safe state if system initialization fails, shutdown fails, or aborts fail. | Determining a safe state for failure and weighing that against a potential denial of service for users depends on what type of application the web ser... |
| V-256797 | | vSphere UI must limit the number of allowed connections. | Limiting the number of established connections is a basic denial-of-service protection and a best practice. Servers where the limit is too high or unl... |
| V-256798 | | vSphere UI must set URIEncoding to UTF-8. | Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared... |
| V-256799 | | vSphere UI must set the welcome-file node to a default web page. | Enumeration techniques, such as URL parameter manipulation, rely on being able to obtain information about the web server's directory structure by loc... |
| V-256800 | | The vSphere UI must not show directory listings. | Enumeration techniques, such as URL parameter manipulation, rely on being able to obtain information about the web server's directory structure by loc... |
| V-256801 | | vSphere UI must be configured to hide the server version. | Web servers will often display error messages to client users with enough information to aid in the debugging of the error. The information given back... |
| V-256802 | | vSphere UI must be configured to show error pages with minimal information. | Web servers will often display error messages to client users with enough information to aid in the debugging of the error. The information given back... |
| V-256803 | | vSphere UI must not enable support for TRACE requests. | "TRACE" is a technique for a user to request internal information about Tomcat. This is useful during product development but should not be enabled in... |
| V-256804 | | vSphere UI must have the debug option turned off. | Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug... |
| V-256805 | | vSphere UI must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the web server. | To ensure the logging mechanism used by the web server has sufficient storage capacity in which to write the logs, the logging mechanism must be able ... |
| V-256806 | | vSphere UI log files must be moved to a permanent repository in accordance with site policy. | vSphere UI produces several logs that must be offloaded from the originating system. This information can then be used for diagnostic, forensics, or o... |
| V-256807 | | vSphere UI must be configured with the appropriate ports. | Web servers provide numerous processes, features, and functionalities that use TCP/IP ports. Some of these processes may be deemed unnecessary or too ... |
| V-256808 | | vSphere UI must disable the shutdown port. | An attacker has at least two reasons to stop a web server. The first is to cause a denial of service, and the second is to put in place changes the at... |
| V-256809 | | vSphere UI must set the secure flag for cookies. | The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP response. The purpose of t... |
| V-256810 | | The vSphere UI default servlet must be set to "readonly". | The default servlet (or DefaultServlet) is a special servlet provided with Tomcat that is called when no other suitable page is found in a particular ... |
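Most of the rows above boil down to attributes in the vSphere UI's Tomcat configuration (server.xml, web.xml). The checker below is an added example, not VMware's code and not the STIG's own check text: it parses Tomcat-style XML and reports which of the listed controls are unmet, with the weak configuration shown beside a hardened one. The mapping of each STIG ID to a Tomcat attribute (for example V-256808 to the `<Server port="-1">` shutdown port, V-256803 to `allowTrace`, V-256810 to the default servlet's `readonly` init-param) is this example's reading of Tomcat's documented attributes and should be confirmed against the full rule text; every XML sample is constructed, and no appliance file paths are assumed.

```python
"""Added example (not VMware code or STIG check text): parse Tomcat-style
server.xml / web.xml and report which vSphere UI STIG controls are unmet.
The ID-to-attribute mapping is an assumption; all sample XML is constructed."""
import xml.etree.ElementTree as ET

WEBDAV_CLASS = "org.apache.catalina.servlets.WebdavServlet"
LEAK_LISTENER = "org.apache.catalina.core.JreMemoryLeakPreventionListener"

def _parse(text):
    root = ET.fromstring(text)
    for el in root.iter():              # drop XML namespaces so tags compare plainly
        el.tag = el.tag.split("}")[-1]
    return root

def _int(value, default):
    try:
        return int(value)
    except (TypeError, ValueError):     # attribute absent or not numeric
        return default

def check_server_xml(text):             # returns a list of (STIG id, message)
    out, root = [], _parse(text)
    if _int(root.get("port"), 0) != -1:
        out.append(("V-256808", "shutdown port not disabled (Server port must be -1)"))
    if LEAK_LISTENER not in {l.get("className") for l in root.iter("Listener")}:
        out.append(("V-256792", "JreMemoryLeakPreventionListener not configured"))
    for c in root.iter("Connector"):
        p = f"connector {c.get('port')}: "
        if _int(c.get("connectionTimeout"), 60000) <= 0:   # -1 keeps idle sockets forever
            out.append(("V-256778", p + "connectionTimeout is unlimited"))
        if _int(c.get("maxThreads"), 0) <= 0:              # explicit limits required
            out.append(("V-256779", p + "maxThreads not set"))
        if _int(c.get("maxConnections"), 0) <= 0:
            out.append(("V-256797", p + "maxConnections not set"))
        if _int(c.get("maxPostSize"), 0) <= 0:             # -1 means unlimited POST body
            out.append(("V-256780", p + "maxPostSize unset or unlimited"))
        if (c.get("allowTrace") or "false").lower() == "true":
            out.append(("V-256803", p + "TRACE is enabled"))
        if c.get("URIEncoding") != "UTF-8":
            out.append(("V-256798", p + "URIEncoding is not UTF-8"))
        if not c.get("server") or "tomcat" in c.get("server").lower():
            out.append(("V-256801", p + "Server header reveals product/version"))
    return out

def check_web_xml(text):                # servlet, mapping, welcome-file, cookie controls
    out, root = [], _parse(text)
    servlets = {s.findtext("servlet-name"): s for s in root.iter("servlet")}
    for name, s in servlets.items():
        if s.findtext("servlet-class") == WEBDAV_CLASS:
            out.append(("V-256791", f"WebDAV servlet '{name}' is installed"))
    params = {p.findtext("param-name"): (p.findtext("param-value") or "").strip()
              for s in servlets.values() if s.findtext("servlet-name") == "default"
              for p in s.iter("init-param")}
    if params.get("listings", "false").lower() != "false":
        out.append(("V-256800", "default servlet allows directory listings"))
    if params.get("readonly", "true").lower() != "true":
        out.append(("V-256810", "default servlet is not readonly"))
    if _int(params.get("debug"), 0) != 0:
        out.append(("V-256804", "default servlet debug output is enabled"))
    jsp = [u.text for m in root.iter("servlet-mapping")
           if m.findtext("servlet-name") == "jsp" for u in m.iter("url-pattern")]
    if "*.jsp" not in jsp:
        out.append(("V-256790", "no *.jsp mapping for the jsp servlet"))
    if root.find("welcome-file-list/welcome-file") is None:
        out.append(("V-256799", "no welcome-file configured"))
    cookie = root.find("session-config/cookie-config")
    if cookie is None or (cookie.findtext("secure") or "").strip().lower() != "true":
        out.append(("V-256809", "session cookie-config does not set secure=true"))
    if cookie is None or (cookie.findtext("http-only") or "").strip().lower() != "true":
        out.append(("V-256781", "session cookie-config does not set http-only=true"))
    return out

# Constructed samples: a weak server.xml beside its hardened form, and a weak web.xml.
WEAK_SERVER = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="5090" protocol="HTTP/1.1" connectionTimeout="-1"
             maxPostSize="-1" allowTrace="true" URIEncoding="ISO-8859-1"/>
</Service></Server>"""
HARDENED_SERVER = """<Server port="-1" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
  <Service name="Catalina"><Connector port="5090" protocol="HTTP/1.1"
    connectionTimeout="60000" maxThreads="800" maxConnections="2048" maxPostSize="2097152"
    allowTrace="false" URIEncoding="UTF-8" server="Anonymous"/></Service></Server>"""
WEAK_WEB = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet><servlet-name>webdav</servlet-name><servlet-class>%s</servlet-class></servlet>
  <servlet-mapping><servlet-name>default</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
</web-app>""" % WEBDAV_CLASS

if __name__ == "__main__":
    for finding in check_server_xml(WEAK_SERVER) + check_web_xml(WEAK_WEB):
        print("FAIL", *finding)
    print("hardened server.xml findings:", check_server_xml(HARDENED_SERVER))
```

To run it against a real appliance, pass `open(path).read()` of the vSphere UI's server.xml and web.xml in place of the constructed strings; defaults used when an attribute is absent (60000 ms `connectionTimeout`, `listings=false`, `readonly=true`, `debug=0`) match Tomcat's own defaults, while the limit attributes (`maxThreads`, `maxConnections`, `maxPostSize`) are treated as findings when not set explicitly, since the STIG wants a site-chosen limit rather than the default.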