vSphere UI must restrict its cookie path.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-256795 | VCUI-70-000018 | SV-256795r889384_rule | CCI-001664 | medium |
| Description |
| Cookies are used to exchange data between the web server and the client. Cookies, such as a session cookie, may contain session information and user credentials used to maintain a persistent connection between the user and the hosted application since HTTP/HTTPS is a stateless protocol. vSphere UI is bound to the "/ui" virtual path behind the reverse proxy, and its cookies are configured as such. This configuration must be confirmed and maintained. |
| STIG | Date |
| VMware vSphere 7.0 vCenter Appliance UI Security Technical Implementation Guide | 2023-06-15 |
Details
Check Text (C-256795r889384_chk)
At the command prompt, run the following command:
# xmllint --format /usr/lib/vmware-vsphere-ui/server/conf/context.xml | xmllint --xpath '/Context/@sessionCookiePath' -
Expected result:
sessionCookiePath="/ui"
If the output does not match the expected result, this is a finding.
Fix Text (F-60413r889383_fix)
Navigate to and open:
/usr/lib/vmware-vsphere-ui/server/conf/context.xml
Add the following configuration to the <Context> node:
sessionCookiePath="/ui"
Example:
<Context useHttpOnly="true" sessionCookieName="VSPHERE-UI-JSESSIONID" sessionCookiePath="/ui">
Restart the service with the following command:
# vmon-cli --restart vsphere-ui
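The check above, scripted as an added example (not part of the STIG or of VMware's tooling): it audits a context.xml document for the required attribute and applies the RFC 6265 path-match rule to show which request paths a browser would send the session cookie to. The sample documents and the "/other-app/" path are constructed for illustration.

```python
import xml.etree.ElementTree as ET

EXPECTED_PATH = "/ui"  # value the check text requires


def audit_context_xml(xml_text):
    """Return (is_finding, reason) for the text of a Tomcat context.xml."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return True, f"context.xml is not well-formed XML: {exc}"
    if root.tag != "Context":
        return True, f"root element is <{root.tag}>, expected <Context>"
    value = root.get("sessionCookiePath")
    if value is None:
        return True, "sessionCookiePath is not set on <Context>"
    if value != EXPECTED_PATH:
        return True, f'sessionCookiePath="{value}", expected "{EXPECTED_PATH}"'
    return False, f'sessionCookiePath="{EXPECTED_PATH}"'


def cookie_sent(cookie_path, request_path):
    """RFC 6265 section 5.1.4 path-match: is the cookie attached to this request?"""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # A prefix only matches on a "/" boundary, so "/ui" does not cover "/uix".
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


# Constructed samples, not copied from a real appliance.
COMPLIANT = ('<Context useHttpOnly="true" '
             'sessionCookieName="VSPHERE-UI-JSESSIONID" sessionCookiePath="/ui"/>')
TOO_BROAD = '<Context useHttpOnly="true" sessionCookiePath="/"/>'
MISSING = '<Context useHttpOnly="true"/>'

if __name__ == "__main__":
    for name, doc in (("compliant", COMPLIANT), ("too broad", TOO_BROAD),
                      ("missing", MISSING), ("malformed", "<Context")):
        finding, reason = audit_context_xml(doc)
        print(f"{name:10} {'FINDING' if finding else 'ok':8} {reason}")
    # "/other-app/" stands in for any other path behind the same reverse proxy.
    for path in ("/ui/login", "/uix", "/other-app/"):
        print(f"{path:12} Path=/ui sent: {cookie_sent('/ui', path)!s:6}"
              f" Path=/ sent: {cookie_sent('/', path)}")
```

To audit a live appliance, pass the contents of /usr/lib/vmware-vsphere-ui/server/conf/context.xml to `audit_context_xml`.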