| V-259003 | | The vCenter ESX Agent Manager service must limit the number of maximum concurrent connections permitted. | Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a website, facilitating a denial-of-service attack. Unles... |
| V-259004 | | The vCenter ESX Agent Manager service cookies must have secure flag set. | The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of t... |
| V-259005 | | The vCenter ESX Agent Manager service must initiate session logging upon startup. | Logging must be started as soon as possible when a service starts and as late as possible when a service is stopped. Many forms of suspicious actions ... |
| V-259006 | | The vCenter ESX Agent Manager service must produce log records containing sufficient information regarding event details. | Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine th... |
| V-259007 | | The vCenter ESX Agent Manager service logs folder permissions must be set correctly. | Log data is essential in the investigation of events. The accuracy of the information is always pertinent. One of the first steps an attacker will tak... |
| V-259008 | | The vCenter ESX Agent Manager service must limit privileges for creating or modifying hosted application shared files. | Application servers have the ability to specify that the hosted applications use shared libraries. The application server must have a capability to di... |
| V-259009 | | The vCenter ESX Agent Manager service must disable stack tracing. | Stack tracing provides debugging information from the application call stacks when a runtime error is encountered. If stack tracing is left enabled, T... |
| V-259010 | | The vCenter ESX Agent Manager service must be configured to use a specified IP address and port. | The server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for server to use, the server wi... |
| V-259011 | | The vCenter ESX Agent Manager service must be configured to limit data exposure between applications. | If RECYCLE_FACADES is true or if a security manager is in use, a new facade object will be created for each request. This reduces the chances that a b... |
| V-259012 | | The vCenter ESX Agent Manager service must be configured to fail to a known safe state if system initialization fails. | Determining a safe state for failure and weighing that against a potential denial of service for users depends on what type of application the web ser... |
| V-259013 | | The vCenter ESX Agent Manager service must set URIEncoding to UTF-8. | Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared... |
| V-259014 | | The vCenter ESX Agent Manager service "ErrorReportValve showServerInfo" must be set to "false". | The Error Report Valve is a simple error handler for HTTP status codes that will generate and return HTML error pages. It can also be configured to re... |
| V-259015 | | The vCenter ESX Agent Manager service must set an inactive timeout for sessions. | Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted applicat... |
| V-259016 | | The vCenter ESX Agent Manager service must offload log records onto a different system or media from the system being logged. | Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement ... |
| V-259017 | | The vCenter ESX Agent Manager service must enable STRICT_SERVLET_COMPLIANCE. | Strict Servlet Compliance forces Tomcat to adhere to standards specifications including but not limited to RFC2109. RFC2109 sets the standard for HTTP... |
| V-259018 | | The vCenter ESX Agent Manager service must limit the amount of time that each Transmission Control Protocol (TCP) connection is kept alive. | Denial of service (DoS) is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resourc... |
| V-259019 | | The vCenter ESX Agent Manager service must limit the number of times that each Transmission Control Protocol (TCP) connection is kept alive. | KeepAlive provides long lived HTTP sessions that allow multiple requests to be sent over the same connection. Enabling KeepAlive mitigates the effects... |
| V-259020 | | The vCenter ESX Agent Manager service must configure the "setCharacterEncodingFilter" filter. | Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared... |
| V-259021 | | The vCenter ESX Agent Manager service cookies must have the "http-only" flag set. | Cookies are a common way to save session state over the HTTP(S) protocol. If attackers can compromise session data stored in a cookie, they are better... |
| V-259022 | | The vCenter ESX Agent Manager service DefaultServlet must be set to "readonly" for "PUT" and "DELETE" commands. | The default servlet (or DefaultServlet) is a special servlet provided with Tomcat that is called when no other suitable page is found in a particular ... |
| V-259023 | | The vCenter ESX Agent Manager service shutdown port must be disabled. | Tomcat by default listens on TCP port 8005 to accept shutdown requests. By connecting to this port and sending the SHUTDOWN command, all applications ... |
| V-259024 | | The vCenter ESX Agent Manager service debug parameter must be disabled. | Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug... |
| V-259025 | | The vCenter ESX Agent Manager service directory listings parameter must be disabled. | Enumeration techniques, such as URL parameter manipulation, rely on being able to obtain information about the web server's directory structure by loc... |
| V-259026 | | The vCenter ESX Agent Manager service deployXML attribute must be disabled. | The Host element controls deployment. Automatic deployment allows for simpler management but also makes it easier for an attacker to deploy a maliciou... |
| V-259027 | | The vCenter ESX Agent Manager service must have Autodeploy disabled. | Tomcat allows auto-deployment of applications while it is running. This can allow untested or malicious applications to be automatically loaded into p... |
| V-259028 | | The vCenter ESX Agent Manager service xpoweredBy attribute must be disabled. | Individual connectors can be configured to display the Tomcat information to clients. This information can be used to identify server versions that ca... |
| V-259029 | | The vCenter ESX Agent Manager service example applications must be removed. | Tomcat provides example applications, documentation, and other directories in the default installation that do not serve a production use. These files... |
| V-259030 | | The vCenter ESX Agent Manager service default ROOT web application must be removed. | The default ROOT web application includes the version of Tomcat being used, links to Tomcat documentation, examples, FAQs, and mailing lists. The defa... |
| V-259031 | | The vCenter ESX Agent Manager service default documentation must be removed. | Tomcat provides documentation and other directories in the default installation that do not serve a production use. These files must be deleted.... |
| V-259032 | | The vCenter ESX Agent Manager service files must have permissions in an out-of-the-box state. | As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require acco... |
| V-259033 | | The vCenter ESX Agent Manager service must disable "ALLOW_BACKSLASH". | When Tomcat is installed behind a proxy configured to only allow access to certain contexts (web applications), an HTTP request containing "/\../" may... |
| V-259034 | | The vCenter ESX Agent Manager service must enable "ENFORCE_ENCODING_IN_GET_WRITER". | Some clients try to guess the character encoding of text media when the mandated default of ISO-8859-1 should be used. Some browsers will interpret as... |
| V-259035 | | The vCenter ESX Agent Manager service manager webapp must be removed. | Tomcat provides management functionality through either a default manager webapp or through local editing of the configuration files. The manager weba... |
| V-259036 | | The vCenter ESX Agent Manager service host-manager webapp must be removed. | Tomcat provides host management functionality through either a default host-manager webapp or through local editing of the configuration files. The ho... |
