| ID | | Rule Title | Description |
| --- | --- | --- | --- |
| V-259037 | | The vCenter Lookup service must limit the number of maximum concurrent connections permitted. | Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a website, facilitating a denial-of-service attack. Unles... |
| V-259038 | | The vCenter Lookup service cookies must have secure flag set. | The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of t... |
| V-259039 | | The vCenter Lookup service must initiate session logging upon startup. | Logging must be started as soon as possible when a service starts and as late as possible when a service is stopped. Many forms of suspicious actions ... |
| V-259040 | | The vCenter Lookup service must produce log records containing sufficient information regarding event details. | Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine th... |
| V-259041 | | The vCenter Lookup service logs folder permissions must be set correctly. | Log data is essential in the investigation of events. The accuracy of the information is always pertinent. One of the first steps an attacker will tak... |
| V-259042 | | The vCenter Lookup service must limit privileges for creating or modifying hosted application shared files. | Application servers have the ability to specify that the hosted applications use shared libraries. The application server must have a capability to di... |
| V-259043 | | The vCenter Lookup service must disable stack tracing. | Stack tracing provides debugging information from the application call stacks when a runtime error is encountered. If stack tracing is left enabled, T... |
| V-259044 | | The vCenter Lookup service must be configured to use a specified IP address and port. | The server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the server to use, the server wi... |
| V-259045 | | The vCenter Lookup service must be configured to limit data exposure between applications. | If RECYCLE_FACADES is true or if a security manager is in use, a new facade object will be created for each request. This reduces the chances that a b... |
| V-259046 | | The vCenter Lookup service must be configured to fail to a known safe state if system initialization fails. | Determining a safe state for failure and weighing that against a potential denial of service for users depends on what type of application the web ser... |
| V-259047 | | The vCenter Lookup service must set URIEncoding to UTF-8. | Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared... |
| V-259048 | | The vCenter Lookup service "ErrorReportValve showServerInfo" must be set to "false". | The Error Report Valve is a simple error handler for HTTP status codes that will generate and return HTML error pages. It can also be configured to re... |
| V-259049 | | The vCenter Lookup service must set an inactive timeout for sessions. | Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted applicat... |
| V-259050 | | The vCenter Lookup service must offload log records onto a different system or media from the system being logged. | Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement ... |
| V-259051 | | The vCenter Lookup service must enable "STRICT_SERVLET_COMPLIANCE". | Strict Servlet Compliance forces Tomcat to adhere to standards specifications including but not limited to RFC2109. RFC2109 sets the standard for HTTP... |
| V-259052 | | The vCenter Lookup service must limit the amount of time that each Transmission Control Protocol (TCP) connection is kept alive. | Denial of service (DoS) is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resourc... |
| V-259053 | | The vCenter Lookup service must limit the number of times that each Transmission Control Protocol (TCP) connection is kept alive. | KeepAlive provides long lived HTTP sessions that allow multiple requests to be sent over the same connection. Enabling KeepAlive mitigates the effects... |
| V-259054 | | The vCenter Lookup service must configure the "setCharacterEncodingFilter" filter. | Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared... |
| V-259055 | | The vCenter Lookup service cookies must have "http-only" flag set. | Cookies are a common way to save session state over the HTTP(S) protocol. If attackers can compromise session data stored in a cookie, they are better... |
| V-259056 | | The vCenter Lookup service DefaultServlet must be set to "readonly" for "PUT" and "DELETE" commands. | The default servlet (or DefaultServlet) is a special servlet provided with Tomcat that is called when no other suitable page is found in a particular ... |
| V-259057 | | The vCenter Lookup service shutdown port must be disabled. | Tomcat by default listens on TCP port 8005 to accept shutdown requests. By connecting to this port and sending the SHUTDOWN command, all applications ... |
| V-259058 | | The vCenter Lookup service debug parameter must be disabled. | Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug... |
| V-259059 | | The vCenter Lookup service directory listings parameter must be disabled. | Enumeration techniques, such as URL parameter manipulation, rely on being able to obtain information about the web server's directory structure by loc... |
| V-259060 | | The vCenter Lookup service deployXML attribute must be disabled. | The Host element controls deployment. Automatic deployment allows for simpler management but also makes it easier for an attacker to deploy a maliciou... |
| V-259061 | | The vCenter Lookup service must have Autodeploy disabled. | Tomcat allows auto-deployment of applications while it is running. This can allow untested or malicious applications to be automatically loaded into p... |
| V-259062 | | The vCenter Lookup service xpoweredBy attribute must be disabled. | Individual connectors can be configured to display the Tomcat information to clients. This information can be used to identify server versions that ca... |
| V-259063 | | The vCenter Lookup service example applications must be removed. | Tomcat provides example applications, documentation, and other directories in the default installation that do not serve a production use. These files... |
| V-259064 | | The vCenter Lookup service default ROOT web application must be removed. | The default ROOT web application includes the version of Tomcat being used, links to Tomcat documentation, examples, FAQs, and mailing lists. The defa... |
| V-259065 | | The vCenter Lookup service default documentation must be removed. | Tomcat provides documentation and other directories in the default installation that do not serve a production use. These files must be deleted.... |
| V-259066 | | The vCenter Lookup service files must have permissions in an out-of-the-box state. | As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require acco... |
| V-259067 | | The vCenter Lookup service must disable "ALLOW_BACKSLASH". | When Tomcat is installed behind a proxy configured to only allow access to certain contexts (web applications), an HTTP request containing "/\../" may... |
| V-259068 | | The vCenter Lookup service must enable "ENFORCE_ENCODING_IN_GET_WRITER". | Some clients try to guess the character encoding of text media when the mandated default of ISO-8859-1 should be used. Some browsers will interpret as... |
| V-259069 | | The vCenter Lookup service manager webapp must be removed. | Tomcat provides management functionality through either a default manager webapp or through local editing of the configuration files. The manager weba... |
| V-259070 | | The vCenter Lookup service host-manager webapp must be removed. | Tomcat provides host management functionality through either a default host-manager webapp or through local editing of the configuration files. The ho... |