| V-259071 | | The vCenter Perfcharts service must limit the number of maximum concurrent connections permitted. | Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a website, facilitating a denial-of-service attack. Unles... |
| V-259072 | | The vCenter Perfcharts service cookies must have secure flag set. | The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of t... |
| V-259073 | | The vCenter Perfcharts service must initiate session logging upon startup. | Logging must be started as soon as possible when a service starts and as late as possible when a service is stopped. Many forms of suspicious actions ... |
| V-259074 | | The vCenter Perfcharts service must produce log records containing sufficient information regarding event details. | Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine th... |
| V-259075 | | The vCenter Perfcharts service logs folder permissions must be set correctly. | Log data is essential in the investigation of events. The accuracy of the information is always pertinent. One of the first steps an attacker will tak... |
| V-259076 | | The vCenter Perfcharts service must limit privileges for creating or modifying hosted application shared files. | Application servers have the ability to specify that the hosted applications use shared libraries. The application server must have a capability to di... |
| V-259077 | | The vCenter Perfcharts service must disable stack tracing. | Stack tracing provides debugging information from the application call stacks when a runtime error is encountered. If stack tracing is left enabled, T... |
| V-259078 | | The vCenter Perfcharts service must be configured to use a specified IP address and port. | The server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the server to use, the server wi... |
| V-259079 | | The vCenter Perfcharts service must be configured to limit data exposure between applications. | If RECYCLE_FACADES is true or if a security manager is in use, a new facade object will be created for each request. This reduces the chances that a b... |
| V-259080 | | The vCenter Perfcharts service must be configured to fail to a known safe state if system initialization fails. | Determining a safe state for failure and weighing that against a potential denial of service for users depends on what type of application the web ser... |
| V-259081 | | The vCenter Perfcharts service must set URIEncoding to UTF-8. | Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared... |
| V-259082 | | The vCenter Perfcharts service "ErrorReportValve showServerInfo" must be set to "false". | The Error Report Valve is a simple error handler for HTTP status codes that will generate and return HTML error pages. It can also be configured to re... |
| V-259083 | | The vCenter Perfcharts service must set an inactive timeout for sessions. | Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted applicat... |
| V-259084 | | The vCenter Perfcharts service must offload log records onto a different system or media from the system being logged. | Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement ... |
| V-259085 | | The vCenter Perfcharts service must enable "STRICT_SERVLET_COMPLIANCE". | Strict Servlet Compliance forces Tomcat to adhere to standards specifications including but not limited to RFC2109. RFC2109 sets the standard for HTTP... |
| V-259086 | | The vCenter Perfcharts service must limit the amount of time that each Transmission Control Protocol (TCP) connection is kept alive. | Denial of service (DoS) is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resourc... |
| V-259087 | | The vCenter Perfcharts service must limit the number of times that each Transmission Control Protocol (TCP) connection is kept alive. | KeepAlive provides long lived HTTP sessions that allow multiple requests to be sent over the same connection. Enabling KeepAlive mitigates the effects... |
| V-259088 | | The vCenter Perfcharts service must configure the "setCharacterEncodingFilter" filter. | Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared... |
| V-259089 | | The vCenter Perfcharts service cookies must have "http-only" flag set. | Cookies are a common way to save session state over the HTTP(S) protocol. If attackers can compromise session data stored in a cookie, they are better... |
| V-259090 | | The vCenter Perfcharts service DefaultServlet must be set to "readonly" for "PUT" and "DELETE" commands. | The default servlet (or DefaultServlet) is a special servlet provided with Tomcat that is called when no other suitable page is found in a particular ... |
| V-259091 | | The vCenter Perfcharts service shutdown port must be disabled. | Tomcat by default listens on TCP port 8005 to accept shutdown requests. By connecting to this port and sending the SHUTDOWN command, all applications ... |
| V-259092 | | The vCenter Perfcharts service debug parameter must be disabled. | Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug... |
| V-259093 | | The vCenter Perfcharts service directory listings parameter must be disabled. | Enumeration techniques, such as URL parameter manipulation, rely on being able to obtain information about the web server's directory structure by loc... |
| V-259094 | | The vCenter Perfcharts service deployXML attribute must be disabled. | The Host element controls deployment. Automatic deployment allows for simpler management but also makes it easier for an attacker to deploy a maliciou... |
| V-259095 | | The vCenter Perfcharts service must have Autodeploy disabled. | Tomcat allows auto-deployment of applications while it is running. This can allow untested or malicious applications to be automatically loaded into p... |
| V-259096 | | The vCenter Perfcharts service xpoweredBy attribute must be disabled. | Individual connectors can be configured to display the Tomcat information to clients. This information can be used to identify server versions that ca... |
| V-259097 | | The vCenter Perfcharts service example applications must be removed. | Tomcat provides example applications, documentation, and other directories in the default installation that do not serve a production use. These files... |
| V-259098 | | The vCenter Perfcharts service default documentation must be removed. | Tomcat provides documentation and other directories in the default installation that do not serve a production use. These files must be deleted.... |
| V-259099 | | The vCenter Perfcharts service files must have permissions in an out-of-the-box state. | As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require acco... |
| V-259100 | | The vCenter Perfcharts service must disable "ALLOW_BACKSLASH". | When Tomcat is installed behind a proxy configured to only allow access to certain contexts (web applications), an HTTP request containing "/\../" may... |
| V-259101 | | The vCenter Perfcharts service must enable "ENFORCE_ENCODING_IN_GET_WRITER". | Some clients try to guess the character encoding of text media when the mandated default of ISO-8859-1 should be used. Some browsers will interpret as... |
| V-259102 | | The vCenter Perfcharts service manager webapp must be removed. | Tomcat provides management functionality through either a default manager webapp or through local editing of the configuration files. The manager weba... |
| V-259103 | | The vCenter Perfcharts service host-manager webapp must be removed. | Tomcat provides host management functionality through either a default host-manager webapp or through local editing of the configuration files. The ho... |