| V-258970 | | The vCenter STS service must limit the number of maximum concurrent connections permitted. | Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a website, facilitating a denial-of-service attack. Unles... |
| V-258971 | | The vCenter STS service must be configured to use strong encryption ciphers. | Tomcat has several remote communications channels. Examples are user requests via http/https, communication to a backend database, or communication to... |
| V-258972 | | The vCenter STS service cookies must have secure flag set. | The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of t... |
| V-258973 | | The vCenter STS service must initiate session logging upon startup. | Logging must be started as soon as possible when a service starts and as late as possible when a service is stopped. Many forms of suspicious actions ... |
| V-258974 | | The vCenter STS service must produce log records containing sufficient information regarding event details. | Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine th... |
| V-258975 | | The vCenter STS service logs folder permissions must be set correctly. | Log data is essential in the investigation of events. The accuracy of the information is always pertinent. One of the first steps an attacker will tak... |
| V-258976 | | The vCenter STS service must limit privileges for creating or modifying hosted application shared files. | Application servers have the ability to specify that the hosted applications use shared libraries. The application server must have a capability to di... |
| V-258977 | | The vCenter STS service must disable stack tracing. | Stack tracing provides debugging information from the application call stacks when a runtime error is encountered. If stack tracing is left enabled, T... |
| V-258978 | | The vCenter STS service must be configured to use a specified IP address and port. | The server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for server to use, the server wi... |
| V-258979 | | The vCenter STS service must be configured to limit data exposure between applications. | If RECYCLE_FACADES is true or if a security manager is in use, a new facade object will be created for each request. This reduces the chances that a b... |
| V-258980 | | The vCenter STS service must be configured to fail to a known safe state if system initialization fails. | Determining a safe state for failure and weighing that against a potential denial of service for users depends on what type of application the web ser... |
| V-258981 | | The vCenter STS service must set URIEncoding to UTF-8. | Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared... |
| V-258982 | | The vCenter STS service "ErrorReportValve showServerInfo" must be set to "false". | The Error Report Valve is a simple error handler for HTTP status codes that will generate and return HTML error pages. It can also be configured to re... |
| V-258983 | | The vCenter STS service must set an inactive timeout for sessions. | Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted applicat... |
| V-258984 | | The vCenter STS service must offload log records onto a different system or media from the system being logged. | Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement ... |
| V-258985 | | The vCenter STS service must limit the amount of time that each Transmission Control Protocol (TCP) connection is kept alive. | Denial of service (DoS) is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resourc... |
| V-258986 | | The vCenter STS service must limit the number of times that each Transmission Control Protocol (TCP) connection is kept alive. | KeepAlive provides long lived HTTP sessions that allow multiple requests to be sent over the same connection. Enabling KeepAlive mitigates the effects... |
| V-258987 | | The vCenter STS service must configure the "setCharacterEncodingFilter" filter. | Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared... |
| V-258988 | | The vCenter STS service cookies must have "http-only" flag set. | Cookies are a common way to save session state over the HTTP(S) protocol. If attackers can compromise session data stored in a cookie, they are better... |
| V-258989 | | The vCenter STS service DefaultServlet must be set to "readonly" for "PUT" and "DELETE" commands. | The default servlet (or DefaultServlet) is a special servlet provided with Tomcat that is called when no other suitable page is found in a particular ... |
| V-258990 | | The vCenter STS service shutdown port must be disabled. | Tomcat by default listens on TCP port 8005 to accept shutdown requests. By connecting to this port and sending the SHUTDOWN command, all applications ... |
| V-258991 | | The vCenter STS service debug parameter must be disabled. | Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug... |
| V-258992 | | The vCenter STS service directory listings parameter must be disabled. | Enumeration techniques, such as URL parameter manipulation, rely on being able to obtain information about the web server's directory structure by loc... |
| V-258993 | | The vCenter STS service must have Autodeploy disabled. | Tomcat allows auto-deployment of applications while it is running. This can allow untested or malicious applications to be automatically loaded into p... |
| V-258994 | | The vCenter STS service xpoweredBy attribute must be disabled. | Individual connectors can be configured to display the Tomcat information to clients. This information can be used to identify server versions that ca... |
| V-258995 | | The vCenter STS service example applications must be removed. | Tomcat provides example applications, documentation, and other directories in the default installation that do not serve a production use. These files... |
| V-258996 | | The vCenter STS service default ROOT web application must be removed. | The default ROOT web application includes the version of Tomcat being used, links to Tomcat documentation, examples, FAQs, and mailing lists. The defa... |
| V-258997 | | The vCenter STS service default documentation must be removed. | Tomcat provides documentation and other directories in the default installation that do not serve a production use. These files must be deleted.... |
| V-258998 | | The vCenter STS service files must have permissions in an out-of-the-box state. | As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require acco... |
| V-258999 | | The vCenter STS service must disable "ALLOW_BACKSLASH". | When Tomcat is installed behind a proxy configured to only allow access to certain contexts (web applications), an HTTP request containing "/\../" may... |
| V-259000 | | The vCenter STS service must enable "ENFORCE_ENCODING_IN_GET_WRITER". | Some clients try to guess the character encoding of text media when the mandated default of ISO-8859-1 should be used. Some browsers will interpret as... |
| V-259001 | | The vCenter STS service manager webapp must be removed. | Tomcat provides management functionality through either a default manager webapp or through local editing of the configuration files. The manager weba... |
| V-259002 | | The vCenter STS service host-manager webapp must be removed. | Tomcat provides host management functionality through either a default host-manager webapp or through local editing of the configuration files. The ho... |
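Most of the rows above are Tomcat settings that can be checked mechanically from three files. The following is an added example, not part of the STIG text and not VMware's or DISA's own check tooling: a small Python auditor that reads a server.xml, a web.xml and a catalina.properties (plus a listing of the webapps directory) and reports which of the listed IDs the configuration fails, run over a constructed weak set and a constructed hardened set. The attribute and property names (maxThreads, ciphers, address, URIEncoding, keepAliveTimeout, maxKeepAliveRequests, xpoweredBy, autoDeploy, ErrorReportValve showReport/showServerInfo, cookie-config secure/http-only, session-timeout, SetCharacterEncodingFilter, DefaultServlet readonly/listings/debug, RECYCLE_FACADES, EXIT_ON_INIT_FAILURE, ALLOW_BACKSLASH, ENFORCE_ENCODING_IN_GET_WRITER, Server port="-1") are standard Tomcat; the thresholds (maxThreads must be set, session timeout at most 30 minutes, keepAliveTimeout must be explicit and not -1, a connector with SSLEnabled must list ciphers) and the sample inputs are this script's assumptions, not the STIG's check procedure, which the truncated rows do not reproduce. vCenter's actual STS file paths are not given here and are not assumed.

```python
"""Added example: audit a generic Tomcat config set against the STS rows above.
Inputs are constructed samples, not vCenter's files; attribute and property
names are standard Tomcat, the thresholds are this script's assumptions."""
import xml.etree.ElementTree as ET

def _local(tag):
    return tag.rsplit("}", 1)[-1]                 # drop the web.xml namespace

def _kids(elem, name):
    return [e for e in elem.iter() if _local(e.tag) == name]

def _text(elem, name):
    found = _kids(elem, name)
    return found[0].text.strip() if found and found[0].text else None

def _props(text):
    """catalina.properties: key=value lines, '#' comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#") and "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}

def audit(server_xml, web_xml, props_text, webapps):
    """Return the sorted list of STIG IDs the supplied configuration fails."""
    f, srv, web = [], ET.fromstring(server_xml), ET.fromstring(web_xml)
    props = _props(props_text)
    if srv.get("port") != "-1":
        f.append("V-258990")                                     # shutdown port still listening
    for c in srv.iter("Connector"):
        if not c.get("maxThreads"):                        f.append("V-258970")
        if c.get("SSLEnabled") == "true" and not c.get("ciphers"):
            f.append("V-258971")                                 # TLS suites left to JVM defaults
        if not c.get("address"):                           f.append("V-258978")
        if c.get("URIEncoding") != "UTF-8":                f.append("V-258981")
        if c.get("keepAliveTimeout", "-1") == "-1":        f.append("V-258985")  # assumed: must be explicit
        if c.get("maxKeepAliveRequests", "100") == "-1":   f.append("V-258986")
        if c.get("xpoweredBy", "false") != "false":        f.append("V-258994")
    for h in srv.iter("Host"):
        if h.get("autoDeploy", "true") != "false":         f.append("V-258993")
    valves = [v for v in srv.iter("Valve") if v.get("className", "").endswith("ErrorReportValve")]
    erv = valves[0] if valves else ET.Element("Valve")           # no valve means Tomcat's defaults apply
    if erv.get("showReport", "true") != "false":           f.append("V-258977")
    if erv.get("showServerInfo", "true") != "false":       f.append("V-258982")
    sc = (_kids(web, "session-config") or [ET.Element("none")])[0]
    timeout = _text(sc, "session-timeout")
    if _text(sc, "secure") != "true":                      f.append("V-258972")
    if not timeout or not 0 < int(timeout) <= 30:          f.append("V-258983")  # 30 min bound is assumed
    if _text(sc, "http-only") != "true":                   f.append("V-258988")
    if not any(_text(x, "filter-class") == "org.apache.catalina.filters.SetCharacterEncodingFilter"
               for x in _kids(web, "filter")):             f.append("V-258987")
    for s in _kids(web, "servlet"):
        if _text(s, "servlet-name") == "default":
            p = {_text(i, "param-name"): _text(i, "param-value") for i in _kids(s, "init-param")}
            if p.get("readonly", "true") != "true":        f.append("V-258989")
            if p.get("debug", "0") != "0":                 f.append("V-258991")
            if p.get("listings", "false") != "false":      f.append("V-258992")
    wanted = {"V-258979": ("org.apache.catalina.connector.RECYCLE_FACADES", "true"),
              "V-258980": ("org.apache.catalina.startup.EXIT_ON_INIT_FAILURE", "true"),
              "V-258999": ("org.apache.catalina.connector.ALLOW_BACKSLASH", "false"),
              "V-259000": ("org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER", "true")}
    f += [rid for rid, (k, v) in wanted.items() if props.get(k) != v]
    stock = {"examples": "V-258995", "ROOT": "V-258996", "docs": "V-258997",
             "manager": "V-259001", "host-manager": "V-259002"}
    f += [rid for app, rid in stock.items() if app in webapps]
    return sorted(f)

# Constructed samples: a weak trio beside a hardened one.
WEAK_SERVER = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
<Connector port="8443" SSLEnabled="true" maxKeepAliveRequests="-1" xpoweredBy="true"/>
<Engine name="Catalina" defaultHost="localhost"><Host name="localhost" appBase="webapps">
<Valve className="org.apache.catalina.valves.ErrorReportValve"/></Host></Engine></Service></Server>"""
GOOD_SERVER = """<Server port="-1" shutdown="SHUTDOWN"><Service name="Catalina">
<Connector port="8443" address="127.0.0.1" SSLEnabled="true" maxThreads="150" URIEncoding="UTF-8"
 xpoweredBy="false" keepAliveTimeout="20000" maxKeepAliveRequests="100"
 ciphers="TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"/>
<Engine name="Catalina" defaultHost="localhost"><Host name="localhost" autoDeploy="false">
<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false"/>
</Host></Engine></Service></Server>"""
WEAK_WEB = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><servlet><servlet-name>default</servlet-name>
<init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
<init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
<init-param><param-name>debug</param-name><param-value>1</param-value></init-param></servlet></web-app>"""
GOOD_WEB = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
<filter><filter-name>setCharacterEncodingFilter</filter-name>
<filter-class>org.apache.catalina.filters.SetCharacterEncodingFilter</filter-class>
<init-param><param-name>encoding</param-name><param-value>UTF-8</param-value></init-param></filter>
<servlet><servlet-name>default</servlet-name>
<init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
<init-param><param-name>listings</param-name><param-value>false</param-value></init-param></servlet>
<session-config><session-timeout>30</session-timeout>
<cookie-config><http-only>true</http-only><secure>true</secure></cookie-config></session-config></web-app>"""
WEAK_PROPS = "org.apache.catalina.connector.RECYCLE_FACADES=false\norg.apache.catalina.connector.ALLOW_BACKSLASH=true\n"
GOOD_PROPS = """org.apache.catalina.connector.RECYCLE_FACADES=true
org.apache.catalina.startup.EXIT_ON_INIT_FAILURE=true
org.apache.catalina.connector.ALLOW_BACKSLASH=false
org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER=true"""
WEAK_WEBAPPS = ["ROOT", "docs", "examples", "manager", "host-manager", "sts"]

if __name__ == "__main__":
    print("weak:", audit(WEAK_SERVER, WEAK_WEB, WEAK_PROPS, WEAK_WEBAPPS))
    print("hardened:", audit(GOOD_SERVER, GOOD_WEB, GOOD_PROPS, ["sts"]))
```

Run stand-alone, the weak set fails 27 of the listed IDs and the hardened set fails none. The rows that depend on the filesystem and logging pipeline rather than these three files (V-258973 through V-258976, V-258984, V-258998) are deliberately left to manual review; the script also treats an absent ErrorReportValve as Tomcat's default (report and server info shown), which is why both V-258977 and V-258982 are raised when the valve is present without those attributes.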