The vCenter STS service must disable "ALLOW_BACKSLASH".
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-258999 | VCST-80-000151 | SV-258999r934655_rule | CCI-000366 | medium |
| Description | ||||
| When Tomcat is installed behind a proxy configured to only allow access to certain contexts (web applications), an HTTP request containing "/\../" may allow attackers to work around the proxy restrictions using directory traversal attack methods. If "allow_backslash" is "true", the "\" character will be permitted as a path delimiter. The default value for the setting is "false", but Tomcat must always be configured as if no proxy restricting context access was used, and "allow_backslash" should be set to "false" to prevent directory-traversal-style attacks. This setting can create operability issues with noncompliant clients. | ||||
| STIG | Date | |||
| VMware vSphere 8.0 vCenter Appliance Secure Token Service (STS) Security Technical Implementation Guide | 2023-10-29 | |||
Details
Check Text (C-258999r934655_chk)
At the command line, run the following command:
# grep ALLOW_BACKSLASH /usr/lib/vmware-sso/vmware-sts/conf/catalina.properties
Example result:
org.apache.catalina.connector.ALLOW_BACKSLASH=false
If "org.apache.catalina.connector.ALLOW_BACKSLASH" is not set to "false", this is a finding.
If the "org.apache.catalina.connector.ALLOW_BACKSLASH" setting does not exist, this is not a finding.
Fix Text (F-62648r934654_fix)
Navigate to and open:
/usr/lib/vmware-sso/vmware-sts/conf/catalina.properties
Update or remove the following line:
org.apache.catalina.connector.ALLOW_BACKSLASH=false
Restart the service with the following command:
# vmon-cli --restart sts