The vCenter STS service must enable "ENFORCE_ENCODING_IN_GET_WRITER".
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-259000 | VCST-80-000152 | SV-259000r934658_rule | CCI-000366 | medium |
| Description | ||||
| Some clients try to guess the character encoding of text media when the mandated default of ISO-8859-1 should be used. Some browsers will interpret as UTF-7 when the characters are safe for ISO-8859-1. This can create the potential for a XSS attack. To defend against this, enforce_encoding_in_get_writer must be set to true. | ||||
| STIG | Date | |||
| VMware vSphere 8.0 vCenter Appliance Secure Token Service (STS) Security Technical Implementation Guide | 2023-10-29 | |||
Details
Check Text (C-259000r934658_chk)
At the command line, run the following command:
# grep ENFORCE_ENCODING_IN_GET_WRITER /usr/lib/vmware-sso/vmware-sts/conf/catalina.properties
Example result:
org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER=true
If "org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER" is not set to "true", this is a finding.
If the "org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER" setting does not exist, this is not a finding.
Fix Text (F-62649r934657_fix)
Navigate to and open:
/usr/lib/vmware-sso/vmware-sts/conf/catalina.properties
Update or remove the following line:
org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER=true
Restart the service with the following command:
# vmon-cli --restart sts