| V-259104 | | The vCenter UI service must limit the number of maximum concurrent connections permitted. | Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a website, facilitating a denial-of-service attack. Unles... |
| V-259105 | | The vCenter UI service cookies must have secure flag set. | The secure flag is an option that can be set by the application server when sending a new cookie to the user within an HTTP Response. The purpose of t... |
| V-259106 | | The vCenter UI service must initiate session logging upon startup. | Logging must be started as soon as possible when a service starts and as late as possible when a service is stopped. Many forms of suspicious actions ... |
| V-259107 | | The vCenter UI service must produce log records containing sufficient information regarding event details. | Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine th... |
| V-259108 | | The vCenter UI service must protect logs from unauthorized access. | Log data is essential in the investigation of events. The accuracy of the information is always pertinent. One of the first steps an attacker will tak... |
| V-259109 | | The vCenter UI service must limit privileges for creating or modifying hosted application shared files. | Application servers have the ability to specify that the hosted applications use shared libraries. The application server must have a capability to di... |
| V-259110 | | The vCenter UI service must disable stack tracing. | Stack tracing provides debugging information from the application call stacks when a runtime error is encountered. If stack tracing is left enabled, T... |
| V-259111 | | The vCenter UI service must be configured to use a specified IP address and port. | The server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for server to use, the server wi... |
| V-259112 | | The vCenter UI service must be configured to limit data exposure between applications. | If RECYCLE_FACADES is true or if a security manager is in use, a new facade object will be created for each request. This reduces the chances that a b... |
| V-259113 | | The vCenter UI service must be configured to fail to a known safe state if system initialization fails. | Determining a safe state for failure and weighing that against a potential denial of service for users depends on what type of application the web ser... |
| V-259114 | | The vCenter UI service must set URIEncoding to UTF-8. | Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared... |
| V-259115 | | The vCenter UI service "ErrorReportValve showServerInfo" must be set to "false". | The Error Report Valve is a simple error handler for HTTP status codes that will generate and return HTML error pages. It can also be configured to re... |
| V-259116 | | The vCenter UI service must set an inactive timeout for sessions. | Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted applicat... |
| V-259117 | | The vCenter UI service must offload log records onto a different system or media from the system being logged. | Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement ... |
| V-259118 | | The vCenter UI service must enable "STRICT_SERVLET_COMPLIANCE". | Strict Servlet Compliance forces Tomcat to adhere to standards specifications including but not limited to RFC2109. RFC2109 sets the standard for HTTP... |
| V-259119 | | The vCenter UI service must limit the amount of time that each Transmission Control Protocol (TCP) connection is kept alive. | Denial of service (DoS) is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resourc... |
| V-259120 | | The vCenter UI service must limit the number of times that each Transmission Control Protocol (TCP) connection is kept alive. | KeepAlive provides long lived HTTP sessions that allow multiple requests to be sent over the same connection. Enabling KeepAlive mitigates the effects... |
| V-259121 | | The vCenter UI service must configure the "setCharacterEncodingFilter" filter. | Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared... |
| V-259122 | | The vCenter UI service cookies must have "http-only" flag set. | Cookies are a common way to save session state over the HTTP(S) protocol. If attackers can compromise session data stored in a cookie, they are better... |
| V-259123 | | The vCenter UI service DefaultServlet must be set to "readonly" for "PUT" and "DELETE" commands. | The default servlet (or DefaultServlet) is a special servlet provided with Tomcat that is called when no other suitable page is found in a particular ... |
| V-259124 | | The vCenter UI service shutdown port must be disabled. | Tomcat by default listens on TCP port 8005 to accept shutdown requests. By connecting to this port and sending the SHUTDOWN command, all applications ... |
| V-259125 | | The vCenter UI service debug parameter must be disabled. | Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug... |
| V-259126 | | The vCenter UI service directory listings parameter must be disabled. | Enumeration techniques, such as URL parameter manipulation, rely on being able to obtain information about the web server's directory structure by loc... |
| V-259127 | | The vCenter UI service deployXML attribute must be disabled. | The Host element controls deployment. Automatic deployment allows for simpler management but also makes it easier for an attacker to deploy a maliciou... |
| V-259128 | | The vCenter UI service must have Autodeploy disabled. | Tomcat allows auto-deployment of applications while it is running. This can allow untested or malicious applications to be automatically loaded into p... |
| V-259129 | | The vCenter UI service xpoweredBy attribute must be disabled. | Individual connectors can be configured to display the Tomcat information to clients. This information can be used to identify server versions that ca... |
| V-259130 | | The vCenter UI service example applications must be removed. | Tomcat provides example applications, documentation, and other directories in the default installation that do not serve a production use. These files... |
| V-259131 | | The vCenter UI service default ROOT web application must be removed. | The default ROOT web application includes the version of Tomcat being used, links to Tomcat documentation, examples, FAQs, and mailing lists. The defa... |
| V-259132 | | The vCenter UI service default documentation must be removed. | Tomcat provides documentation and other directories in the default installation that do not serve a production use. These files must be deleted.... |
| V-259133 | | The vCenter UI service must disable "ALLOW_BACKSLASH". | When Tomcat is installed behind a proxy configured to only allow access to certain contexts (web applications), an HTTP request containing "/\../" may... |
| V-259134 | | The vCenter UI service must enable "ENFORCE_ENCODING_IN_GET_WRITER". | Some clients try to guess the character encoding of text media when the mandated default of ISO-8859-1 should be used. Some browsers will interpret as... |
| V-259135 | | The vCenter UI service manager webapp must be removed. | Tomcat provides management functionality through either a default manager webapp or through local editing of the configuration files. The manager weba... |
| V-259136 | | The vCenter UI service host-manager webapp must be removed. | Tomcat provides host management functionality through either a default host-manager webapp or through local editing of the configuration files. The ho... |
