The vCenter UI service deployXML attribute must be disabled.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-259127 | VCUI-80-000138 | SV-259127r935285_rule | CCI-000381 | medium |

Description

The Host element controls deployment. Automatic deployment allows for simpler management but also makes it easier for an attacker to deploy a malicious application. Automatic deployment is controlled by the autoDeploy and deployOnStartup attributes. If both are false, only Contexts defined in server.xml will be deployed, and any changes will require a Tomcat restart. In a hosted environment where web applications may not be trusted, set the deployXML attribute to "false" to ignore any context.xml packaged with the web application that may try to assign increased privileges to the web application. Note that if the security manager is enabled, the deployXML attribute will default to false.

| STIG | Date |
| VMware vSphere 8.0 vCenter Appliance User Interface (UI) Security Technical Implementation Guide | 2023-10-29 |
Related Frameworks
3 paths across 3 frameworks
NIST 800-53 (1 mapping)
CM-7
1.00
- DISA · V1R1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-171 (1 mapping)
3.4.6
1.00
- DISA · V1R1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI (1 mapping)
CCI-000381
1.00
- DISA · V1R1 · disa_xccdf · related
Details
Check Text (C-259127r935285_chk)
At the command prompt, run the following command:
# xmllint --xpath "//Host/@deployXML" /usr/lib/vmware-vsphere-ui/server/conf/server.xml
Expected result:
deployXML="false"
If "deployXML" does not equal "false", this is a finding.
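The same check as an added Python example (not part of the STIG or of VMware's tooling), which evaluates every `<Host>` element and covers the case the one-line check leaves implicit: a Host with no deployXML attribute at all, which also does not equal "false". The sample XML is constructed for illustration, and treating a file with no `<Host>` element as non-compliant is an assumption of this example.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample input (not a real vCenter server.xml).
SAMPLE = """<Server port="-1">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" autoDeploy="false"
            deployOnStartup="true" deployXML="false"/>
      <Host name="legacy" appBase="old" deployXML="true"/>
      <Host name="unset" appBase="other"/>
    </Engine>
  </Service>
</Server>"""


def audit_hosts(xml_data):
    """Return one (host name, deployXML value or None, is_finding) tuple per <Host>."""
    root = ET.fromstring(xml_data)  # accepts str, or bytes with an XML declaration
    results = []
    for host in root.iter("Host"):
        value = host.get("deployXML")  # None when the attribute is absent
        # The check expects the literal value "false"; anything else,
        # including a missing attribute, is reported as a finding.
        results.append((host.get("name", "<unnamed>"), value, value != "false"))
    return results


def is_compliant(xml_data):
    """True only if every <Host> sets deployXML="false".

    Assumption of this example: a file with no <Host> element cannot
    produce the expected result, so it is reported as non-compliant.
    """
    results = audit_hosts(xml_data)
    return bool(results) and not any(finding for _, _, finding in results)


if __name__ == "__main__":
    # Pass the server.xml path as the first argument; otherwise audit the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name, value, finding in audit_hosts(data):
        print(f"Host {name}: deployXML={value!r} -> {'FINDING' if finding else 'ok'}")
    sys.exit(0 if is_compliant(data) else 1)
```

Run it with /usr/lib/vmware-vsphere-ui/server/conf/server.xml as the argument; a non-zero exit status means at least one Host is a finding.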
Fix Text (F-62776r935284_fix)
Navigate to and open:
/usr/lib/vmware-vsphere-ui/server/conf/server.xml
Navigate to the <Host> node and configure it with deployXML="false".
Restart the service with the following command:
# vmon-cli --restart vsphere-ui