UCF STIG Viewer Logo

ESX Agent Manager must disable the shutdown port.


Overview

Finding ID Version Rule ID IA Controls Severity
V-239401 VCEM-67-000030 SV-239401r674697_rule Medium
Description
An attacker has at least two reasons to stop a web server. The first is to cause a denial of service, and the second is to put in place changes the attacker made to the web server configuration. If the Tomcat shutdown port feature is enabled, a shutdown signal can be sent to the ESX Agent Manager through this port. To ensure availability, the shutdown port must be disabled.
STIG Date
VMware vSphere 6.7 EAM Tomcat Security Technical Implementation Guide 2021-04-15

Details

Check Text ( C-42634r674695_chk )
At the command prompt, execute the following command:

# grep 'base.shutdown.port' /etc/vmware-eam/catalina.properties

Expected result:

base.shutdown.port=-1

If the output of the command does not match the expected result, this is a finding.
Fix Text (F-42593r674696_fix)
Open /etc/vmware-eam/catalina.properties in a text editor.

Add or modify the setting "base.shutdown.port=-1" in the "catalina.properties" file.