The Security Token Service must not enable support for TRACE requests.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-239676	VCST-67-000025	SV-239676r816753_rule		Medium

Description
"Trace" is a technique for a user to request internal information about Tomcat. This is useful during product development but should not be enabled in production. Allowing an attacker to conduct a Trace operation against the Security Token Service will expose information that would be useful to perform a more targeted attack. The Security Token Service provides the "allowTrace" parameter as a means to disable responding to Trace requests.

Description

"Trace" is a technique for a user to request internal information about Tomcat. This is useful during product development but should not be enabled in production. Allowing an attacker to conduct a Trace operation against the Security Token Service will expose information that would be useful to perform a more targeted attack. The Security Token Service provides the "allowTrace" parameter as a means to disable responding to Trace requests.

STIG	Date
VMware vSphere 6.7 STS Tomcat Security Technical Implementation Guide	2022-01-03

Details

Check Text ( C-42909r816751_chk )
Connect to the PSC, whether external or embedded. At the command prompt, execute the following command: # grep allowTrace /usr/lib/vmware-sso/vmware-sts/conf/server.xml If "allowTrace" is set to "true", this is a finding. If no line is returned, this is NOT a finding.

Fix Text (F-42868r816752_fix)
Connect to the PSC, whether external or embedded. Navigate to and open /usr/lib/vmware-sso/vmware-sts/conf/server.xml. Navigate to and locate: 'allowTrace="true"' Remove the 'allowTrace="true"' setting.