UCF STIG Viewer Logo

The Security Token Service must disable the shutdown port.


Finding ID Version Rule ID IA Controls Severity
V-239680 VCST-67-000029 SV-239680r816765_rule Medium
An attacker has at least two reasons to stop a web server. The first is to cause a denial of service, and the second is to put in place changes the attacker made to the web server configuration. If the Tomcat shutdown port feature is enabled, a shutdown signal can be sent to the Security Token Service through this port. To ensure availability, the shutdown port must be disabled.
VMware vSphere 6.7 STS Tomcat Security Technical Implementation Guide 2022-01-03


Check Text ( C-42913r816763_chk )
Connect to the PSC, whether external or embedded.

At the command prompt, execute the following command:

# grep 'base.shutdown.port' /usr/lib/vmware-sso/vmware-sts/conf/catalina.properties

Expected result:


If the output of the command does not match the expected result, this is a finding.
Fix Text (F-42872r816764_fix)
Connect to the PSC, whether external or embedded.

Open /usr/lib/vmware-sso/vmware-sts/conf/catalina.properties in a text editor.

Add or modify the following setting: