vSphere UI must not enable support for TRACE requests.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-239705	VCUI-67-000024	SV-239705r679221_rule		Medium

Description
"Trace" is a technique for a user to request internal information about Tomcat. This is useful during product development but should not be enabled in production. Allowing an attacker to conduct a Trace operation against the Security Token Service will expose information that would be useful to perform a more targeted attack. vSphere UI provides the "allowTrace" parameter as a means to disable responding to Trace requests.

Description

"Trace" is a technique for a user to request internal information about Tomcat. This is useful during product development but should not be enabled in production. Allowing an attacker to conduct a Trace operation against the Security Token Service will expose information that would be useful to perform a more targeted attack. vSphere UI provides the "allowTrace" parameter as a means to disable responding to Trace requests.

STIG	Date
VMware vSphere 6.7 UI Tomcat Security Technical Implementation Guide	2021-04-15

Details

Check Text ( C-42938r679219_chk )
At the command prompt, execute the following command: # grep allowTrace /usr/lib/vmware-vsphere-ui/server/conf/server.xml If "allowTrace" is set to "true", this is a finding. If no line is returned, this is NOT a finding.

Fix Text (F-42897r679220_fix)
Navigate to and open /usr/lib/vmware-vsphere-ui/server/conf/server.xml. Navigate to and locate: 'allowTrace="true"' Remove the 'allowTrace="true"' setting.