vSphere UI must disable the shutdown port.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-239710	VCUI-67-000029	SV-239710r679236_rule		Medium

Description
An attacker has at least two reasons to stop a web server. The first is to cause a denial of service, and the second is to put in place changes the attacker made to the web server configuration. If the Tomcat shutdown port feature is enabled, a shutdown signal can be sent to vSphere UI through this port. To ensure availability, the shutdown port must be disabled.

STIG	Date
VMware vSphere 6.7 UI Tomcat Security Technical Implementation Guide	2021-04-15

Details

Check Text ( C-42943r679234_chk )
At the command prompt, execute the following commands: # xmllint --format /usr/lib/vmware-vsphere-ui/server/conf/server.xml \| sed '2 s/xmlns=".*"//g' \| xmllint --xpath '/Server/@port' - Expected result: port="${shutdown.port}" If the output does not match the expected result, this is a finding. # grep shutdown /etc/vmware/vmware-vmon/svcCfgfiles/vsphere-ui.json Expected result: "-Dshutdown.port=-1", If the output does not match the expected result, this is a finding.

Check Text ( C-42943r679234_chk )

At the command prompt, execute the following commands:

# xmllint --format /usr/lib/vmware-vsphere-ui/server/conf/server.xml | sed '2 s/xmlns=".*"//g' | xmllint --xpath '/Server/@port' -

Expected result:

port="${shutdown.port}"

If the output does not match the expected result, this is a finding.

# grep shutdown /etc/vmware/vmware-vmon/svcCfgfiles/vsphere-ui.json

Expected result:

"-Dshutdown.port=-1",

If the output does not match the expected result, this is a finding.

Fix Text (F-42902r679235_fix)
Navigate to and open /usr/lib/vmware-vsphere-ui/server/conf/server.xml. Make sure that the server port is disabled: