
vSphere UI must restrict its cookie path.


Overview

Finding ID: V-239713
Version: VCUI-67-000032
Rule ID: SV-239713r679245_rule
IA Controls:
Severity: Medium
Description
When the cookie parameters (i.e., the domain and path parameters) are not set properly, cookies can be shared among applications hosted on the same web server, or with applications hosted on different web servers in the same domain. vSphere UI is bound to the "/ui" virtual path behind the reverse proxy, and its cookies are configured to match. This configuration must be confirmed and maintained.
STIG: VMware vSphere 6.7 UI Tomcat Security Technical Implementation Guide
Date: 2021-04-15

Details

Check Text (C-42946r679243_chk)
At the command prompt, execute the following command:

# xmllint --format /usr/lib/vmware-vsphere-ui/server/conf/context.xml | xmllint --xpath '/Context/@sessionCookiePath' -

Expected result:

sessionCookiePath="/ui"

If the output does not match the expected result, this is a finding.
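
The same check as a script that states why a file is a finding, added here as an example (it is not part of the STIG or of VMware's tooling). The function name and the sample documents are assumptions made for illustration; the path and expected value come from the check text above.

```python
import sys
import xml.etree.ElementTree as ET

# Path and expected value are taken from the check text above.
CONTEXT_XML = "/usr/lib/vmware-vsphere-ui/server/conf/context.xml"
EXPECTED_PATH = "/ui"


def check_session_cookie_path(xml_data, expected=EXPECTED_PATH):
    """Return (is_finding, detail) for the contents of a Tomcat context.xml.

    Mirrors the XPath /Context/@sessionCookiePath: only the attribute on the
    root <Context> element counts, and the value must match exactly.
    """
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError as exc:
        return True, f"not well-formed XML: {exc}"
    if root.tag != "Context":
        return True, f"root element is <{root.tag}>, not <Context>"
    actual = root.get("sessionCookiePath")
    if actual is None:
        return True, "sessionCookiePath is not set on <Context>"
    if actual != expected:
        return True, f'sessionCookiePath="{actual}", expected "{expected}"'
    return False, f'sessionCookiePath="{actual}"'


# Constructed sample documents (not copied from a real appliance).
SAMPLES = {
    "compliant": '<Context sessionCookiePath="/ui"><Manager/></Context>',
    "missing": "<Context><Manager/></Context>",
    "too_broad": '<Context sessionCookiePath="/"><Manager/></Context>',
    "wrong_element": '<Context><Manager sessionCookiePath="/ui"/></Context>',
    "truncated": '<Context sessionCookiePath="/ui">',
}

if __name__ == "__main__":
    # With no argument, check the file named in the STIG; otherwise the given path.
    path = sys.argv[1] if len(sys.argv) > 1 else CONTEXT_XML
    with open(path, "rb") as fh:
        finding, detail = check_session_cookie_path(fh.read())
    print(("FINDING: " if finding else "Not a finding: ") + detail)
    sys.exit(1 if finding else 0)
```

The script exits non-zero on a finding, so it can be called from a scheduled compliance job.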
Fix Text (F-42905r679244_fix)
Navigate to and open /usr/lib/vmware-vsphere-ui/server/conf/context.xml.

Add the following configuration to the <Context> node:

sessionCookiePath="/ui"

Example: