vSphere Client must not enable support for TRACE requests.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-239766	VCFL-67-000025	SV-239766r679525_rule		Medium

Description
"Trace" is a technique for a user to request internal information about Tomcat. This is useful during product development but should not be enabled in production. Allowing an attacker to conduct a Trace operation against the Security Token Service will expose information that would be useful to perform a more targeted attack. vSphere Client provides the "allowTrace" parameter as a means to disable responding to Trace requests.

Description

"Trace" is a technique for a user to request internal information about Tomcat. This is useful during product development but should not be enabled in production. Allowing an attacker to conduct a Trace operation against the Security Token Service will expose information that would be useful to perform a more targeted attack. vSphere Client provides the "allowTrace" parameter as a means to disable responding to Trace requests.

STIG	Date
VMware vSphere 6.7 Virgo-Client Security Technical Implementation Guide	2021-03-18

Details

Check Text ( C-42999r679523_chk )
At the command prompt, execute the following command: # grep allowTrace /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml If "allowTrace" is set to "true", this is a finding. If no line is returned, this is NOT a finding.

Fix Text (F-42958r679524_fix)
Navigate to and open /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml. Navigate to and locate: 'allowTrace="true"' Remove the 'allowTrace="true"' setting.