Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The Security Token Service must limit the maximum size of a POST request.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-256747 | VCST-70-000003 | SV-256747r889211_rule | Medium |
| Description |
|---|
| The "maxPostSize" value is the maximum size in bytes of the POST that will be handled by the container FORM URL parameter parsing. Limit its size to reduce exposure to a denial-of-service (DoS) attack. If "maxPostSize" is not set, the default value of 2097152 (2MB) is used. Security Token Service is configured in its shipping state to not set a value for "maxPostSize". |
| STIG | Date |
|---|---|
| VMware vSphere 7.0 vCenter Appliance STS Security Technical Implementation Guide | 2023-06-15 |
Details
| Check Text ( C-60422r889209_chk ) |
|---|
| At the command prompt, run the following command: # xmllint --xpath '/Server/Service/Connector[@port="${bio-custom.http.port}"]/@maxPostSize' /usr/lib/vmware-sso/vmware-sts/conf/server.xml Expected result: XPath set is empty If the output does not match the expected result, this is a finding. |
| Fix Text (F-60365r889210_fix) |
|---|
| Navigate to and open: /usr/lib/vmware-sso/vmware-sts/conf/server.xml Navigate to each of the Remove any configuration for "maxPostSize". Restart the service with the following command: # vmon-cli --restart sts |