Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-256795 | VCUI-70-000018 | SV-256795r889384_rule | Medium |
Description |
---|
Cookies are used to exchange data between the web server and the client. Cookies, such as a session cookie, may contain session information and user credentials used to maintain a persistent connection between the user and the hosted application since HTTP/HTTPS is a stateless protocol. vSphere UI is bound to the "/ui" virtual path behind the reverse proxy, and its cookies are configured as such. This configuration must be confirmed and maintained. |
STIG | Date |
---|---|
VMware vSphere 7.0 vCenter Appliance UI Security Technical Implementation Guide | 2023-06-15 |
Check Text ( C-60470r889382_chk ) |
---|
At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-vsphere-ui/server/conf/context.xml | xmllint --xpath '/Context/@sessionCookiePath' - Expected result: sessionCookiePath="/ui" If the output does not match the expected result, this is a finding. |
Fix Text (F-60413r889383_fix) |
---|
Navigate to and open: /usr/lib/vmware-vsphere-ui/server/conf/context.xml Add the following configuration to the sessionCookiePath="/ui" Example: Restart the service with the following command: # vmon-cli --restart vsphere-ui |