The vCenter VAMI service must explicitly disable Multipurpose Internet Mail Extensions (MIME) mime mappings based on "Content-Type".

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-259143	VCLD-80-000031	SV-259143r1003697_rule		Medium

Description
Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more functionality than is needed for the operation of the hosted application poses a security issue. A user with too much access can view information that is not needed for the user's job role, or the user could use the function in an unintentional manner. A MIME tells the web server what type of program various file types and extensions are and what external utilities or programs are needed to execute the file type. A limited number of MIME types must be configured manually, and automatic mapping must be disabled.

Description

Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more functionality than is needed for the operation of the hosted application poses a security issue. A user with too much access can view information that is not needed for the user's job role, or the user could use the function in an unintentional manner. A MIME tells the web server what type of program various file types and extensions are and what external utilities or programs are needed to execute the file type. A limited number of MIME types must be configured manually, and automatic mapping must be disabled.

STIG	Date
VMware vSphere 8.0 vCenter Appliance Management Interface (VAMI) Security Technical Implementation Guide	2024-07-11

Details

Check Text ( C-62883r1003695_chk )
At the command prompt, run the following command: # /opt/vmware/cap_lighttpd/sbin/lighttpd -p -f /var/lib/vmware/cap-lighttpd/lighttpd.conf 2>/dev/null\|grep "mimetype.use-xattr" Example result: mimetype.use-xattr="disable" If "mimetype.use-xattr" is not set to "disable", this is a finding. Note: The command must be run from a bash shell and not from a shell generated by the "appliance shell". Use the "chsh" command to change the shell for the account to "/bin/bash". Refer to KB Article 2100508 for more details: https://kb.vmware.com/s/article/2100508

Check Text ( C-62883r1003695_chk )

At the command prompt, run the following command:

# /opt/vmware/cap_lighttpd/sbin/lighttpd -p -f /var/lib/vmware/cap-lighttpd/lighttpd.conf 2>/dev/null|grep "mimetype.use-xattr"

Example result:

mimetype.use-xattr="disable"

If "mimetype.use-xattr" is not set to "disable", this is a finding.

Note: The command must be run from a bash shell and not from a shell generated by the "appliance shell". Use the "chsh" command to change the shell for the account to "/bin/bash". Refer to KB Article 2100508 for more details:

https://kb.vmware.com/s/article/2100508

Fix Text (F-62792r1003696_fix)
Navigate to and open: /var/lib/vmware/cap-lighttpd/lighttpd.conf Add or reconfigure the following value: mimetype.use-xattr = "disable" Restart the service with the following command: # systemctl restart cap-lighttpd