UCF STIG Viewer Logo

The vCenter STS service must disable "ALLOW_BACKSLASH".


Overview

Finding ID Version Rule ID IA Controls Severity
V-258999 VCST-80-000151 SV-258999r961863_rule Medium
Description
When Tomcat is installed behind a proxy configured to only allow access to certain contexts (web applications), an HTTP request containing "/\../" may allow attackers to work around the proxy restrictions using directory traversal attack methods. If "allow_backslash" is "true", the "\" character will be permitted as a path delimiter. The default value for the setting is "false", but Tomcat must always be configured as if no proxy restricting context access was used, and "allow_backslash" should be set to "false" to prevent directory-traversal-style attacks. This setting can create operability issues with noncompliant clients.
STIG Date
VMware vSphere 8.0 vCenter Appliance Secure Token Service (STS) Security Technical Implementation Guide 2024-07-11

Details

Check Text ( C-62739r934653_chk )
At the command line, run the following command:

# grep ALLOW_BACKSLASH /usr/lib/vmware-sso/vmware-sts/conf/catalina.properties

Example result:

org.apache.catalina.connector.ALLOW_BACKSLASH=false

If "org.apache.catalina.connector.ALLOW_BACKSLASH" is not set to "false", this is a finding.

If the "org.apache.catalina.connector.ALLOW_BACKSLASH" setting does not exist, this is not a finding.
Fix Text (F-62648r934654_fix)
Navigate to and open:

/usr/lib/vmware-sso/vmware-sts/conf/catalina.properties

Update or remove the following line:

org.apache.catalina.connector.ALLOW_BACKSLASH=false

Restart the service with the following command:

# vmon-cli --restart sts