Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The vCenter UI service must disable "ALLOW_BACKSLASH".
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-259133 | VCUI-80-000151 | SV-259133r935303_rule | Medium |
| Description |
|---|
| When Tomcat is installed behind a proxy configured to only allow access to certain contexts (web applications), an HTTP request containing "/\../" may allow attackers to work around the proxy restrictions using directory traversal attack methods. If "allow_backslash" is "true", the "\" character will be permitted as a path delimiter. The default value for the setting is "false", but Tomcat must always be configured as if no proxy restricting context access was used, and "allow_backslash" should be set to "false" to prevent directory-traversal-style attacks. This setting can create operability issues with noncompliant clients. |
| STIG | Date |
|---|---|
| VMware vSphere 8.0 vCenter Appliance User Interface (UI) Security Technical Implementation Guide | 2023-10-29 |
Details
| Check Text ( C-62873r935301_chk ) |
|---|
| At the command line, run the following command: # grep ALLOW_BACKSLASH /usr/lib/vmware-vsphere-ui/server/conf/catalina.properties Example result: org.apache.catalina.connector.ALLOW_BACKSLASH=false If "org.apache.catalina.connector.ALLOW_BACKSLASH" is not set to "false", this is a finding. If the "org.apache.catalina.connector.ALLOW_BACKSLASH" setting does not exist, this is not a finding. |
| Fix Text (F-62782r935302_fix) |
|---|
| Navigate to and open: /usr/lib/vmware-vsphere-ui/server/conf/catalina.properties Update or remove the following line: org.apache.catalina.connector.ALLOW_BACKSLASH=false Restart the service with the following command: # vmon-cli --restart vsphere-ui |