Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The vCenter UI service must enable "ENFORCE_ENCODING_IN_GET_WRITER".
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-259134 | VCUI-80-000152 | SV-259134r935306_rule | Medium |
| Description |
|---|
| Some clients try to guess the character encoding of text media when the mandated default of ISO-8859-1 should be used. Some browsers will interpret as UTF-7 when the characters are safe for ISO-8859-1. This can create the potential for a XSS attack. To defend against this, enforce_encoding_in_get_writer must be set to true. |
| STIG | Date |
|---|---|
| VMware vSphere 8.0 vCenter Appliance User Interface (UI) Security Technical Implementation Guide | 2023-10-29 |
Details
| Check Text ( C-62874r935304_chk ) |
|---|
| At the command line, run the following command: # grep ENFORCE_ENCODING_IN_GET_WRITER /usr/lib/vmware-vsphere-ui/server/conf/catalina.properties Example result: org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER=true If "org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER" is not set to "true", this is a finding. If the "org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER" setting does not exist, this is not a finding. |
| Fix Text (F-62783r935305_fix) |
|---|
| Navigate to and open: /usr/lib/vmware-vsphere-ui/server/conf/catalina.properties Update or remove the following line: org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER=true Restart the service with the following command: # vmon-cli --restart vsphere-ui |