← Back to VMware vSphere 7.0 vCenter Appliance Lookup Service Security Technical Implementation Guide

V-256708

CAT II (Medium)

Lookup Service must limit the maximum size of a POST request.

Rule ID

SV-256708r888715_rule

STIG

VMware vSphere 7.0 vCenter Appliance Lookup Service Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000054

Discussion

The "maxPostSize" value is the maximum size in bytes of the POST that will be handled by the container FORM URL parameter parsing. Limit its size to reduce exposure to a denial-of-service attack. If "maxPostSize" is not set, the default value of 2097152 (2MB) is used. Lookup Service is configured in its shipping state to not set a value for "maxPostSize".

Check Content

At the command prompt, run the following command:

# xmllint --xpath '/Server/Service/Connector[@port="${bio-custom.http.port}"]/@maxPostSize' /usr/lib/vmware-lookupsvc/conf/server.xml

Expected result:

XPath set is empty

If the output does not match the expected result, this is a finding.

Fix Text

Navigate to and open:

/usr/lib/vmware-lookupsvc/conf/server.xml

In the <Connector> node, remove the "maxPostSize" key/value pair.

Restart the service with the following command:

# vmon-cli --restart lookupsvc