← Back to VMware vSphere 7.0 vCenter Appliance UI Security Technical Implementation Guide

V-256780

CAT II (Medium)

vSphere UI must limit the maximum size of a POST request.

Rule ID

SV-256780r889339_rule

STIG

VMware vSphere 7.0 vCenter Appliance UI Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000054

Discussion

The "maxPostSize" value is the maximum size in bytes of the POST which will be handled by the container FORM URL parameter parsing. Limit its size to reduce exposure to a denial-of-service attack. If "maxPostSize" is not set, the default value of 2097152 (2MB) is used. The vSphere UI is configured in its shipping state to not set a value for "maxPostSize".

Check Content

At the command prompt, run the following command: 
 
# xmllint --xpath '/Server/Service/Connector[@port="${http.port}"]/@maxPostSize' /usr/lib/vmware-vsphere-ui/server/conf/server.xml 
 
Expected result: 
 
XPath set is empty 
 
If the output does not match the expected result, this is a finding.

Fix Text

Navigate to and open: 
 
/usr/lib/vmware-vsphere-ui/server/conf/server.xml 
 
Navigate to each of the <Connector> nodes. 
 
Remove any configuration for "maxPostSize". 
 
Restart the service with the following command: 
 
# vmon-cli --restart vsphere-ui