← Back to VMware vSphere 7.0 vCenter Appliance STS Security Technical Implementation Guide

V-256747

CAT II (Medium)

The Security Token Service must limit the maximum size of a POST request.

Rule ID

SV-256747r889211_rule

STIG

VMware vSphere 7.0 vCenter Appliance STS Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000054

Discussion

The "maxPostSize" value is the maximum size in bytes of the POST that will be handled by the container FORM URL parameter parsing. Limit its size to reduce exposure to a denial-of-service (DoS) attack. If "maxPostSize" is not set, the default value of 2097152 (2MB) is used. Security Token Service is configured in its shipping state to not set a value for "maxPostSize".

Check Content

At the command prompt, run the following command: 
 
# xmllint --xpath '/Server/Service/Connector[@port="${bio-custom.http.port}"]/@maxPostSize' /usr/lib/vmware-sso/vmware-sts/conf/server.xml 
 
Expected result: 
 
XPath set is empty 
 
If the output does not match the expected result, this is a finding.

Fix Text

Navigate to and open: 
 
/usr/lib/vmware-sso/vmware-sts/conf/server.xml 
 
Navigate to each of the <Connector> nodes. 
 
Remove any configuration for "maxPostSize". 
 
Restart the service with the following command: 
 
# vmon-cli --restart sts