VCUI-67-000003 - vSphere UI must limit the maximum size of a POST request.

Gavin M. Dennis

22 April 2022 15:09

Details

The 'maxPostSize' value is the maximum size in bytes of the POST that will be handled by the container FORM URL parameter parsing. Limit its size to reduce exposure to a denial-of-service attack.

If 'maxPostSize' is not set, the default value of 2097152 (2MB) is used. Security Token Service is configured in its shipping state to not set a value for 'maxPostSize''.

Solution

Navigate to and open /usr/lib/vmware-vsphere-ui/server/conf/server.xml.

Navigate to each of the nodes.

Remove any configuration for 'maxPostSize'.

Supportive Information

The following resource is also helpful.

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Unix.

References

800-53|AC-10
CAT|II
CCI|CCI-000054
Rule-ID|SV-239684r679158_rule
STIG-ID|VCUI-67-000003
Vuln-ID|V-239684

Source

Tenable.com/audits

PS. Before you go.

Request a quote to protect your organisation from cyber attacks and breaches.

Was this article helpful?

0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.

Articles in this section