VCFL-67-000003 - vSphere Client must limit the maximum size of a POST request.


The 'maxPostSize' value is the maximum size in bytes of the POST that will be handled by the container FORM URL parameter parsing. Limit its size to reduce exposure to a denial-of-service attack.

If 'maxPostSize' is not set, the default value of 2097152 (2MB) is used. Security Token Service is configured in its shipping state to not set a value for 'maxPostSize'.


Navigate to and open /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml.

Navigate to each of the nodes.

Remove any configuration for 'maxPostSize'.

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Unix.