← Back to VMware vSphere 8.0 vCenter Appliance User Interface (UI) Security Technical Implementation Guide

V-259134

CAT II (Medium)

The vCenter UI service must enable "ENFORCE_ENCODING_IN_GET_WRITER".

Rule ID

SV-259134r935306_rule

STIG

VMware vSphere 8.0 vCenter Appliance User Interface (UI) Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000366

Discussion

Some clients try to guess the character encoding of text media when the mandated default of ISO-8859-1 should be used. Some browsers will interpret as UTF-7 when the characters are safe for ISO-8859-1. This can create the potential for a XSS attack. To defend against this, enforce_encoding_in_get_writer must be set to true.

Check Content

At the command line, run the following command:

# grep ENFORCE_ENCODING_IN_GET_WRITER /usr/lib/vmware-vsphere-ui/server/conf/catalina.properties

Example result:

org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER=true

If "org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER" is not set to "true", this is a finding.

If the "org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER" setting does not exist, this is not a finding.

Fix Text

Navigate to and open:

/usr/lib/vmware-vsphere-ui/server/conf/catalina.properties

Update or remove the following line:

org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER=true

Restart the service with the following command:

# vmon-cli --restart vsphere-ui