The Security Token Service must have mappings set for Java servlet pages.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-256757 | VCST-70-000013 | SV-256757r889241_rule | Medium |
| Description |
| Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and identify which file types are not to be delivered to a client. By not specifying which files can and cannot be served to a user, the web server could deliver to a user web server configuration files, log files, password files, etc. As Tomcat is a Java-based web server, the main file extension used is *.jsp. This check ensures the *.jsp and *.jspx file types have been properly mapped to servlets. |
| STIG | Date |
| VMware vSphere 7.0 vCenter Appliance STS Security Technical Implementation Guide | 2023-06-15 |
Details
| Check Text (C-60432r889239_chk) |
| At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-sso/vmware-sts/conf/web.xml | sed '2 s/xmlns=".*"//g' | xmllint --xpath '/web-app/servlet-mapping/servlet-name[text()="jsp"]/parent::servlet-mapping' - Expected result: <servlet-mapping> <servlet-name>jsp</servlet-name> <url-pattern>*.jsp</url-pattern> <url-pattern>*.jspx</url-pattern> </servlet-mapping> If the output of the command does not match the expected result, this is a finding. |
| Fix Text (F-60375r889240_fix) |
| Navigate to and open: /usr/lib/vmware-sso/vmware-sts/conf/web.xml Inside the <web-app> parent node, add the following: <servlet-mapping> <servlet-name>jsp</servlet-name> <url-pattern>*.jsp</url-pattern> <url-pattern>*.jspx</url-pattern> </servlet-mapping> Restart the service with the following command: # vmon-cli --restart sts |