The Security Token Service must not enable support for TRACE requests.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-256769 | SRG-APP-000266-WSR-000160 | VCST-70-000025 | SV-256769r889277_rule | 2023-06-15 | 1 |
Description
"TRACE" is a technique for a user to request internal information about Tomcat. This is useful during product development but should not be enabled in production. Allowing an attacker to conduct a TRACE operation against the Security Token Service will expose information that would be useful to perform a more targeted attack.
The Security Token Service provides the "allowTrace" parameter as means to disable responding to TRACE requests.
ℹ️ Check
At the command prompt, run the following command:
# grep allowTrace /usr/lib/vmware-sso/vmware-sts/conf/server.xml
If "allowTrace" is set to "true", this is a finding.
If no line is returned, this is not a finding.
✔️ Fix
Navigate to and open:
/usr/lib/vmware-sso/vmware-sts/conf/server.xml
Locate and remove the 'allowTrace="true"' setting.
Restart the service with the following command:
# vmon-cli --restart sts