VCUI-67-000032 - vSphere UI must restrict its cookie path.

Information

When cookie parameters (i.e., the domain and path parameters) are not set properly, cookies can be shared among applications hosted on the same web server or with applications hosted on different web servers residing on the same domain.

vSphere UI is bound to the '/ui' virtual path behind the reverse proxy, and its cookies are configured as such. This configuration must be confirmed and maintained.

Solution

Navigate to and open /usr/lib/vmware-vsphere-ui/server/conf/context.xml.

Add the following configuration to the <Context> node:

sessionCookiePath='/ui'

Example:

<Context useHttpOnly='true' sessionCookieName='VSPHERE-UI-JSESSIONID' sessionCookiePath='/ui'>
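To confirm the setting after the edit, the check below parses context.xml and verifies the attribute on the <Context> root instead of matching text, so a value that appears only inside an XML comment does not pass. It is an added example, not part of the STIG or of VMware's tooling; the function names and sample inputs are constructed for illustration, while the file path and expected value come from the Solution above.

```python
import sys
import xml.etree.ElementTree as ET

# Path and expected value are taken from the Solution text above.
CONTEXT_XML = "/usr/lib/vmware-vsphere-ui/server/conf/context.xml"
EXPECTED_PATH = "/ui"

def check_cookie_path(xml_data, expected=EXPECTED_PATH):
    """Return (compliant, finding) for the contents of a Tomcat context.xml."""
    try:
        root = ET.fromstring(xml_data)  # accepts str or bytes
    except ET.ParseError as exc:
        return False, f"context.xml is not well-formed XML: {exc}"
    if root.tag != "Context":
        return False, f"root element is <{root.tag}>, expected <Context>"
    value = root.get("sessionCookiePath")
    if value is None:
        return False, "sessionCookiePath is not set on <Context>"
    if value != expected:
        return False, f"sessionCookiePath is {value!r}, expected {expected!r}"
    return True, f"sessionCookiePath is {expected!r}"

def audit_file(path=CONTEXT_XML):
    """Read the file as bytes so any XML encoding declaration is honoured."""
    with open(path, "rb") as fh:
        return check_cookie_path(fh.read())

# Constructed sample inputs (not captured from a real appliance).
SAMPLE_COMPLIANT = ("<Context useHttpOnly='true' "
                    "sessionCookieName='VSPHERE-UI-JSESSIONID' "
                    "sessionCookiePath='/ui'></Context>")
SAMPLE_MISSING = ("<Context useHttpOnly='true' "
                  "sessionCookieName='VSPHERE-UI-JSESSIONID'></Context>")
SAMPLE_WRONG = "<Context useHttpOnly='true' sessionCookiePath='/'></Context>"
# The attribute appears only in a comment: a plain text search would match it.
SAMPLE_COMMENTED = ("<Context useHttpOnly='true'>"
                    "<!-- sessionCookiePath='/ui' --></Context>")

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else CONTEXT_XML
    ok, finding = audit_file(target)
    print(("PASS: " if ok else "FAIL: ") + finding)
    sys.exit(0 if ok else 1)
```

Run it on the appliance with no arguments to audit the default path, or pass a path to a copy of the file; the exit status is 0 only when the attribute is exactly '/ui'.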

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_Y23M07_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-23(3), CAT|II, CCI|CCI-001664, Rule-ID|SV-239713r879638_rule, STIG-ID|VCUI-67-000032, Vuln-ID|V-239713

Plugin: Unix

Control ID: 49f5d7768f911b585ddfecebdb04eec1c8fc4bc245705da8886e9bc03c44ade0