VCLD-67-000018 - VAMI must explicitly disable Multipurpose Internet Mail Extensions (MIME) mappings based on 'Content-Type' - Content-Type.

Information

Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more functionality than is needed for the operation of the hosted application poses a security issue. A user with too much access can view information that is not needed for the user's job role, or the user could use the function in an unintentional manner.

A MIME tells the web server what type of program various file types and extensions are and what external utilities or programs are needed to execute the file type. A limited number of MIME types must be configured manually and automatic mapping must be disabled.

Solution

Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf.

Add or reconfigure the following value:

mimetype.use-xattr = 'disable'

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_Y23M07_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7a., CAT|II, CCI|CCI-000381, Rule-ID|SV-239726r879587_rule, STIG-ID|VCLD-67-000018, Vuln-ID|V-239726

Plugin: Unix

Control ID: 5114c5538101cd9ce8cfa575a39f6338ef6d867879a367a846894d296f407b4d