VCLD-70-000012 - VAMI must explicitly disable Multipurpose Internet Mail Extensions (MIME) mime mappings based on 'Content-Type'.

Information

Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more functionality than is needed for the operation of the hosted application poses a security issue. A user with too much access can view information that is not needed for the user's job role, or the user could use the function in an unintentional manner.

A MIME tells the web server what type of program various file types and extensions are and what external utilities or programs are needed to execute the file type. A limited number of MIME types must be configured manually, and automatic mapping must be disabled.

Solution

Navigate to and open:

/opt/vmware/etc/lighttpd/lighttpd.conf

Add or reconfigure the following value:

mimetype.use-xattr = 'disable'

Restart the service with the following command:

# vmon-cli --restart applmgmt

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_7-0_Y23M07_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7a., CAT|II, CCI|CCI-000381, Rule-ID|SV-256656r888490_rule, STIG-ID|VCLD-70-000012, Vuln-ID|V-256656

Plugin: Unix

Control ID: fcadbc2451a58f3f5e1e64492bcadfa6f22bcfa8dd8bc22d17f2de277d980fed