VCUI-70-000018 - vSphere UI must restrict its cookie path.

Information

Cookies are used to exchange data between the web server and the client. Cookies, such as a session cookie, may contain session information and user credentials used to maintain a persistent connection between the user and the hosted application since HTTP/HTTPS is a stateless protocol.

vSphere UI is bound to the '/ui' virtual path behind the reverse proxy, and its cookies are configured as such. This configuration must be confirmed and maintained.

Solution

Navigate to and open:

/usr/lib/vmware-vsphere-ui/server/conf/context.xml

Add the following configuration to the <Context> node:

sessionCookiePath='/ui'

Example:

<Context useHttpOnly='true' sessionCookieName='VSPHERE-UI-JSESSIONID' sessionCookiePath='/ui'>

Restart the service with the following command:

# vmon-cli --restart vsphere-ui

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_7-0_Y23M07_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-23(3), CAT|II, CCI|CCI-001664, Rule-ID|SV-256795r889384_rule, STIG-ID|VCUI-70-000018, Vuln-ID|V-256795

Plugin: Unix

Control ID: 9eab52fedee42093d5ae004461b54539ca93c6e7fb3dba7f54659546ad75339b