STIGQter STIGQter: STIG Summary: VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 28 Sep 2018: tc Server API must be configured with a cross-site scripting (XSS) filter.

DISA Rule

SV-99641r1_rule

Vulnerability Number

V-88991

Group Title

SRG-APP-000246-WSR-000149

Rule Version

VROM-TC-000630

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Navigate to and open /usr/lib/vmware-vcops/tomcat-enterprise/webapps/suite-api/WEB-INF/web.xml.

Configure a <filter> node with the below configuration:

<filter>
<filter-name>xssfilter</filter-name>
<filter-class>com.vmware.vcops.ui.util.XssFilter</filter-class>

<init-param>
<!-- Comma separated list of URLs that will be sanitized by this filter -->
<param-name>fileIncludes</param-name>
<param-value>/vcops/services/api.js,/vcops/services/api-debug.js,/vcops/services/api-debug-doc.js</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>xssfilter</filter-name>
<url-pattern>/vcops/services/*</url-pattern>
</filter-mapping>

Check Contents

At the command prompt, execute the following command:

grep -B 2 -A 7 XssFilter /usr/lib/vmware-vcops/tomcat-enterprise/webapps/suite-api/WEB-INF/web.xml

If the XSS filter is not present and there is no result returned, then this is a finding.

Vulnerability Number

V-88991

Documentable

False

Rule Version

VROM-TC-000630

Severity Override Guidance

At the command prompt, execute the following command:

grep -B 2 -A 7 XssFilter /usr/lib/vmware-vcops/tomcat-enterprise/webapps/suite-api/WEB-INF/web.xml

If the XSS filter is not present and there is no result returned, then this is a finding.

Check Content Reference

M

Target Key

3441

Comments