The vCenter STS service "ErrorReportValve showServerInfo" must be set to "false".

An XCCDF Rule

Description

<VulnDiscussion>The Error Report Valve is a simple error handler for HTTP status codes that will generate and return HTML error pages. It can also be configured to return predefined static HTML pages for specific status codes and/or exception types. Disabling "showServerInfo" will only return the HTTP status code and remove all CSS from the default nonerror-related HTTP responses.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-258982r934604_rule
Severity: Medium
References: CCI-001312
Updated: 8 months ago

Navigate to and open:

/usr/lib/vmware-sso/vmware-sts/conf/server.xml

Locate the following Host block:
<Host ...>
...
</Host>

Inside this block, add or update the following on a new line:

<Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="false" showReport="false"/>

Restart the service with the following command:

# vmon-cli --restart sts

The vCenter STS service "ErrorReportValve showServerInfo" must be set to "false".

Description

Remediation - Manual Procedure