The vCenter Lookup service must disable "ALLOW_BACKSLASH".

An XCCDF Rule

Description

<VulnDiscussion>When Tomcat is installed behind a proxy configured to only allow access to certain contexts (web applications), an HTTP request containing "/\../" may allow attackers to work around the proxy restrictions using directory traversal attack methods. If "allow_backslash" is "true", the "\" character will be permitted as a path delimiter. The default value for the setting is "false", but Tomcat must always be configured as if no proxy restricting context access was used, and "allow_backslash" should be set to "false" to prevent directory-traversal-style attacks. This setting can create operability issues with noncompliant clients.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-259067r961863_rule
Severity: Medium
References: CCI-000366
Updated: 17 days ago

Navigate to and open:

/usr/lib/vmware-lookupsvc/conf/catalina.properties

Update or remove the following line:
org.apache.catalina.connector.ALLOW_BACKSLASH=false

Restart the service with the following command:

# vmon-cli --restart lookupsvc

The vCenter Lookup service must disable "ALLOW_BACKSLASH".

Description

Remediation - Manual Procedure