The vCenter STS service shutdown port must be disabled.

An XCCDF Rule

Description

<VulnDiscussion>Tomcat by default listens on TCP port 8005 to accept shutdown requests. By connecting to this port and sending the SHUTDOWN command, all applications within Tomcat are halted. The shutdown port is not exposed to the network as it is bound to the loopback interface. Setting the port to "-1" in $CATALINA_BASE/conf/server.xml instructs Tomcat to not listen for the shutdown command.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-258990r960963_rule
Severity: Medium
References: CCI-000381
Updated: 17 days ago

Navigate to and open:

/usr/lib/vmware-sso/vmware-sts/conf/catalina.properties

Add or modify the setting "base.shutdown.port=-1" in the "catalina.properties" file.
Navigate to and open:

/usr/lib/vmware-sso/vmware-sts/conf/server.xml

Configure the <Server> node with the value:

port="${base.shutdown.port}"

Restart the service with the following command:

# vmon-cli --restart sts

The vCenter STS service shutdown port must be disabled.

Description

Remediation - Manual Procedure