Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
VMware vSphere 8.0 vCenter Appliance User Interface (UI) Security Technical Implementation Guide
SRG-APP-000516-AS-000237
The vCenter UI service must enable "STRICT_SERVLET_COMPLIANCE".
The vCenter UI service must enable "STRICT_SERVLET_COMPLIANCE".
An XCCDF Rule
Details
Profiles
Prose
The vCenter UI service must enable "STRICT_SERVLET_COMPLIANCE".
Medium Severity
<VulnDiscussion>Strict Servlet Compliance forces Tomcat to adhere to standards specifications including but not limited to RFC2109. RFC2109 sets the standard for HTTP session management. This setting affects several other settings that primarily pertain to cookie headers, cookie values, and sessions. Cookies will be parsed for strict adherence to specifications. Note that changing a number of these default settings may break some systems, as some browsers are unable to correctly handle the cookie headers that result from a strict adherence to the specifications. This one setting changes the default values for the following settings: org.apache.catalina.core.ApplicationContext.GET_RESOURCE_REQUIRE_SLASH org.apache.catalina.core.ApplicationDispatcher.WRAP_SAME_OBJECT org.apache.catalina.core.StandardHostValve.ACCESS_SESSION org.apache.catalina.session.StandardSession.ACTIVITY_CHECK org.apache.catalina.session.StandardSession.LAST_ACCESS_AT_START org.apache.tomcat.util.http.ServerCookie.ALWAYS_ADD_EXPIRES org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING The "resourceOnlyServlets" attribute of any Context element. The "tldValidation" attribute of any Context element. The "useRelativeRedirects" attribute of any Context element. The "xmlNamespaceAware" attribute of any Context element. The "xmlValidation" attribute of any Context element.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>