VCUI-67-000024 - vSphere UI must not enable support for TRACE requests.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version


'Trace' is a technique for a user to request internal information about Tomcat. This is useful during product development but should not be enabled in production. Allowing an attacker to conduct a Trace operation against the Security Token Service will expose information that would be useful to perform a more targeted attack. vSphere UI provides the 'allowTrace' parameter as a means to disable responding to Trace requests.


Navigate to and open /usr/lib/vmware-vsphere-ui/server/conf/server.xml.

Navigate to and locate:


Remove the 'allowTrace='true'' setting.

See Also

Item Details

References: CAT|II, CCI|CCI-001312, Rule-ID|SV-239705r679221_rule, STIG-ID|VCUI-67-000024, Vuln-ID|V-239705

Plugin: Unix

Control ID: bd8674e87710634ebb5df189ba2ef1115628192cad9e5707abb9404a44aa9e95