V-220339
MarkLogic Server v9 Security Technical Implementation Guide
Title
MarkLogic Server must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.
Description
Database management includes the ability to control the number of users and user sessions utilizing a DBMS. Unlimited concurrent connections to the DBMS could allow a successful Denial of Service (DoS) attack by exhausting connection resources and a system can also fail or be degraded by an overload of legitimate users. Limiting the number of concurrent sessions per user is helpful in reducing these risks. This requirement addresses concurrent session control for a single accoun...
Fix Text (Documentation Requirement)
Determine whether the system documentation specifies limits on the number of concurrent DBMS sessions per account by type of user. If it does not, assume a limit of 10 for database administrators and 2 for all other users. Fix the concurrent-sessions settings in MarkLogic. Perform the fix from the MarkLogic Server Admin Interface with a user that holds administrative-level privileges.
1. Click the Groups icon.
2. Click the group in which the App Server to be fixed resides (e.g., Default).
3. Click the App Servers icon on the left tree menu.
4. Select the App Server in which to fix session limits. The App Server Configuration page displays.
5. In the concurrent request limit field, enter a value corresponding to the organization-defined maximum number of concurrent user sessions...
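The following is an added example, not part of this STIG entry, showing the same App Server setting checked and corrected through MarkLogic's XQuery Admin API (run from Query Console as an administrative user) so the fix can be scripted across many App Servers instead of clicked through. The group name "Default", the App Server name "App-Services" and the limit of 2 (the value this entry assumes for non-administrator users) are assumptions; the admin:appserver-get-concurrent-request-limit and admin:appserver-set-concurrent-request-limit function names are taken from the MarkLogic Admin API and should be confirmed against the Admin API reference for the installed version.

```xquery
xquery version "1.0-ml";
import module namespace admin = "http://marklogic.com/xdmp/admin" at "/MarkLogic/admin.xqy";

(: Assumed values, not from the STIG text: adjust to the group, App Server
   and organization-defined limit that apply to the account type in question. :)
declare variable $group-name     := "Default";
declare variable $appserver-name := "App-Services";
declare variable $required-limit := 2;

let $config       := admin:get-configuration()
let $group-id     := admin:group-get-id($config, $group-name)
let $appserver-id := admin:appserver-get-id($config, $group-id, $appserver-name)
let $current      := admin:appserver-get-concurrent-request-limit($config, $appserver-id)
return
  (: A value of 0 is treated here as "no limit" (MarkLogic's default), so it is
     non-compliant; any value above the required limit is non-compliant too. :)
  if ($current eq 0 or $current gt $required-limit) then
    let $updated := admin:appserver-set-concurrent-request-limit($config, $appserver-id, $required-limit)
    return (
      admin:save-configuration($updated),
      concat("Updated ", $appserver-name, ": concurrent request limit ", $current, " -> ", $required-limit)
    )
  else
    concat($appserver-name, " already compliant: concurrent request limit is ", $current)
```

Run it once per App Server that accepts user connections; the message it returns doubles as evidence for the check, and the same get-function call without the set branch serves as a read-only audit.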