I have a problem with nessus scan finding for ESXi host 7.0 U3.
- HSTS Missing From HTTPS Server (RFC 6797) on port 9080
I cannot find any solution for this.
Does anyone have the same problem?
Port 9443 : Is redirected with the strict-transport-security header. Scanner should be adjusted accordingly. Proven by curl command: curl -L -kv https://$HOSTNAME:9443 | grep Strict-Transport-Security
Port 7444 : This port was originally used in vCenter 5.5 by the STS but it is not used in 6.5 onwards.
Customers running 6.5/6.7/7.0 appliances in their environment can disable this port to increase security.
Note: Port 7444 will no longer be exposed in a future version of 7.x.
Workaround: Disable the firewall configuration exposing port 7444.
1. Remove the firewall configuration file
rm -f /etc/vmware/appliance/firewall/vmware-sso
2. Reboot the system or reload the firewall rules
/usr/lib/applmgmt/networking/bin/firewall-reload
To restore the original configuration that exposes port 7444:
1. Restore the symbolic link to the configuration file
/bin/ln -s -f /usr/lib/vmware-sso/firewall/sso-firewall.json /etc/vmware/appliance/firewall/vmware-sso
2. Reboot the system or reload the firewall rules
/usr/lib/applmgmt/networking/bin/firewall-reload
Port 5443 : This has not been reported to the VMware security team. Please file an SR with VMware Support and provide the scanner report.
@maksym007 Where is the solution/explanation for port 9080?
@maksym007 Is there any work around? I am facing exactly the same HSTS Missing From HTTPS Server (RFC 6797) on port 9080
I will have a look. Right now I am not able to say.
I have not seen an update to this thread, and as listed above the 7.0.3 release is reported by Nessus scan with HSTS missing from HTTPS on port 9080.
Greetings,
I am having the same warning from our scans. Any update?
Recently updated a cluster to ESXi 7u3m and I'm experiencing the same after a post nessus scan over port 9080.
I am having the same issue on ESXi 7.0.3
I have not been able to find a recently dated fix that applies to ESXi and 7.0.3 for this issue.
Is there an update/fix for this issue for ESXi 7.0.3?
I had the same issue with HSTS on port 9080. Only vCenter needs to access this port, and by default I believe the ESXi firewall sets it to allow all. You can modify the incoming 9080 port to only the managing vCenter and the Nessus alert will go away. I used this ugly script to push it out to all my hosts once I got it working, though I'm sure someone else can pretty this up. Just use PowerCLI to connect to your vCenter and change x.x.x.x to your vCenter IP.
$vmhosts = Get-VMHost
foreach ($vmhost in $vmhosts) {
    $EsxCli = Get-EsxCli -VMHost $vmhost
    # ruleset.set(allowedall, enabled, rulesetid): stop allowing all sources, keep the ruleset enabled
    $EsxCli.network.firewall.ruleset.set($false, $true, "iofiltervp")
    # allowedip.add(ipaddress, rulesetid): permit only the managing vCenter
    $EsxCli.network.firewall.ruleset.allowedip.add("x.x.x.x", "iofiltervp")
    # firewall.set(defaultaction, enabled): default action false = drop, firewall enabled
    $EsxCli.network.firewall.set($false, $true)
    $EsxCli.network.firewall.refresh()
}
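As an added example (not the poster's script and not VMware code), the same restriction done through the PowerCLI V2 esxcli interface, with a report-only default so the current state of the iofiltervp ruleset on every host can be checked before anything is changed. It assumes Connect-VIServer has already been run; $VCenterIp, -Enforce and the output property names used below are this example's own assumptions.

```powershell
# Added example: audit (and with -Enforce, restrict) the ESXi "iofiltervp"
# firewall ruleset so that only the managing vCenter may reach it.
param(
    [Parameter(Mandatory)] [string] $VCenterIp,   # management IP of the vCenter that owns these hosts
    [switch] $Enforce                              # without it the script only reports
)

$report = foreach ($vmhost in Get-VMHost) {
    $esxcli = Get-EsxCli -VMHost $vmhost -V2
    $id = @{ rulesetid = 'iofiltervp' }

    # Current state. Assumption: allowedip.list returns AllowedIPAddresses,
    # which contains the string 'All' while the ruleset is open to every source.
    $ruleset    = $esxcli.network.firewall.ruleset.list.Invoke($id)
    $allowedIps = @($esxcli.network.firewall.ruleset.allowedip.list.Invoke($id).AllowedIPAddresses)
    $openToAll  = $allowedIps -contains 'All'
    $hasVc      = $allowedIps -contains $VCenterIp

    if ($Enforce -and ($openToAll -or -not $hasVc)) {
        # Turn off "allowed all" but keep the service enabled, then whitelist vCenter.
        $esxcli.network.firewall.ruleset.set.Invoke(@{ rulesetid = 'iofiltervp'; allowedall = $false; enabled = $true }) | Out-Null
        if (-not $hasVc) {
            $esxcli.network.firewall.ruleset.allowedip.add.Invoke(@{ rulesetid = 'iofiltervp'; ipaddress = $VCenterIp }) | Out-Null
        }
        $esxcli.network.firewall.refresh.Invoke() | Out-Null
        # Re-read so the report shows the post-change state.
        $allowedIps = @($esxcli.network.firewall.ruleset.allowedip.list.Invoke($id).AllowedIPAddresses)
    }

    [pscustomobject]@{
        Host       = $vmhost.Name
        Enabled    = $ruleset.Enabled
        OpenToAll  = ($allowedIps -contains 'All')
        AllowedIPs = ($allowedIps -join ',')
    }
}

$report | Format-Table -AutoSize
```

Unlike the poster's script, this leaves the firewall-wide default action untouched and changes only the one ruleset; run it once without -Enforce to confirm which hosts still report OpenToAll before applying it.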
Any updates?
any update for this HSTS?
Having the same issue after updating to U3n.
any updates for HSTS? How to remove this vulnerability?