VMware Cloud Community
JakubSz
Contributor

HSTS Missing From HTTPS Server (RFC 6797) on port 9080

I have a problem with a Nessus scan finding for an ESXi host on 7.0 U3.

- HSTS Missing From HTTPS Server (RFC 6797) on port 9080

I cannot find any solution for this.

Does anyone have the same problem?

maksym007
Expert

Port 9443 : Is redirected with the strict-transport-security header. Scanner should be adjusted accordingly. Proven by curl command: curl -L -kv https://$HOSTNAME:9443 | grep Strict-Transport-Security

Port 7444 : This port was originally used in vCenter 5.5 by the STS but it is not used in 6.5 onwards.
Customers running 6.5/6.7/7.0 appliances in their environment can disable this port to increase security.

Note:- Port 7444 will no longer be exposed in a future version of 7.x.

Workaround: Disable the firewall configuration exposing port 7444.
1. Remove the firewall configuration file
rm -f /etc/vmware/appliance/firewall/vmware-sso
2. Reboot the system or reload the firewall rules
/usr/lib/applmgmt/networking/bin/firewall-reload

To restore the original configuration that exposes port 7444:
1. Restore the symbolic link to the configuration file
/bin/ln -s -f /usr/lib/vmware-sso/firewall/sso-firewall.json /etc/vmware/appliance/firewall/vmware-sso
2. Reboot the system or reload the firewall rules
/usr/lib/applmgmt/networking/bin/firewall-reload

Port 5443 : This has not been reported to the VMware security team. Please file an SR with VMware Support and provide the scanner report.

JakubSz
Contributor

@maksym007 Where is the solution/explanation for port 9080?

VidalMen
Contributor

@maksym007 Is there any workaround? I am facing exactly the same "HSTS Missing From HTTPS Server (RFC 6797)" on port 9080.

maksym007
Expert

I will have a look. Right now I am not able to say.

Summ1111
Contributor

I have not seen an update to this thread, and as listed above, the 7.0.3 release is reported by the Nessus scan with "HSTS missing from HTTPS" on port 9080.

Beep-Bo00zztzz
Contributor

Greetings,

I am having the same warning from our scans. Any update?

reezy
Contributor

Recently updated a cluster to ESXi 7u3m and I'm experiencing the same after a post-update Nessus scan over port 9080.

HSTS Missing From HTTPS Server (RFC 6797) - medium

Solution: Configure the remote web server to use HSTS.
See Also: https://tools.ietf.org/html/rfc6797
Output: The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.
Any fix/update on this by chance? Any insight on how to configure the ESXi hosts to use HSTS over port 9080 is greatly appreciated.
sp745p
Contributor

I am having the same issue on ESXi 7.0.3.
I have not been able to find a recently dated fix that applies to ESXi 7.0.3 for this issue.

Is there an update/fix for this issue for ESXi 7.0.3?

AirheadPilot
Enthusiast

I had the same issue with HSTS on port 9080. Only vCenter needs to access this port, and by default I believe the ESXi firewall sets it to allow all. You can modify the incoming 9080 port to only the managing vCenter and the Nessus alert will go away. I used this ugly script to push it out to all my hosts once I got it working, though I'm sure someone else can pretty this up. Just use PowerCLI to connect to your vCenter and change x.x.x.x to your vCenter IP.

# Run from a PowerCLI session already connected to vCenter (Connect-VIServer).
# Replace x.x.x.x with the IP of the managing vCenter.
$vmhosts = Get-VMHost
foreach ($vmhost in $vmhosts) {
    $EsxCli = Get-EsxCli -VMHost $vmhost

    # ruleset.set(allowedall, enabled, rulesetid): stop allowing all sources for the
    # iofiltervp ruleset (TCP 9080) while leaving the ruleset itself enabled
    $EsxCli.network.firewall.ruleset.set($false, $true, "iofiltervp")
    # allowedip.add(ipaddress, rulesetid): only the managing vCenter may reach 9080
    $EsxCli.network.firewall.ruleset.allowedip.add("x.x.x.x", "iofiltervp")

    # firewall.set(defaultaction, enabled): keep the host firewall on with default deny
    $EsxCli.network.firewall.set($false, $true)
    $EsxCli.network.firewall.refresh()
}
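As an added example (not AirheadPilot's script and not VMware tooling), here is an audit that reports which hosts still expose the iofiltervp ruleset (TCP 9080) to all sources after the change above. It assumes an open PowerCLI session, the V2 esxcli interface, that the ruleset list / allowedip list objects carry Enabled and AllowedIPAddresses properties as the esxcli output does, and x.x.x.x as a placeholder for the vCenter IP.

```powershell
# Added audit example; assumes Connect-VIServer has already been run.
# Placeholder: replace with the IP of the managing vCenter.
$VCenterIp = "x.x.x.x"

function Get-IoFilterVpExposure {
    param([Parameter(Mandatory)][string]$VCenterIp)

    foreach ($vmhost in Get-VMHost) {
        # V2 interface takes named arguments, so no positional guessing
        $esxcli = Get-EsxCli -VMHost $vmhost -V2

        # esxcli network firewall ruleset list -r iofiltervp
        $ruleset = $esxcli.network.firewall.ruleset.list.Invoke(@{ rulesetid = "iofiltervp" })
        # esxcli network firewall ruleset allowedip list -r iofiltervp
        # AllowedIPAddresses is "All" while allowed-all is still on (assumed property name)
        $allowed = $esxcli.network.firewall.ruleset.allowedip.list.Invoke(@{ rulesetid = "iofiltervp" })
        $sources = @($allowed.AllowedIPAddresses)
        $allowedAll = $sources -contains "All"

        [pscustomobject]@{
            Host       = $vmhost.Name
            Enabled    = ($ruleset.Enabled -eq "true")   # works for string or bool
            AllowedAll = $allowedAll
            Sources    = ($sources -join ",")
            # Compliant only when exactly the managing vCenter may reach 9080
            Compliant  = (-not $allowedAll) -and ($sources.Count -eq 1) -and ($sources[0] -eq $VCenterIp)
        }
    }
}

# List only the hosts that still need attention
Get-IoFilterVpExposure -VCenterIp $VCenterIp |
    Where-Object { -not $_.Compliant } |
    Format-Table Host, Enabled, AllowedAll, Sources -AutoSize
```

The finding stops appearing because the scanner can no longer reach 9080, not because the service starts sending Strict-Transport-Security, so an audit like this is the way to confirm the restriction actually holds on every host.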

FFSBES
Contributor

Any updates?

imezra2013
Contributor

Any update for this HSTS?

Having the same issue after updating to U3n.
