JakubSz
Contributor

HSTS Missing From HTTPS Server (RFC 6797) on port 9080

I have a problem with nessus scan finding for ESXi host 7.0 U3.

- HSTS Missing From HTTPS Server (RFC 6797) on port 9080

I cannot find any solution for this.

Does anyone have the same problem?

maksym007
Hot Shot

Port 9443: Is redirected with the strict-transport-security header. Scanner should be adjusted accordingly. Proven by curl command: curl -L -kv https://$HOSTNAME:9443 | grep Strict-Transport-Security

Port 7444: This port was originally used in vCenter 5.5 by the STS, but it is not used in 6.5 onwards.
Customers running 6.5/6.7/7.0 appliances in their environment can disable this port to increase security.

Note:- Port 7444 will no longer be exposed in a future version of 7.x.

Workaround: Disable the firewall configuration exposing port 7444.
1. Remove the firewall configuration file
rm -f /etc/vmware/appliance/firewall/vmware-sso
2. Reboot the system or reload the firewall rules
/usr/lib/applmgmt/networking/bin/firewall-reload

To restore the original configuration that exposes port 7444:
1. Restore the symbolic link to the configuration file
/bin/ln -s -f /usr/lib/vmware-sso/firewall/sso-firewall.json /etc/vmware/appliance/firewall/vmware-sso
2. Reboot the system or reload the firewall rules
/usr/lib/applmgmt/networking/bin/firewall-reload

Port 5443: This has not been reported to the VMware security team. Please file an SR with VMware Support and provide the scanner report.

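The curl check above only greps for the header name; before filing an SR or tuning a scanner it helps to confirm that every hop of the redirect chain on the flagged port actually returns a syntactically valid Strict-Transport-Security value (RFC 6797 requires a numeric max-age and forbids duplicate directives). The following is an added example, not code from the thread or from VMware; host names, the constructed sample headers and the hsts_* function names are assumptions.

```python
"""Check HTTPS responses for a valid Strict-Transport-Security header (RFC 6797)."""
import http.client
import ssl
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse an STS header value into a dict; None if it is not valid per RFC 6797."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:          # a directive MUST NOT appear more than once
            return None
        directives[name] = val.strip().strip('"')
    if not directives.get("max-age", "").isdigit():   # max-age is REQUIRED and numeric
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives

def hsts_status(headers):
    """Classify a list of (name, value) response headers as 'ok', 'invalid' or 'missing'."""
    for name, value in headers:
        if name.lower() == "strict-transport-security":
            return "ok" if parse_hsts(value) else "invalid"
    return "missing"

def fetch_chain(url, max_hops=5, verify=True):
    """Follow HTTPS redirects; return [(url, status, hsts_status)] per hop (network call)."""
    chain = []
    for _ in range(max_hops):
        u = urlsplit(url)
        ctx = ssl.create_default_context()
        if not verify:                  # self-signed appliance certs, like curl -k
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(u.hostname, u.port or 443, context=ctx, timeout=10)
        conn.request("GET", u.path or "/")
        resp = conn.getresponse()
        chain.append((url, resp.status, hsts_status(resp.getheaders())))
        loc = resp.getheader("Location")
        conn.close()
        if resp.status not in (301, 302, 303, 307, 308) or not loc:
            break
        url = loc if "://" in loc else f"https://{u.netloc}{loc}"
    return chain

# Constructed sample: a redirect hop that carries STS, then a final response without it.
SAMPLE_CHAIN = [
    [("Location", "/ui/"), ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")],
    [("Content-Type", "text/html")],
]
```

Run fetch_chain("https://<esxi-host>:9080/", verify=False) against the flagged port to see, hop by hop, which response the scanner is likely judging.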
JakubSz
Contributor

@maksym007 Where is the solution/explanation for port 9080?

VidalMen
Contributor

@maksym007 Is there any workaround? I am facing exactly the same HSTS Missing From HTTPS Server (RFC 6797) on port 9080.

maksym007
Hot Shot

I will have a look. Right now I am not able to say.