VMware Cloud Community
amsteen60
Contributor

Missing `httpOnly` Cookie Attribute

I have ESXi 6.7 U2 on an HP Blade Server.

When I scan my system for vulnerabilities I get this

I googled it but I cannot find a solution to remove this vulnerability.

Can anyone help, please?

0 Kudos
16 Replies
Alex_Romeo
Leadership

Hi,
are you using an HP customized ESXi 6.7 U2 image or the VMware original?

Alex_Romeo

Blog: https://www.aleadmin.it/
0 Kudos
amsteen60
Contributor

Thanks for your response.

I am using an HP customized ESXi 6.7 U2 image.

0 Kudos
amsteen60
Contributor

Is there any way to remove the Missing `httpOnly` Cookie Attribute?

0 Kudos
e_espinel
Virtuoso

Hello.
Here is a link that may be useful:

https://github.com/opnsense/core/issues/4253

Enrique Espinel
Senior Technical Support on IBM, Lenovo, Veeam Backup and VMware vSphere.
VSP-SV, VTSP-SV, VTSP-HCI, VTSP
Please mark my comment as Correct Answer or assign Kudos if my answer was helpful to you, Thank you.
0 Kudos
amsteen60
Contributor

I checked that link but it is not solving anything.

0 Kudos
PG2410
Contributor

Facing the same issue on ESXi host when running the vulnerability scan. Do we have any solution for this?

0 Kudos
e_espinel
Virtuoso

Hello.
I suggest upgrading to 6.7 Update 3; in Update 2 there were several serious problems.
If you can get the Update 3 image from the manufacturer it would be good; otherwise you can also use the VMware standard.

https://my.vmware.com/group/vmware/patch#search

Enrique Espinel
Senior Technical Support on IBM, Lenovo, Veeam Backup and VMware vSphere.
VSP-SV, VTSP-SV, VTSP-HCI, VTSP
Please mark my comment as Correct Answer or assign Kudos if my answer was helpful to you, Thank you.
0 Kudos
PG2410
Contributor

Our infrastructure is running on ESXi 7.0 U1 and facing the same issue.

0 Kudos
amsteen60
Contributor

That is right.

I set up a new machine with ESXi 7 U1 for testing and found the same issue.

0 Kudos
PG2410
Contributor

Right @amsteen60 ...

Did you manage to figure out the solution for this?

0 Kudos
amsteen60
Contributor

No, I did not.

0 Kudos
VMOuri
Contributor

Just received confirmation from the VMware team:

The issue is expected to be solved in ESXi 6.7 P06, 7.0.U3.

0 Kudos
helplncc
Contributor

I just installed ESXi 6.7 P06 and still get the "Missing `httpOnly` Cookie Attribute" alert when I scan my system.

0 Kudos
ESXiClash
Enthusiast

Well, sometimes the vulnerability tools scan at a great level and give you a poor view of what to fix; there is nothing that you could do. So go back to the vulnerability scan vendor, check what exactly it's looking at, and log a support request with VMware to see if they can help with it.

It would look at an area which is not necessarily a security constraint, but still, it will flag it... Duh, there is no point. I believe the tool is scanning based on a standard template for Unix/Linux, rather than considering ESXi a unique customized OS.

0 Kudos
kfeps
Contributor

Has there ever been a solution to this or any indication of when it will be resolved? Running on a standard vSphere image (7 U2) and also receive this during a vulnerability scan for port 9080 (iofilter) on each ESXi host. I believe it has something to do with the gSOAP version running which needs to be addressed? The Set-Cookie attributes can be seen in your browser's Dev Tools response headers when browsing to the following URL of the ESXi host:

https://ip_of_esxi_host:9080/version.xml

0 Kudos
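The header check described in the post above can also be scripted, so it is easy to re-run after an upgrade. This is an added example, not part of the original post or of VMware's tooling; the cookie name and sample header values are constructed, and `fetch_set_cookie` is a hypothetical helper that assumes the port and path named in the post.

```python
import http.client
import ssl

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def audit_cookies(set_cookie_values, required=("httponly", "secure")):
    """Return {cookie_name: [missing flags]} for cookies lacking a required flag."""
    findings = {}
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        missing = [flag for flag in required if flag not in attrs]
        if missing:
            findings[name] = missing
    return findings

def fetch_set_cookie(host, port=9080, path="/version.xml", context=None):
    """GET the URL named in the post and return its raw Set-Cookie values."""
    # The default context verifies the certificate; for hosts with internal
    # certificates pass ssl.create_default_context(cafile=...) instead.
    conn = http.client.HTTPSConnection(
        host, port, timeout=10, context=context or ssl.create_default_context())
    try:
        conn.request("GET", path)
        response = conn.getresponse()
        response.read()
        return response.headers.get_all("Set-Cookie") or []
    finally:
        conn.close()

# Constructed sample values (not captured from a real host).
SAMPLE_BEFORE = ["session_id=abc123; Path=/"]
SAMPLE_AFTER = ["session_id=abc123; Path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    print("before:", audit_cookies(SAMPLE_BEFORE))
    print("after: ", audit_cookies(SAMPLE_AFTER))
```

To check a live host, pass the result of `fetch_set_cookie("ip_of_esxi_host")` to `audit_cookies`; an empty result means every cookie in the response carries the required flags.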
kfeps
Contributor

For reference to anyone looking for the resolution for this issue:

This is indeed caused by the version of gSOAP running in older ESXi versions. The issue was officially resolved in gSOAP version 2.8.34. The issue is no longer experienced by upgrading to ESXi 7 U3.

0 Kudos