PGU94's Posts

Hello,

My Nessus scanner returned 3 new vulnerabilities for my vCenter 6.7 (Windows version) =>

9443/tcp - HSTS Missing From HTTPS Server
Description: The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.

7444/tcp - HSTS Missing From HTTPS Server
Description: The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.

5443/tcp - HSTS Missing From HTTPS Server
Description: The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.

I'm looking for a way to fix that. I didn't find any information in the VMware KB.

Port 9443 => vSphere Web Client HTTPS
Port 7444 => vCenter Single Sign-On
Port 5443 => vCenter Server graphical user interface internal

I already tried to modify the web.xml (C:\ProgramData\VMware\vCenterServer\runtime\vsphere-client\server\configuration\conf), where I found a section related to enabling HSTS, but after these changes my vCenter Web Client (Flash) didn't start at all.

I added in the "Filter definitions" section =>

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>hstsEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>hstsMaxAgeSeconds</param-name>
            <param-value>30758400</param-value>
        </init-param>
        <init-param>
            <param-name>hstsIncludeSubDomains</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingEnabled</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>blockContentTypeSniffingEnabled</param-name>
            <param-value>false</param-value>
        </init-param>
    </filter>

And in the "Filter Mappings" section =>

    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <url-pattern>*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>

In my company, all TCP issues have to be fixed or justified if not possible ... not always easy. Do you have an idea?
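A small checker for verifying the "HSTS Missing" finding before and after a configuration change, added here as an example and not taken from the thread or from VMware. It parses the Strict-Transport-Security value and classifies the response; the sample responses and the one-year threshold are constructed assumptions, and `fetch_headers` is only needed against a live host.

```python
import http.client
import ssl

ONE_YEAR = 31536000  # max-age commonly required by HSTS hardening guides (assumed threshold)

def parse_hsts(value):
    """Parse an HSTS header value; return None if max-age is absent or not numeric."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    age = directives.get("max-age", "")
    if not age.isdigit():
        return None
    return {"max_age": int(age),
            "include_subdomains": "includesubdomains" in directives,
            "preload": "preload" in directives}

def assess(headers, min_age=ONE_YEAR):
    """Classify a dict of response headers as MISSING, INVALID, SHORT or OK."""
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("strict-transport-security")
    if raw is None:
        return "MISSING"          # what Nessus reports for the three vCenter ports
    parsed = parse_hsts(raw)
    if parsed is None:
        return "INVALID"          # header present but unusable (no numeric max-age)
    return "SHORT" if parsed["max_age"] < min_age else "OK"

def fetch_headers(host, port, timeout=5):
    """HEAD / over TLS and return the response headers. Certificate validation is
    disabled on purpose: vCenter usually presents a VMCA/self-signed certificate,
    and this call only reads headers."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("HEAD", "/")
        return dict(conn.getresponse().getheaders())
    finally:
        conn.close()

# Constructed sample responses standing in for the three flagged ports.
SAMPLE = {
    9443: {"Server": "Apache-Coyote/1.1"},                                      # header absent
    7444: {"Strict-Transport-Security": "max-age=30758400; includeSubDomains"},  # value from the post
    5443: {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
}

if __name__ == "__main__":
    for port, headers in SAMPLE.items():
        print(port, assess(headers))   # live host: assess(fetch_headers(host, port))
```

Note that the 30758400 seconds used in the post is 356 days, so a checker applying a one-year minimum classifies it as SHORT even once the header is sent.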
Same problem on my vCenter 6 since I applied the 6u3d update (I guess). I will try to apply the 6u3e update tomorrow. Have you solved this problem?
Yes, after applying the 6u3 update, my TCP scan is now clean.
Hi SnowRanger, have you received any new information from VMware?
Hello,

I have 2 vulnerability issues detected on ports "ldap (636/tcp)" and "unknown (11712/tcp)" on my vCenter 6 update 2 server =>

=========

1) "www (636/tcp)": OpenSSL AES-NI Padding Oracle MitM Information Disclosure

Synopsis: It was possible to obtain sensitive information from the remote host with TLS-enabled services.

Description: The remote host is affected by a man-in-the-middle (MitM) information disclosure vulnerability due to an error in the implementation of ciphersuites that use AES in CBC mode with HMAC-SHA1 or HMAC-SHA256. The implementation is specially written to use the AES acceleration available in x86/amd64 processors (AES-NI). The error messages returned by the server allow a man-in-the-middle attacker to conduct a padding oracle attack, resulting in the ability to decrypt network traffic.

See also:
https://blog.filippo.io/luckyminus20/
http://www.nessus.org/u?37b909b6
https://www.openssl.org/news/secadv/20160503.txt

Solution: Upgrade to OpenSSL version 1.0.1t / 1.0.2h or later.

Plugin Output: Nessus was able to trigger a RECORD_OVERFLOW alert in the remote service by sending a crafted SSL "Finished" message.

CVE: CVE-2016-2107
BID: BID 89760
Other References: OSVDB:137896 EDB-ID:39768 IAVA:2016-A-0113
Nessus Plugin ID: 91572
VulnDB ID: 383666

2) "unknown (11712/tcp)": OpenSSL AES-NI Padding Oracle MitM Information Disclosure

Synopsis: It was possible to obtain sensitive information from the remote host with TLS-enabled services.

Description: The remote host is affected by a man-in-the-middle (MitM) information disclosure vulnerability due to an error in the implementation of ciphersuites that use AES in CBC mode with HMAC-SHA1 or HMAC-SHA256. The implementation is specially written to use the AES acceleration available in x86/amd64 processors (AES-NI). The error messages returned by the server allow a man-in-the-middle attacker to conduct a padding oracle attack, resulting in the ability to decrypt network traffic.

See also:
https://blog.filippo.io/luckyminus20/
http://www.nessus.org/u?37b909b6
https://www.openssl.org/news/secadv/20160503.txt

Solution: Upgrade to OpenSSL version 1.0.1t / 1.0.2h or later.

Plugin Output: Nessus was able to trigger a RECORD_OVERFLOW alert in the remote service by sending a crafted SSL "Finished" message.

CVE: CVE-2016-2107
BID: BID 89760
Other References: OSVDB:137896 EDB-ID:39768 IAVA:2016-A-0113
Nessus Plugin ID: 91572
VulnDB ID: 383666

=========

I can't find a fix or a new version; does anyone have an idea? Maybe I must wait for the next vCenter update? Update 3?
Hello,

Which VMware services need to be stopped before starting my SQL database backup for my vCenter 6? (vCenter 6u1 + MS SQL 2014)

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2012138 => I can see "Stop all vCenter Server services"
http://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=1003895
http://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2109881

Stopping all services takes a few minutes ("service-control --stop --all") ... to minimize the interruption time, I would like to know which services at a minimum must be stopped, or whether I can start my backup without stopping any services.