Hello,
My Nessus scanner returned 3 new vulnerabilities for my vCenter 6.7 (Windows version) =>
9443/tcp - HSTS Missing From HTTPS Server
Description: The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.
7444/tcp - HSTS Missing From HTTPS Server
Description: The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.
5443/tcp - HSTS Missing From HTTPS Server
Description: The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.
I'm looking for a way to fix that.
I didn't find any information in the VMware KB.
Port 9443 => vSphere Web Client HTTPS
Port 7444 => vCenter Single Sign-On
Port 5443 => vCenter Server graphical user interface, internal
I already tried to modify the web.xml (C:\ProgramData\VMware\vCenterServer\runtime\vsphere-client\server\configuration\conf), where I found a section related to enabling HSTS, but after these changes my vCenter Web Client (Flash) didn't start at all.
I have added in the "Filter definitions" section =>
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>30758400</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>blockContentTypeSniffingEnabled</param-name>
        <param-value>false</param-value>
    </init-param>
</filter>
And in the "Filter Mappings" section =>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <!-- "/*" already matches every request path. A bare "*" is not a valid
         servlet url-pattern and Tomcat refuses to start a context whose
         filter mapping contains one, so it has been dropped here. -->
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
In my company, all TCP issues have to be fixed or justified if not possible ... not always easy.
Do you have an idea?
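Before re-running the scanner after a web.xml change, it helps to check each listener directly and see exactly what header (if any) comes back. The script below is an added example, not code from the thread or from VMware: it connects to each of the three ports named in the post, reads the response headers, and reports whether Strict-Transport-Security is absent or, if present, whether its directives look sane. The Nessus finding only tests for presence; the max-age and includeSubDomains checks are a stricter bar I have added (the one-year minimum is an assumption, not Nessus's threshold). The hostname in the usage line is hypothetical, and certificate verification is turned off on purpose because vCenter normally presents a VMCA-issued certificate and only the headers matter here.

```python
"""Check HTTPS listeners for a Strict-Transport-Security header (RFC 6797).

Added example for the thread above; not VMware's code and not Nessus's plugin logic.
"""
import http.client
import socket
import ssl
from typing import Dict, List, Optional

# The three ports from the post, with the names given there.
VCENTER_PORTS = {
    9443: "vSphere Web Client",
    7444: "vCenter Single Sign-On",
    5443: "vCenter GUI (internal)",
}


def parse_hsts(value: Optional[str]) -> Optional[Dict[str, object]]:
    """Parse an HSTS header value into its directives (RFC 6797 section 6.1).

    Returns None when the header is absent. Directive names are
    case-insensitive; an unparsable max-age is recorded as None.
    """
    if value is None:
        return None
    policy: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            try:
                policy["max_age"] = int(arg)
            except ValueError:
                policy["max_age"] = None  # malformed value, treated as missing
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def evaluate_hsts(headers: Dict[str, str], min_max_age: int = 31536000) -> List[str]:
    """Return a list of findings for one response's headers (empty list = fine).

    min_max_age defaults to one year; this is my own bar, not the scanner's.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    policy = parse_hsts(lowered.get("strict-transport-security"))
    if policy is None:
        return ["HSTS missing"]
    findings: List[str] = []
    max_age = policy["max_age"]
    if max_age is None:
        findings.append("max-age missing or malformed (RFC 6797 requires it)")
    elif max_age == 0:
        findings.append("max-age=0 removes the policy")
    elif max_age < min_max_age:
        findings.append(f"max-age {max_age} below {min_max_age}")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains not set")
    return findings


def fetch_headers(host: str, port: int, timeout: float = 5.0) -> Dict[str, str]:
    """Send one HEAD / over TLS and return the response headers.

    Verification is disabled deliberately: the target usually has a VMCA
    certificate and only the headers are of interest here.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("HEAD", "/", headers={"Host": host})
        return dict(conn.getresponse().getheaders())
    finally:
        conn.close()


def scan(host: str, ports: Dict[int, str] = VCENTER_PORTS) -> Dict[int, tuple]:
    """Evaluate every port; unreachable listeners are reported, not skipped."""
    report = {}
    for port, name in ports.items():
        try:
            findings = evaluate_hsts(fetch_headers(host, port))
        except (OSError, socket.timeout, http.client.HTTPException) as exc:
            findings = [f"unreachable: {exc}"]
        report[port] = (name, findings)
    return report


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "vcenter.example.internal"  # hypothetical
    for port, (name, findings) in scan(target).items():
        print(f"{port}/tcp {name}: {'; '.join(findings) or 'OK'}")
```

Note that the hstsMaxAgeSeconds value used in the web.xml above, 30758400, is exactly 356 days, so with the one-year default this checker flags it even though the header is present; pass a lower min_max_age to evaluate_hsts if the only goal is clearing the presence-only scanner finding.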
What you mean is that Nessus should be the one to make the adjustment for the 9443 port issue, not us, right?
Hello, was there ever a workaround developed for this issue around port 5580?
From an earlier comment in March:
No fix will be out for port 5480. Other ports reported here are fixed in 6.7 U3m. You need to upgrade to 7.0 U2.
Please specify which ports the scanner picks up.
I have a problem with a Nessus scan finding for an ESXi host 7.0 U3.
- HSTS Missing From HTTPS Server (RFC 6797) on port 9080
I cannot find any solution for this.
Has anyone ever had the same?
I am having the same issue on ESXi 7.0.3
I have not been able to find a recently dated fix that applies to ESXi and 7.0.3 for this issue.
This is a poor response. Security measures should be implemented even for “internal” communications. This port is obviously used for a communication and responds when external devices hit it, so it should still provide the same modern security best practices to prevent man in the middle attacks from gathering information about hosts.
We also have the same issues with ports 9080 and 9443, but the latest version of vCenter (7.0 U3o) solved the false positive issue.
Still an issue on build 22357613.
I still have an issue "HSTS Missing From HTTPS Server" on port 5580 in the current 7.0.3 version.
Will there be a fix or is it possible to disable port 5580?
I got rid of the issue on port 9080 by disabling the IOFilter port 9080 in the ESXi firewall; my cluster was not using it, but you should ask support before doing it.