VMware Cloud Community
Hr_Ross76
Enthusiast

vCenter 8.0.1 - Security issue - HTTP Track and TRACE Method allowed

Hello all,

Our company security scans found that the HTTP TRACK and TRACE methods on vCenter are accepted, which means that this is a vulnerability.

The recommended fix is to turn off TraceEnable in httpd.conf:

Please note that RewriteEngine can be processor intensive and may impact the web server performance. The trace method can also be controlled by use of the TraceEnable directive.

In the httpd.conf add or modify:
TraceEnable Off

It's for these ports:

40920/tcp
44134/tcp
50506/tcp
36672/tcp

I have no idea which service uses these ports.

Where can I configure TraceEnable Off on vCenter, globally for every service, not just for HTTP and HTTPS but also for Lifecycle Manager, etc.?

Thx,

Michael

Kinnison
Commander

Comment removed...
Hr_Ross76
Enthusiast

Hello,

This is the workaround:

1. Backup all war files!!
2. Run the command mkdir /tmp/war/
3. Run the command cp /usr/lib/vmware-updatemgr/bin/jetty/webapps/root.war /tmp/war/
4. Run the command cd /tmp/war/
5. Unzip the root.war file.
6. Run the command cd WEB-INF/
7. Run the command chmod 777 web.xml
8. Edit web.xml and add the following code after the last <servlet-mapping> tag:
   <security-constraint>
       <web-resource-collection>
           <web-resource-name>Restricted HTTP Methods</web-resource-name>
           <url-pattern>/*</url-pattern>
           <http-method>TRACE</http-method>
       </web-resource-collection>
       <auth-constraint />
   </security-constraint>
9. Run the command cd ..
10. Run the command zip -r -u root.war WEB-INF/
11. Run the command cp root.war /usr/lib/vmware-updatemgr/bin/jetty/webapps/
12. Clean /tmp/war with rm -rf /tmp/war/*
13. Repeat steps 2 to 11 for vum-filedownload.war and vum-fileupload.war
14. Restart the updatemgr service.

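The unzip / edit web.xml / re-zip procedure in the workaround above, automated as an added example that is not part of the original post and not VMware's own tooling. The script keeps a backup of each .war before touching it, inserts the same TRACE-denying security-constraint after the last servlet-mapping in WEB-INF/web.xml (idempotently, so running it twice does not duplicate the block), rewrites the archive entry by entry, and adds a small checker that sends one TRACE request so the fix can be verified afterwards. The function names, the default backup suffix and the sample web.xml built inside run_demo() are my assumptions; the service still has to be restarted as the post's last step says.

```python
"""Add a TRACE-denying <security-constraint> to WEB-INF/web.xml inside a Jetty .war.

Added example (hypothetical helper, not VMware code): automates the manual
unzip / edit web.xml / zip steps from the workaround post.
"""
import http.client
import io
import os
import re
import shutil
import ssl
import tempfile
import zipfile

# The constraint from the workaround: every URL, method TRACE, and an empty
# <auth-constraint/> so that no role at all is permitted to use it.
TRACE_CONSTRAINT = """
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Restricted HTTP Methods</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>TRACE</http-method>
        </web-resource-collection>
        <auth-constraint />
    </security-constraint>
"""

WEB_XML = "WEB-INF/web.xml"


def patch_web_xml(xml_text: str) -> str:
    """Return web.xml text with the constraint after the last </servlet-mapping>.
    Idempotent: a file that already denies TRACE is returned unchanged."""
    if re.search(r"<http-method>\s*TRACE\s*</http-method>", xml_text):
        return xml_text
    mappings = list(re.finditer(r"</servlet-mapping>", xml_text))
    if mappings:
        pos = mappings[-1].end()
    else:
        # No servlet mappings at all: put the constraint just before the root end tag.
        pos = xml_text.rfind("</web-app>")
        if pos < 0:
            raise ValueError("web.xml has no </web-app> root element")
    return xml_text[:pos] + TRACE_CONSTRAINT + xml_text[pos:]


def patch_war(war_path: str, backup_suffix: str = ".bak") -> bool:
    """Rewrite WEB-INF/web.xml inside war_path in place; return True if it changed.
    The untouched archive is copied to war_path + backup_suffix once (the post's
    "backup all war files" step); an existing backup is never overwritten."""
    backup = war_path + backup_suffix
    if not os.path.exists(backup):
        shutil.copyfile(war_path, backup)
    out = io.BytesIO()
    changed = False
    with zipfile.ZipFile(war_path) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == WEB_XML:
                patched = patch_web_xml(data.decode("utf-8")).encode("utf-8")
                changed = patched != data
                data = patched
            dst.writestr(info, data)  # keeps each entry's own metadata and compression
    if changed:
        with open(war_path, "wb") as fh:
            fh.write(out.getvalue())
    return changed


def trace_is_rejected(host: str, port: int, use_tls: bool = True,
                      timeout: float = 5.0, context: ssl.SSLContext = None) -> bool:
    """Send one TRACE request and report whether the server refused it.
    A 2xx answer (the request echoed back) means TRACE is still enabled; any other
    status (405, 403, 501, ...) counts as rejected. Pass a custom ssl context for
    hosts whose certificate the default trust store does not accept."""
    if use_tls:
        conn = http.client.HTTPSConnection(
            host, port, timeout=timeout, context=context or ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/")
        return not (200 <= conn.getresponse().status < 300)
    finally:
        conn.close()


def run_demo() -> dict:
    """Build a constructed sample .war in a temp dir, patch it twice, report the outcome."""
    sample_web_xml = (  # constructed minimal web.xml, not taken from any vCenter build
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<web-app>\n'
        '    <servlet><servlet-name>demo</servlet-name>'
        '<servlet-class>demo.Servlet</servlet-class></servlet>\n'
        '    <servlet-mapping><servlet-name>demo</servlet-name>'
        '<url-pattern>/demo/*</url-pattern></servlet-mapping>\n'
        '</web-app>\n'
    )
    workdir = tempfile.mkdtemp(prefix="war-demo-")
    war = os.path.join(workdir, "root.war")
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr(WEB_XML, sample_web_xml)
        zf.writestr("index.html", "<html><body>demo</body></html>")
    first = patch_war(war)
    second = patch_war(war)  # no-op: the constraint is already there
    with zipfile.ZipFile(war) as zf:
        final_xml = zf.read(WEB_XML).decode("utf-8")
    shutil.rmtree(workdir)
    return {"first_changed": first, "second_changed": second, "web_xml": final_xml}


if __name__ == "__main__":
    print(run_demo()["web_xml"])
```

On the appliance the call would be patch_war("/usr/lib/vmware-updatemgr/bin/jetty/webapps/root.war") for each of the three archives named in the post, followed by the service restart; trace_is_rejected("vcenter.example", 443) afterwards should return True, and a True from the same call before the change is the quickest way to confirm a scanner finding against a given port.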
Kinnison
Commander

Comment removed...
Sachchidanand
Expert

Hi,

I found this vulnerability in version 7, but not in version 8. For version 7, go through the release notes document below:

https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u3l-release-notes.html#sec...

For version 8, it is better to open a ticket with VMware.

Regards,

Sachchidanand

Kinnison
Commander

Comment removed...