ESXi


HSTS Missing From HTTPS Server (RFC 6797) on port 9080

  • 1.  HSTS Missing From HTTPS Server (RFC 6797) on port 9080

    Posted Dec 02, 2022 11:56 AM

    I have a problem with a Nessus scan finding for an ESXi 7.0 U3 host.

    - HSTS Missing From HTTPS Server (RFC 6797) on port 9080

    I cannot find any solution for this.

    Does anyone have the same problem?



  • 2.  RE: HSTS Missing From HTTPS Server (RFC 6797) on port 9080

    Posted Dec 04, 2022 05:03 PM

    Port 9443 : Is redirected with the strict-transport-security header. Scanner should be adjusted accordingly. Proven by curl command: curl -L -kv https://$HOSTNAME:9443 | grep Strict-Transport-Security

    Port 7444 : This port was originally used in vCenter 5.5 by the STS but it is not used in 6.5 onwards.
    Customers running 6.5/6.7/7.0 appliances in their environment can disable this port to increase security.

    Note:- Port 7444 will no longer be exposed in a future version of 7.x.

    Workaround: Disable the firewall configuration exposing port 7444.
    1. Remove the firewall configuration file
    rm -f /etc/vmware/appliance/firewall/vmware-sso
    2. Reboot the system or reload the firewall rules
    /usr/lib/applmgmt/networking/bin/firewall-reload

    To restore the original configuration that exposes port 7444:
    1. Restore the symbolic link to the configuration file
    /bin/ln -s -f /usr/lib/vmware-sso/firewall/sso-firewall.json /etc/vmware/appliance/firewall/vmware-sso
    2. Reboot the system or reload the firewall rules
    /usr/lib/applmgmt/networking/bin/firewall-reload

    Port 5443 : This has not been reported to the VMware security team. Please file an SR with VMware Support and provide the scanner report.
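
    The reply above proves the header with a one-off curl | grep. The script below is an added example (not posted by anyone in this thread and not VMware tooling) that turns that into a repeatable check: it reads an HTTPS response header block, reports whether a Strict-Transport-Security header with a non-zero max-age is present, and exits 0/1/2 so it can be run per port before and after a change. The two header captures embedded in it are constructed for the demo, not real output from an ESXi host; the HSTS_HOST/HSTS_PORT variables and the probe_hsts helper are this example's own names. Note that the scanner reports the finding per port, so the port it names (9080 here) is the one to probe, not the port you are redirected to.

```shell
#!/bin/sh
# Added example: HSTS (RFC 6797) header check for a single HTTPS port.
# Not code from the thread or from VMware; sample header blocks are constructed.

# Print the max-age value of the last Strict-Transport-Security header on stdin
# (header names are case-insensitive; CRLF line endings are stripped first).
# Prints nothing when the header is absent or carries no max-age directive.
hsts_max_age() {
    tr -d '\r' | grep -i '^strict-transport-security:' | tail -n 1 |
        sed -n 's/.*[Mm][Aa][Xx]-[Aa][Gg][Ee]=\([0-9][0-9]*\).*/\1/p'
}

# Read response headers on stdin and give a verdict.
# Exit status: 0 = HSTS present with max-age > 0 (would satisfy the scanner),
#              1 = header missing (the Nessus finding), 2 = present but useless.
hsts_check() {
    headers=$(tr -d '\r')
    line=$(printf '%s\n' "$headers" | grep -i '^strict-transport-security:' | tail -n 1)
    if [ -z "$line" ]; then
        echo "MISSING: no Strict-Transport-Security header"
        return 1
    fi
    max_age=$(printf '%s\n' "$headers" | hsts_max_age)
    if [ -z "$max_age" ] || [ "$max_age" -eq 0 ]; then
        echo "WEAK: header present but max-age missing or zero: $line"
        return 2
    fi
    echo "OK: $line"
    return 0
}

# Live probe of one port (assumed helper, needs network): -D - dumps the headers
# of every hop, so with -L the header of the final response is what tail picks up.
# Drop -L to see what the scanner sees on the named port alone.
probe_hsts() {
    curl -k -s -L -D - -o /dev/null "https://$1:$2/" | hsts_check
}

# Constructed captures standing in for what the two ports might return.
HEADERS_9443='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html'

HEADERS_9080='HTTP/1.1 200 OK
Content-Type: text/plain'

# Offline demo over the constructed captures; '|| :' keeps the demo from aborting.
printf 'constructed 9443: '; printf '%s\n' "$HEADERS_9443" | hsts_check || :
printf 'constructed 9080: '; printf '%s\n' "$HEADERS_9080" | hsts_check || :

# Optional live check: HSTS_HOST=esx01 HSTS_PORT=9080 sh hsts_check.sh
if [ -n "${HSTS_HOST:-}" ]; then
    probe_hsts "$HSTS_HOST" "${HSTS_PORT:-9080}"
fi
```

    Run it once with -L removed from probe_hsts to reproduce the scanner's view of port 9080, and once with -L to reproduce the redirect-to-9443 argument made above; the two verdicts will differ, which is exactly the disagreement this thread is about.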



  • 3.  RE: HSTS Missing From HTTPS Server (RFC 6797) on port 9080

    Posted Dec 05, 2022 08:12 AM

    Where is solution\explanation for port 9080?



  • 4.  RE: HSTS Missing From HTTPS Server (RFC 6797) on port 9080

    Posted Jan 19, 2023 03:45 PM

    Is there any workaround? I am facing exactly the same HSTS Missing From HTTPS Server (RFC 6797) on port 9080.



  • 5.  RE: HSTS Missing From HTTPS Server (RFC 6797) on port 9080

    Posted Jan 19, 2023 03:48 PM

    I will have a look. Right now I am not able to say.



  • 6.  RE: HSTS Missing From HTTPS Server (RFC 6797) on port 9080

    Posted Apr 27, 2023 02:09 AM

    I have not seen an update to this thread, and as listed above the 7.0.3 release is reported by Nessus scan with HSTS missing from HTTPS on port 9080.



  • 7.  RE: HSTS Missing From HTTPS Server (RFC 6797) on port 9080

    Posted May 15, 2023 08:31 PM

    Greetings,

    I am having the same warning from our scans. Any update?



  • 8.  RE: HSTS Missing From HTTPS Server (RFC 6797) on port 9080

    Posted May 24, 2023 08:34 PM

    Recently updated a cluster to ESXi 7u3m and I'm experiencing the same after a post-update Nessus scan over port 9080.

    HSTS Missing From HTTPS Server (RFC 6797) - medium

    Solution: Configure the remote web server to use HSTS.
    See Also: https://tools.ietf.org/html/rfc6797
    Output: The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.
    Any fix/update on this by chance? Any insight on how to configure the ESXi hosts to use HSTS over port 9080 is greatly appreciated.


  • 9.  RE: HSTS Missing From HTTPS Server (RFC 6797) on port 9080

    Posted May 30, 2023 04:42 PM

    I am having the same issue on ESXi 7.0.3
    I have not been able to find a recently dated fix that applies to ESXi and 7.0.3 for this issue.

    Is there an update/fix for this issue for ESXi 7.0.3?



  • 10.  RE: HSTS Missing From HTTPS Server (RFC 6797) on port 9080

    Posted Jul 21, 2023 02:43 PM

    I had the same issue with HSTS on port 9080. Only vCenter needs to access this port, and by default I believe the ESXi firewall sets it to allow all. You can restrict the incoming 9080 port to only the managing vCenter and the Nessus alert will go away. I used this ugly script to push it out to all my hosts once I got it working, though I'm sure someone else can pretty this up. Just use PowerCLI to connect to your vCenter and replace x.x.x.x with your vCenter IP.

    # Connect-VIServer to the vCenter first; replace x.x.x.x with the vCenter IP.
    $vmhosts = Get-VMHost
    foreach ($vmhost in $vmhosts) {
        # V1 esxcli object: methods take positional arguments in the order noted below
        $EsxCli = Get-EsxCli -VMHost $vmhost

        # iofiltervp is the ruleset covering TCP 9080 (I/O filter VASA provider).
        # ruleset.set(allowedall, enabled, rulesetid): stop allowing all sources, keep the ruleset enabled
        $EsxCli.network.firewall.ruleset.set($false, $true, "iofiltervp")
        # allowedip.add(ipaddress, rulesetid): permit only the managing vCenter
        $EsxCli.network.firewall.ruleset.allowedip.add("x.x.x.x", "iofiltervp")

        # firewall.set(defaultaction, enabled): default action drop, firewall enabled; then reload the rules
        $EsxCli.network.firewall.set($false, $true)
        $EsxCli.network.firewall.refresh()
    }



  • 11.  RE: HSTS Missing From HTTPS Server (RFC 6797) on port 9080

    Posted Dec 12, 2023 11:12 PM

    Any updates?



  • 12.  RE: HSTS Missing From HTTPS Server (RFC 6797) on port 9080

    Posted Feb 25, 2024 01:48 PM

    Any update for this HSTS?

    Having same issue after updating to U3n.



  • 13.  RE: HSTS Missing From HTTPS Server (RFC 6797) on port 9080

    Posted Apr 12, 2024 01:15 PM

    Any updates for HSTS? How do we remove this vulnerability?



  • 14.  RE: HSTS Missing From HTTPS Server (RFC 6797) on port 9080

    Posted 3 days ago

    Is there an update for this?