Vulnerability "HSTS Missing From HTTPS Server" reported for Site Recovery Manager or vSphere Replication

Article ID: 312800

Updated On:

Products

VMware Live Recovery

Issue/Introduction

***This article is specifically for versions prior to 8.7.0.2. If the issue is seen on a later version, please open a technical support request with VMware.***



Symptoms:

  • Vulnerability scanner reports "HSTS Missing From HTTPS Server" for Site Recovery Manager appliance.
  • Vulnerability scanner reports "HSTS Missing From HTTPS Server" for vSphere Replication appliance.

Environment

VMware vSphere Replication 8.5.x
VMware vSphere Replication 8.6.x
VMware vSphere Replication 8.7.x
VMware Site Recovery Manager 8.5.x
VMware Site Recovery Manager 8.6.x
VMware Site Recovery Manager 8.7.x


Cause


Prior to 8.7.0.2, the HTTP Strict Transport Security (HSTS) response header was not sent for port 443. HSTS is an optional response header that a server can be configured to send to instruct the browser to communicate with that server only over HTTPS.

Without this header the server does not receive the protection that HSTS, defined in RFC 6797 (linked below), provides, which is why the scanner reports the finding.

HTTP Strict Transport Security (HSTS) 


Resolution


This issue is fixed in version 8.7.0.2 for both Site Recovery Manager and vSphere Replication.

vSphere Replication 8.7.0.2 Release Notes

VMware Site Recovery Manager 8.7.0.2 Release Notes


NOTE: After upgrading to 8.7.0.2, the envoy-proxy service must be restarted with the command "systemctl restart envoy-proxy" for the fix to take effect. The user must be logged in as root, or use sudo, to run the command. Alternatively, the customer can reboot the appliance to restart all services.
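The following script is an added example for this article, not VMware code: it verifies that an HTTPS endpoint sends a usable Strict-Transport-Security header, which is what the scanner finding in the Symptoms section is about and what you would want to confirm after the envoy-proxy restart. It parses the header the way RFC 6797 section 6.1 describes (semicolon-separated, case-insensitive directives; max-age required; unknown directives ignored) and flags the weak cases a scanner would still report. The host name, port and the two constructed header sets (a "before" response without the header and an "after" response with it) are assumptions for illustration, and the one-year threshold is a common scanner convention, not a value from this article.

```python
"""Check an HTTPS endpoint, or a captured set of response headers, for HSTS.

Added example (not VMware code). The HTTPS fetch in check_host() requires
network access; the parsing and assessment functions run offline.
"""
import http.client
import ssl
import sys
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

ONE_YEAR = 31536000  # common scanner threshold (assumption, not from the article)


@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.present and not self.problems


def parse_hsts(value: str) -> HstsResult:
    """Parse a Strict-Transport-Security field value per RFC 6797 section 6.1."""
    result = HstsResult(present=True)
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        val = val.strip().strip('"')         # directive-value may be a quoted-string
        if name in seen:                     # RFC 6797: a directive MUST NOT repeat
            result.problems.append(f"duplicate directive {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if val.isdigit():
                result.max_age = int(val)
            else:
                result.problems.append("max-age is not a non-negative integer")
        elif name == "includesubdomains":
            result.include_subdomains = True
        elif name == "preload":
            result.preload = True
        # any other directive is ignored, as the RFC requires
    if result.max_age is None:
        result.problems.append("max-age directive missing")
    elif result.max_age == 0:
        result.problems.append("max-age=0 disables HSTS")
    elif result.max_age < ONE_YEAR:
        result.problems.append("max-age below one year")
    return result


def assess_headers(headers: Iterable[Tuple[str, str]]) -> HstsResult:
    """Assess (name, value) header pairs, e.g. from HTTPResponse.getheaders()."""
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not values:
        return HstsResult(present=False,
                          problems=["Strict-Transport-Security header missing"])
    result = parse_hsts(values[0])           # RFC 6797 8.1: only the first field counts
    if len(values) > 1:
        result.problems.append("multiple HSTS headers; only the first is processed")
    return result


def check_host(host: str, port: int = 443, path: str = "/",
               verify: bool = True) -> HstsResult:
    """Send one HEAD request over TLS and assess the response headers."""
    ctx = ssl.create_default_context()
    if not verify:                           # for appliances with self-signed certs
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("HEAD", path)
        return assess_headers(conn.getresponse().getheaders())
    finally:
        conn.close()


# Constructed sample responses: what a scanner sees before and after the fix.
BEFORE_FIX = [("Content-Type", "text/html"), ("Server", "envoy")]
AFTER_FIX = [("Content-Type", "text/html"), ("Server", "envoy"),
             ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]

if __name__ == "__main__":
    # Usage: python hsts_check.py <appliance-host> [--insecure]
    if len(sys.argv) < 2:
        for label, hdrs in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
            print(label, assess_headers(hdrs))
    else:
        res = check_host(sys.argv[1], verify="--insecure" not in sys.argv)
        print("PASS" if res.ok else "FAIL", res.problems)
```

Run it against the appliance after the restart; a PASS with an empty problem list means the header is present with a non-zero max-age of at least one year. Run it with no arguments to see how the two constructed header sets are assessed.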

Additional Information