Information about the vulnerability "HTTP TRACE / TRACK Methods Allowed".
This vulnerability is reported on vCSA port 9084 (TCP).
Port 9084 is used for vSphere Lifecycle Manager communications (https://ports.broadcom.com/home/vSphere).
Symptoms:
Security scanner tools such as Nessus may report that vCenter Server 8.0 U1 supports the HTTP TRACE method on port 9084, under CVE-2003-1567, CVE-2004-2320 and CVE-2010-0386.
As per the security scanner output, the remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.
Security report sample:
Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus1538785747.html HTTP/1.1
Connection: Close
Host: vcsa_fqdn_ip.example.com
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
date: Thu, 08 Feb 2024 11:21:18 GMT
content-type: message/http
content-length: 474
x-envoy-upstream-service-time: 0
connection: close
TRACE /Nessus1538785747.html HTTP/1.1
Accept-Charset: iso-8859-1,*,utf-8
x-envoy-internal: true
x-request-id: 566fb03a-85cf-4571-8d58-4dbc84d43bee
x-vmware-remote-port: 40902
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
X-Forwarded-Proto: http
X-Forwarded-For: 10.93.134.178
Host: vcsa_fqdn_ip.example.com
Pragma: no-cache
Accept-Language: en
------------------------------ snip ------------------------------
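To confirm or clear this finding from a saved response, the following added example (not part of the original article or of any VMware tooling) applies the same test the scanner describes: a 200 reply with content-type message/http whose body echoes the request line. It also lists echoed headers that the client never sent. The function names and the 405 sample are assumptions made for illustration; the echo sample is shortened from the report above.

```python
"""Classify a TRACE probe result the way the scanner finding does (added example)."""

def parse_response(raw):
    """Split a raw HTTP response into (status code, headers dict, body text)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def assess_trace(request_line, sent_header_names, raw_response):
    """Report whether the request was echoed and which headers were added in transit."""
    status, headers, body = parse_response(raw_response)
    echoed = (status == 200
              and headers.get("content-type", "").startswith("message/http")
              and body.startswith(request_line))
    sent = {n.lower() for n in sent_header_names}
    added = []
    if echoed:
        for line in body.split("\n")[1:]:  # skip the echoed request line
            name = line.partition(":")[0].strip()
            if name and name.lower() not in sent:
                added.append(name)
    return {"trace_enabled": echoed, "added_in_transit": added}

# Header names the scanner sent, taken from the request in the report above.
SENT = ["Connection", "Host", "Pragma", "User-Agent", "Accept",
        "Accept-Language", "Accept-Charset"]
REQUEST_LINE = "TRACE /Nessus1538785747.html HTTP/1.1"

# Shortened from the report sample; blank line restored before the echoed body.
ECHO_RESPONSE = (
    "HTTP/1.1 200 OK\n"
    "content-type: message/http\n"
    "connection: close\n"
    "\n"
    "TRACE /Nessus1538785747.html HTTP/1.1\n"
    "x-envoy-internal: true\n"
    "X-Forwarded-Proto: http\n"
    "X-Forwarded-For: 10.93.134.178\n"
    "Host: vcsa_fqdn_ip.example.com\n"
    "Pragma: no-cache\n"
)
# Constructed sample: what a server that rejects TRACE might return.
REJECT_RESPONSE = "HTTP/1.1 405 Method Not Allowed\nallow: GET, POST\n\n"

if __name__ == "__main__":
    print(assess_trace(REQUEST_LINE, SENT, ECHO_RESPONSE))
    print(assess_trace(REQUEST_LINE, SENT, REJECT_RESPONSE))
```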