Vulnerability scanners may detect that the remote web server is not enforcing HSTS.
VMware vCenter Server 7.x
VMware vCenter Server 8.x
VMware vSphere ESXi 7.0
VMware vSphere ESXi 8.0
TCP 9080:
Please be aware that ESXi port 9080/tcp does not send HTTP Strict Transport Security (HSTS) headers. HSTS helps protect browser connections against security downgrades. Some security scanning tools incorrectly flag the absence of HSTS on port 9080/tcp as a vulnerability, assuming that all TLS ports should be browser-compatible. However, port 9080/tcp is not a web server, does not support browser connections, and does not support unencrypted communications. Consequently, HSTS checks are irrelevant for this port. VMware is committed to reducing regulatory compliance friction for vSphere Administrators and plans to address this in future product versions.
TCP 5580:
This port corresponds to the VMware POD API. This API does not support HTTP at all, so HSTS is not relevant for this port.
VMware vCenter Server 7.0 Update 2 Release Notes
TCP 3128:
This port is an incoming port for smart-card based authentication for vCenter. The connection is redirected to port 3128 during smart card login. This port only supports pre-configured mutual authentication connections and is not intended as a direct browser endpoint. As such, it does not return an HSTS header.
Configure vCenter Server Smart Card Authentication to Request Client Certificates
For more information, please refer to VMware vSphere 8 Default SSL/TLS Cipher Suites and VMware vSphere 7 Default SSL/TLS Cipher Suites.
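For ports 9080, 5580 and 3128 the question an administrator needs to answer before accepting or suppressing the scanner alert is the same: does the port speak HTTP over TLS at all, and if so, does the response carry a Strict-Transport-Security header? The script below is an added example for this article, not VMware or Broadcom code. It classifies what a TLS peer sends back after a minimal HTTP/1.1 GET: an HTTP response with the header, an HTTP response without it (the only case where the finding is meaningful, and only if the port is browser-facing), a non-HTTP reply, or a handshake failure such as a server that demands a client certificate. The hostname and port are supplied on the command line; the sample responses embedded in the block are constructed for illustration and were not captured from a real vSphere host.

```python
"""Triage an HSTS scanner finding: does the flagged TLS port actually speak HTTP?

Added example for this KB article; not VMware/Broadcom code. Hostnames,
ports and the sample responses below are constructed for illustration.
"""
import socket
import ssl
import sys

HSTS_HEADER = "strict-transport-security"

# Constructed sample answers (not captured from a real vSphere host)
SAMPLE_WEB_WITH_HSTS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_WEB_NO_HSTS = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
SAMPLE_NON_HTTP = b"\x00\x00\x00\x0c\x01binary-framed"  # constructed non-HTTP reply
SAMPLE_EMPTY = b""  # peer closed the connection without speaking HTTP


def classify_response(raw: bytes) -> str:
    """Classify the bytes a TLS peer returned after a plain HTTP/1.1 GET.

    "hsts-present": an HTTP response carrying Strict-Transport-Security
    "hsts-missing": an HTTP response without it (a real finding only when the
                    port is a browser-facing web server)
    "not-http":     no HTTP response at all; HSTS cannot apply here
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    if not head.startswith(b"HTTP/"):
        return "not-http"
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:
        name, _, _value = line.partition(":")
        if name.strip().lower() == HSTS_HEADER:
            return "hsts-present"
    return "hsts-missing"


def hsts_finding_applies(result: str) -> bool:
    """Only a genuine HTTP response without the header is a reportable finding."""
    return result == "hsts-missing"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Open a TLS session to host:port, send a minimal GET, classify the answer.

    Certificate verification is turned off because vSphere components often
    present VMCA-issued or self-signed certificates; this probes headers,
    not trust. A handshake that fails because the server requires a client
    certificate (mutual TLS, as on the smart-card port) is reported as such.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.sendall(request)
                chunks, total = [], 0
                while total < 65536:
                    data = tls.recv(4096)
                    if not data:
                        break
                    chunks.append(data)
                    total += len(data)
                return classify_response(b"".join(chunks))
    except ssl.SSLError:
        # handshake or record-layer failure: client cert demanded, or not TLS/HTTP
        return "tls-handshake-failed"
    except OSError:  # includes socket.timeout and connection refused
        return "no-response"


if __name__ == "__main__":
    for label, sample in [("with HSTS", SAMPLE_WEB_WITH_HSTS),
                          ("no HSTS", SAMPLE_WEB_NO_HSTS),
                          ("non-HTTP", SAMPLE_NON_HTTP),
                          ("empty", SAMPLE_EMPTY)]:
        r = classify_response(sample)
        print(f"{label:10s} -> {r:13s} finding applies: {hsts_finding_applies(r)}")
    if len(sys.argv) == 3:  # optional live probe: python hsts_triage.py <host> <port>
        print(probe(sys.argv[1], int(sys.argv[2])))
```

Run it with no arguments to see the four constructed cases classified; pass a vCenter or ESXi hostname and one of the ports from this article to classify the live answer. Only the "hsts-missing" result on a port that browsers are meant to reach warrants an HSTS finding; "not-http", "tls-handshake-failed" and "no-response" match the behaviour this article describes for 5580, 3128 and 9080 respectively and support a scanner exception rather than a remediation ticket.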
TCP 2379:
This is a bidirectional TCP port used by vSphere with Tanzu.
Port description: Exposes the etcd server; etcd is a distributed key-value store that holds state for the Kubernetes control plane.
If Tanzu is not being utilized, the port may be closed.
Please note that starting from vSphere 8.0, tcp/2379 (etcdClientComm) is a system-owned firewall rule and cannot be manually enabled or disabled. Starting from vSphere 8.0 U2b, the allowed IP list for this firewall rule can be modified.
If a vulnerability scanner reports this behavior, an exception may need to be configured in the scanner to suppress the alert.