NSX Intelligence 1.2 port 8080 open for login and unencrypted

Article ID: 345812

Products

VMware NSX

Issue/Introduction

When port 8080 on the NSX Intelligence 1.2 appliance is accessed, a login screen is presented over plain HTTP, i.e. over an unencrypted channel.

Web Server Uses Plain-Text Form Based Authentication:

The Web server uses plain-text form-based authentication. A web page exists on the target host which uses an HTML login form. This data is sent from the client to the server in plain text. An attacker with access to the network traffic to and from the target host may be able to obtain login credentials for other users by sniffing the network traffic.

 

Environment

VMware NSX-T

Cause

This issue occurs because the spark-job-scheduler Spring Boot application is listening on port 8080. The issue is not present on the NAPP platform.

Resolution

Steps to resolve:

1. Make the server listen on a non-standard port such as 9888.

Add the JVM option -Dserver.port=9888 to the java command line in /opt/vmware/pace/spark-job-scheduler/spark-job-scheduler-start.sh.

For example:

cat /opt/vmware/pace/spark-job-scheduler/spark-job-scheduler-start.sh

#!/usr/bin/env bash
set -xe
source /opt/vmware/pace/spark-job-scheduler/spark-job-scheduler-start-conf.sh
export SPARK_HOME=/opt/apache-spark

# Starting NSX PACE Spark job scheduler application
java $SERVER_JVM_OPTS -Dserver.port=9888 -jar $APPLICATION_DIR/spark-job-scheduler-app_springboot.jar
 

Restart the spark-job-scheduler service:

systemctl restart spark-job-scheduler

Verify it is back up:

systemctl status spark-job-scheduler

You should see Active: active (running)

Verify that nothing is listening on 8080 (the command should print nothing):

netstat -lntp | grep -w 8080

Verify that it is listening on 9888 instead (note: the PID will vary):

netstat -lntp | grep -w 9888

tcp 0 0 0.0.0.0:9888 0.0.0.0:* LISTEN 14260/java

 

Verify that 'http://Intelligence-ip:8080/login' or 'http://Intelligence-ip:9888/login' is blocked (where Intelligence-ip is the address of the NSX Intelligence appliance).

 

2. Prevent the app from binding to any port.

Add the JVM option -Dspring.main.web-application-type=none to the java command line in /opt/vmware/pace/spark-job-scheduler/spark-job-scheduler-start.sh.

For example:

cat /opt/vmware/pace/spark-job-scheduler/spark-job-scheduler-start.sh

#!/usr/bin/env bash
set -xe
source /opt/vmware/pace/spark-job-scheduler/spark-job-scheduler-start-conf.sh
export SPARK_HOME=/opt/apache-spark

# Starting NSX PACE Spark job scheduler application
java $SERVER_JVM_OPTS -Dspring.main.web-application-type=none -jar $APPLICATION_DIR/spark-job-scheduler-app_springboot.jar
 

Restart the spark-job-scheduler service:

systemctl restart spark-job-scheduler

Verify it is back up:

systemctl status spark-job-scheduler

You should see Active: active (running)

Verify that nothing is listening on 8080 (the command should print nothing):

netstat -lntp | grep -w 8080

 

Verify that 'http://Intelligence-ip:8080/login' is blocked (where Intelligence-ip is the address of the NSX Intelligence appliance).
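As an added check, the bash script below encodes the verification steps for both options above in one place. It is example code written for this article, not part of the KB and not VMware tooling: it parses saved netstat -lntp output, confirms that nothing listens on 8080, and confirms that the expected JVM option is a whole token on the java command line in spark-job-scheduler-start.sh. The paths and JVM options come from the article; the function names, the sample netstat lines and the sample start script contents are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example: post-remediation check for the spark-job-scheduler port change.
# Not part of the KB article; the file contents and netstat output below are
# constructed to mirror the listings in the article.

# Return 0 if a process is LISTENing on TCP port $2 in netstat -lntp output $1.
# Handles both "0.0.0.0:8080" and IPv6 ":::8080" local-address forms.
has_listener() {
  local netstat_out="$1" port="$2"
  printf '%s\n' "$netstat_out" | awk -v p="$port" '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
      n = split($4, a, ":")        # last element is the port
      if (a[n] == p) found = 1
    }
    END { exit found ? 0 : 1 }'
}

# Return 0 if the start script passes JVM option $2 on its java command line
# (the option must be a whole, space-delimited token, not a substring).
script_has_jvm_opt() {
  local script="$1" opt="$2" opt_re
  opt_re=$(printf '%s' "$opt" | sed 's/[][\.*^$]/\\&/g')   # escape regex metacharacters
  grep -Eq "^[[:space:]]*java[[:space:]].*[[:space:]]${opt_re}([[:space:]]|$)" "$script"
}

# Evaluate the remediation state. mode "port" = option 1 (listen on 9888),
# mode "none" = option 2 (no HTTP listener at all). Prints "ok (<mode>)" on
# success or "FAIL: <reason>" otherwise, and returns 0/1 accordingly.
check_remediation() {
  local netstat_out="$1" script="$2" mode="$3"
  if has_listener "$netstat_out" 8080; then
    echo "FAIL: a process still listens on 8080"; return 1
  fi
  case "$mode" in
    port)
      script_has_jvm_opt "$script" "-Dserver.port=9888" \
        || { echo "FAIL: -Dserver.port=9888 missing from java command line"; return 1; }
      has_listener "$netstat_out" 9888 \
        || { echo "FAIL: nothing listening on 9888"; return 1; }
      ;;
    none)
      script_has_jvm_opt "$script" "-Dspring.main.web-application-type=none" \
        || { echo "FAIL: -Dspring.main.web-application-type=none missing from java command line"; return 1; }
      if has_listener "$netstat_out" 9888; then
        echo "FAIL: unexpected listener on 9888"; return 1
      fi
      ;;
    *) echo "usage: check_remediation <netstat-output> <start-script> port|none"; return 2 ;;
  esac
  echo "ok ($mode)"
}

# Write a start script modelled on the KB listing, with $2 as the extra JVM
# option (constructed content; the paths are the ones from the article).
write_sample_script() {
  local path="$1" jvm_opt="$2"
  cat >"$path" <<EOF
#!/usr/bin/env bash
set -xe
source /opt/vmware/pace/spark-job-scheduler/spark-job-scheduler-start-conf.sh
export SPARK_HOME=/opt/apache-spark
# Starting NSX PACE Spark job scheduler application
java \$SERVER_JVM_OPTS ${jvm_opt} -jar \$APPLICATION_DIR/spark-job-scheduler-app_springboot.jar
EOF
}

# Constructed netstat -lntp samples: before the change and after each option.
NETSTAT_BEFORE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      14260/java'
NETSTAT_AFTER_PORT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 0.0.0.0:9888            0.0.0.0:*               LISTEN      14260/java'
NETSTAT_AFTER_NONE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd'

# Demonstration on the constructed data. On the appliance itself you would pass
# live output instead: check_remediation "$(netstat -lntp)" <start-script> port
demo_script=$(mktemp)
write_sample_script "$demo_script" "-Dserver.port=9888"
check_remediation "$NETSTAT_BEFORE" "$demo_script" port || true   # FAIL: a process still listens on 8080
check_remediation "$NETSTAT_AFTER_PORT" "$demo_script" port       # ok (port)
write_sample_script "$demo_script" "-Dspring.main.web-application-type=none"
check_remediation "$NETSTAT_AFTER_NONE" "$demo_script" none       # ok (none)
rm -f "$demo_script"
```

The token-boundary match in script_has_jvm_opt matters: a bare grep for "server.port" would also accept a commented-out or partially typed option, whereas this check only passes when the option is a complete argument on the line that starts the JVM. The awk parser keys on the State column rather than on the PID, since the PID changes on every restart.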

 

 

Additional Information

For the ports required by various VMware products, solutions, and services, please refer to VMware Ports and Protocols.