Tenable Nessus reports a security vulnerability, TEN-142960. The remote web server is not enforcing HSTS, as defined by RFC 6797. HSTS is an optional response header that can be configured on the server to instruct the browser to communicate only via HTTPS. The lack of HSTS allows downgrade attacks and SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.
Aria Suite Lifecycle 8.x
VMware Aria Suite Lifecycle includes the Common Appliance Platform (CAP), which replaces the VMware Appliance Management Interface (VAMI) for product installations and upgrades. CAP is an approach to standardize appliance management for all VMware appliances. CAP uses port 8000.
This is the appliance management backend server. It does not host any web pages and only accepts API calls.
At the moment, the workaround is to stop the "cap-appliance-management" service on the Aria Suite Lifecycle appliance: set the interface-ip-address key to 127.0.0.1 in "/etc/vmware/cap/cap_am/cap-appliance-management.conf", then stop or restart the service by running "service cap-appliance-management stop" or "service cap-appliance-management restart".
This is how the "interface-ip-address" key appears in /etc/vmware/cap/cap_am/cap-appliance-management.conf. As suggested in the workaround, we set it to the loopback IP 127.0.0.1.
And this is how the updated file looks.
Then execute the command: service cap-appliance-management stop (or restart)
This changes the "cap-appliance-management" service state to Failed, as seen in this screenshot.
The Aria Suite Lifecycle portal will continue to work as expected, and there will be no impact on the production environment.
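To confirm the workaround took effect, the check below (an added example, not part of the original article) parses `ss -ltn` output and flags any listener on CAP port 8000 that is not bound to loopback; it passes equally when nothing listens on the port at all. The function names, the script name and the sample socket listings are constructed for illustration.

```shell
#!/bin/sh
CAP_PORT=8000   # CAP port named in the article

# Reads `ss -ltn` output on stdin and prints every listener on port $1 whose
# local address is not loopback. Returns 0 if there are none, 1 otherwise.
exposed_listeners() {
    awk -v port="$1" '
        $1 != "LISTEN" { next }                # header line, other states
        {
            n = match($4, /:[0-9]+$/)          # trailing ":port" of Local Address:Port
            if (n == 0 || substr($4, n + 1) != port) next
            addr = substr($4, 1, n - 1)
            sub(/^\[/, "", addr); sub(/\]$/, "", addr)   # IPv6 brackets
            sub(/%.*$/, "", addr)              # interface scope such as %lo
            if (addr ~ /^127\./ || addr == "::1") next
            print $4; found = 1
        }
        END { exit found + 0 }
    '
}

# Constructed sample (assumed pre-workaround state): port 8000 on all interfaces.
sample_before() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:8000       0.0.0.0:*
EOF
}

# Constructed sample: interface-ip-address set to 127.0.0.1.
sample_after() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:8000     0.0.0.0:*
EOF
}

# On the appliance: sh check_cap_port.sh --live
if [ "${1:-}" = "--live" ]; then
    if ss -ltn | exposed_listeners "$CAP_PORT"; then
        echo "port $CAP_PORT: no non-loopback listener"
    else
        echo "port $CAP_PORT: still bound to a network-reachable address" >&2
    fi
fi
```

A Nessus rescan of the appliance from the scanner's network position remains the authoritative confirmation that the finding is closed.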