ESXi host SSL vulnerability on port 9080

Article ID: 392412

Updated On:

Products

  • VMware vSphere ESXi
  • VMware vSphere ESXi 7.0
  • VMware vSphere ESXi 8.0

Issue/Introduction

A vulnerability scan reports a "Network-Protocol/TLS/TLS Server Cert" issue on port 9080/TCP on ESXi hosts.

Environment

  • VMware vSphere ESXi 7.x
  • VMware vSphere ESXi 8.x

Cause

The host's iofiltervp.pem certificate does not match the rui.crt ESXi host certificate.

Resolution

  • If the iofiltervp.pem certificate is expired:

  • If the iofiltervp.pem and rui.crt information are different:
    1. Take a backup of the existing iofiltervp.pem file:

      • cd /etc/vmware/ssl
      • mv iofiltervp.pem oldiofiltervp.pem.bak
    2. Copy the contents of the host's rui.crt and rui.key files from the following location:

      • /etc/vmware/ssl
    3. Create a new iofiltervp.pem file using the vi editor:

      • vi iofiltervp.pem
    4. Paste the contents of rui.crt followed by the contents of rui.key into the blank iofiltervp.pem file and save the file.
    5. Restart the iofilter service with the command:

      • /etc/init.d/iofiltervpd restart
  • Perform the vulnerability scan on the ESXi host.
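
The comparison described under Cause and the replacement steps under Resolution can be scripted; the following is an added example, not part of the original article or VMware tooling. It assumes the openssl binary is available in the ESXi shell, and the function names and return codes are hypothetical.

```sh
#!/bin/sh
# Added example, not VMware tooling. Function names and return codes are
# assumptions; file names, paths and the restart command come from the article.

# SHA-256 fingerprint of the first certificate found in a PEM file.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Compare iofiltervp.pem with rui.crt in directory $1 (default /etc/vmware/ssl).
# Returns 0 = same certificate and not expired, 1 = certificates differ,
#         2 = iofiltervp.pem certificate expired, 3 = a file could not be parsed.
check_iofilter_cert() {
    dir=${1:-/etc/vmware/ssl}
    host_fp=$(cert_fp "$dir/rui.crt" 2>/dev/null) || return 3
    iof_fp=$(cert_fp "$dir/iofiltervp.pem" 2>/dev/null) || return 3
    if ! openssl x509 -in "$dir/iofiltervp.pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo "iofiltervp.pem: certificate is expired"
        return 2
    fi
    if [ "$host_fp" != "$iof_fp" ]; then
        echo "iofiltervp.pem: certificate differs from rui.crt"
        return 1
    fi
    echo "iofiltervp.pem: certificate matches rui.crt"
}

# Steps 1-5 of the "information are different" case. The body runs in a
# subshell so the cd does not change the caller's working directory.
rebuild_iofilter_pem() (
    cd "${1:-/etc/vmware/ssl}" || exit 1
    mv iofiltervp.pem oldiofiltervp.pem.bak || exit 1
    # The file holds the host private key: recreate it with the old file's
    # owner and mode, then overwrite the contents with rui.crt + rui.key.
    cp -p oldiofiltervp.pem.bak iofiltervp.pem || exit 1
    cat rui.crt rui.key > iofiltervp.pem || exit 1
    if [ -x /etc/init.d/iofiltervpd ]; then
        /etc/init.d/iofiltervpd restart
    fi
)
```

Run check_iofilter_cert first and call rebuild_iofilter_pem only when it returns 1; running the check again afterwards should return 0 before the host is rescanned.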