Tenable Nessus scanner reports vulnerability, TEN-142960(HSTS Missing From HTTPS Server) on port 8000 for Aria Suite Lifecycle

Article ID: 395729


Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

Vulnerability scanners such as Tenable Nessus may report that the remote web server on TCP port 8000 is not enforcing HTTP Strict Transport Security (HSTS), as defined by RFC 6797. This vulnerability is identified as TEN-142960 (HSTS Missing From HTTPS Server).

Environment

Aria Suite Lifecycle 8.x

Cause

Starting with VMware Aria Suite Lifecycle 8.12, the appliance uses the Common Appliance Platform (CAP) on port 8000 for backend appliance management, including product installations and upgrades. This service is intended for backend API calls and does not host user-facing web pages. Because it is a management interface, it does not currently enforce the HSTS response header. VMware Aria Suite Lifecycle is therefore not impacted by the HSTS Missing From HTTPS Server finding.

Resolution

To mitigate this detection, administrators can restrict access to port 8000 so that only connections from the localhost (127.0.0.1) are allowed, by applying firewall rules.

  1. Take a Snapshot: Capture a snapshot of the Aria Suite Lifecycle appliance. A memory snapshot is not required.

  2. Access the Firewall Configuration: Log in to the appliance CLI and open the following file for editing:

    /etc/systemd/scripts/ip4save

  3. Add Restricted Rules: Append the following lines immediately before the COMMIT line. Keep them in this order: -I inserts each rule at the head of the INPUT chain, so the ACCEPT rule, loaded second, ends up ahead of the DROP rule and localhost connections are matched before the drop applies:

    -I INPUT -p tcp --dport 8000 -j DROP
    -I INPUT -s 127.0.0.1 -p tcp --dport 8000 -j ACCEPT


  4. Restart the Firewall: Apply the changes by restarting the iptables service:

    systemctl restart iptables.service

  5. Verification: Navigate to the Aria Suite Lifecycle UI and load the System Details page. Confirm the appliance version is correctly displayed to ensure the CAP service remains functional.

Additional Information

If the steps above do not resolve the detection, check /etc/systemd/scripts/ip4save for duplicate rules that reference port 8000. Remove every such rule and keep only the two new rules below for port 8000. Retain all other rules for all other ports; nothing other than port 8000 should be changed:

-I INPUT -p tcp --dport 8000 -j DROP
-I INPUT -s 127.0.0.1 -p tcp --dport 8000 -j ACCEPT
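The following shell script is an added example, not part of the KB article and not VMware tooling. It shows the edit from the Resolution steps and the de-duplication from Additional Information as one idempotent operation on an iptables-save style file: every existing rule that references port 8000 is dropped and exactly the two article rules are inserted immediately before COMMIT. The sample ip4save content is constructed for illustration and does not reproduce the appliance's real file; the function and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the KB article): rewrite an iptables-save style file
# so that port 8000 carries exactly the two rules the article gives, placed
# immediately before the COMMIT line. Function names are assumptions.

# Remove every existing rule mentioning --dport 8000 (covers duplicates) and
# insert the two article rules before COMMIT. Reads $1, writes to stdout, so
# the caller can review the result before replacing the live file.
restrict_port_8000() {
    awk '
        /--dport 8000/ { next }      # discard any existing port-8000 rule
        /^COMMIT/ {
            # -I inserts at the head of the chain, so the ACCEPT line (loaded
            # second) ends up above the DROP line once the file is restored.
            print "-I INPUT -p tcp --dport 8000 -j DROP"
            print "-I INPUT -s 127.0.0.1 -p tcp --dport 8000 -j ACCEPT"
        }
        { print }
    ' "$1"
}

# Count how many rules in a file reference port 8000; exactly 2 is the goal.
count_port_8000_rules() {
    grep -c -- '--dport 8000' "$1"
}

# Constructed sample ip4save content (illustrative only): two duplicate
# port-8000 ACCEPT rules that a scanner would still see as exposed.
make_sample() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 8000 -j ACCEPT
-A INPUT -p tcp --dport 8000 -j ACCEPT
COMMIT
EOF
}

# Demo: build the sample, rewrite it, and show the result and the rule count.
demo() {
    src=$(mktemp); dst=$(mktemp)
    make_sample "$src"
    restrict_port_8000 "$src" > "$dst"
    cat "$dst"
    echo "port-8000 rules: $(count_port_8000_rules "$dst")"
    rm -f "$src" "$dst"
}
```

To apply this to the appliance, run `restrict_port_8000 /etc/systemd/scripts/ip4save > /tmp/ip4save.new`, inspect the output, copy it over the original, then `systemctl restart iptables.service` as in step 4. After the restart, `iptables -S INPUT | grep 8000` should list the 127.0.0.1 ACCEPT rule above the DROP rule; if the order is reversed, localhost calls to CAP will fail and the System Details check in step 5 will not show the version.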