Host header not verified for Http Port 80 in VCF Operations for Networks



Article ID: 410619


Products

VCF Operations for Networks

Issue/Introduction

  • AON does not validate the HTTP Host header before redirecting plain-HTTP (port 80) requests to HTTPS. The redirect target is built from the request's Host value, so an injected or arbitrary Host header is reflected into the Location of the redirect response.
  • Reported by the scan tool Tenable Nessus.

Environment

VCF Operations for Networks

Resolution

This issue will be fixed in VCF 9.1. Until the fix is available, apply the workaround below.

Follow these steps to disable HTTP port 80 (the redirect-only listener; the HTTPS service is not affected):

1: Log in to AON as the support user

2: Remove the line below from /etc/firewall.conf (sudo vi /etc/firewall.conf)
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

3: Reload the iptables rules from the updated file
sudo iptables-restore < /etc/firewall.conf

4: Remove the block below (the port 80 server block) from /etc/nginx/sites-enabled/vnera (sudo vi /etc/nginx/sites-enabled/vnera)
server {
    listen   80 default;
    server_tokens off;
    location / {
        rewrite ^ https://$host$request_uri? permanent;
    }

    #Location for Nginx status check. This url is used by datadog
    location /nginx_status {
        stub_status on;
    }
}

5: Restart the nginx service
sudo service nginx restart
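Scripted form of the five steps above, as an added example that is not part of the KB article or of the product: it backs up both files, removes the port 80 ACCEPT rule and the port 80 server block, then reloads iptables, syntax-checks nginx and restarts it. The file paths are the ones the article names; the check_host_reflection function and the attacker.example host name are assumptions used only to illustrate verifying the result. Run it with --apply as the support user to change the system; without that flag it only defines the functions.

```sh
#!/bin/sh
# Added example (not from the KB article): scripted workaround for the unverified
# Host header redirect on port 80. Paths are those named in the article.
set -eu

FIREWALL_CONF="${FIREWALL_CONF:-/etc/firewall.conf}"
NGINX_SITE="${NGINX_SITE:-/etc/nginx/sites-enabled/vnera}"

# Step 2: drop the iptables ACCEPT rule for TCP/80. Prints the filtered file.
strip_port80_rule() {
    grep -v -E -- '^-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT[[:space:]]*$' "$1" || true
}

# Step 4: drop every top-level "server { ... }" block that listens on port 80
# (matched by brace depth; assumes no braces inside comments). Other server
# blocks, e.g. the HTTPS one, pass through unchanged.
strip_port80_server_block() {
    awk '
    function emit() { if (!drop) printf "%s", buf; buf = ""; drop = 0 }
    {
        line = $0 "\n"
        if (depth == 0 && $0 ~ /^[[:space:]]*server[[:space:]]*[{]/) inblock = 1
        if (inblock) {
            buf = buf line
            if ($0 ~ /^[[:space:]]*listen[[:space:]]+80([[:space:];]|$)/) drop = 1
        } else {
            printf "%s", line
        }
        depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
        if (inblock && depth == 0) { emit(); inblock = 0 }
    }
    END { if (inblock) emit() }
    ' "$1"
}

# Steps 2-5 end to end. Backs up both files first; needs root via sudo.
apply_workaround() {
    stamp=$(date +%Y%m%d%H%M%S)
    cp -p "$FIREWALL_CONF" "$FIREWALL_CONF.bak.$stamp"
    cp -p "$NGINX_SITE" "$NGINX_SITE.bak.$stamp"
    tmp=$(mktemp)
    strip_port80_rule "$FIREWALL_CONF" > "$tmp" && cat "$tmp" > "$FIREWALL_CONF"
    iptables-restore < "$FIREWALL_CONF"               # step 3
    strip_port80_server_block "$NGINX_SITE" > "$tmp" && cat "$tmp" > "$NGINX_SITE"
    rm -f "$tmp"
    nginx -t                                          # syntax check before restart
    service nginx restart                             # step 5
}

# Verification (assumed helper): send a spoofed Host header to port 80 and check
# that no redirect reflecting it comes back. After the workaround, port 80 does
# not answer at all, so curl fails and redirect_url is empty, which is a pass.
check_host_reflection() {
    target="$1"; spoofed="${2:-attacker.example}"
    loc=$(curl -s -o /dev/null -m 5 -I -H "Host: $spoofed" \
          -w '%{redirect_url}' "http://$target/" || true)
    case "$loc" in
        *"$spoofed"*) echo "FAIL: redirect reflects injected Host: $loc"; return 1 ;;
        *)            echo "OK: no reflected redirect from port 80"; return 0 ;;
    esac
}

if [ "${1:-}" = "--apply" ]; then
    apply_workaround
fi
```

Before applying, run check_host_reflection against the appliance to see the Location header reflecting the spoofed host; after the restart the same call should report OK because nothing listens on port 80 any more.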