Solved

VMWare vCenter vulnerability help

Posted on 2014-01-30
2
628 Views
Last Modified: 2014-02-05
I had a vulnerability scan done recently and I'm having trouble finding any information on 1 of the items. My setup is ESXi 5.1 with vCenter Server running on Win2008 R2 SP1.

Web Server Internal IP address or network name available
CVE: CVE-2000-0649 CVE-2002-0419
Location: http://localhost:9090/vsphere-client
Impact: An attacker could determine information about your internal network structure from information in http headers.


Seems like there is some sort of http hearer leak of some kind. I was flagged for a few other vCenter items on port 9090 but I was able to find a VMware KB article which states that "there is no potential to obtain sensitive data from this exploit". I realize that port 9090 and 9443 is needed for the Web Client. Anyone have any info on this?? Thanks a lot.
0
Comment
Question by:cb_it
2 Comments
 
LVL 28

Accepted Solution

by:
asavener earned 500 total points
ID: 39821749
Connecting to the server on 9090 should just redirect you to the SSL-protected site (on port 9443).

If you were actually administering the server over 9090, then a bad guy could sniff your username and password.

Since it's just a redirection, no sensitive information is exposed.
0
 
LVL 117
ID: 39821930
AS it's a vCenter Application, or possibly Apache Web Engine, are you running the latest vCenter Server for 5.1.

if you are, you would need to discuss this security issues with VMware Support for Guidance, if they believe it is a security threat, and could be a false postiive provided by the scanner,
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
VM or Imaging options for a computer 4 69
vswitch question 6 43
Adding JBOD to a VMware host 2 35
Recreate datastore 7 49
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
HOW TO: Connect to the VMware vSphere Hypervisor 6.5 (ESXi 6.5) using the vSphere (HTML5 Web) Host Client 6.5, and perform a simple configuration task of adding a new VMFS 6 datastore.
Teach the user how to install and configure the vCenter Orchestrator virtual appliance Open vSphere Web Client: Deploy vCenter Orchestrator virtual appliance OVA file: Verify vCenter Orchestrator virtual appliance boots successfully: Connect to the …
Teach the user how to use vSphere Update Manager to update the VMware Tools and virtual machine hardware version Open vSphere Client: Review manual processes for updating VMware Tools and virtual hardware versions: Create a new baseline group in vSp…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

25 Experts available now in Live!

Get 1:1 Help Now