Symptoms
Vulnerability scans might report the HTTP TRACE method on vCenter ports 9084 and 9087 as vulnerable.
Impact / Risks
Some third-party tools for vulnerability scans might report the HTTP TRACE method on vCenter ports 9084 and 9087 as vulnerable.
Resolution
This issue has been resolved in 7.0 U3o.
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u3o-release-notes/index.html#Resolved%20Issues-Security%20Issues
Workaround
Connect to vCenter through SSH and run the following steps:
1. Backup all the *.war files before editing them.
2. mkdir /tmp/war/
3. cp /usr/lib/vmware-updatemgr/bin/jetty/webapps/root.war /tmp/war/
4. cd /tmp/war/
5. unzip root.war
6. cd WEB-INF/
7. chmod 777 web.xml
8. Edit web.xml and ADD the below piece of code after <servlet-mapping>:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Restricted HTTP Methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
      </web-resource-collection>
      <auth-constraint />
    </security-constraint>

9. cd ..
10. zip -r -u root.war WEB-INF/
11. cp root.war /usr/lib/vmware-updatemgr/bin/jetty/webapps/
12. Clean /tmp/war with rm -rf /tmp/war/*
13. Repeat steps 3 to 12 for vum-filedownload.war and vum-fileupload.war
14. Restart updatemgr service using service-control --restart vmware-updatemgr
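The following Python check is an added example, not part of the original article or VMware tooling: it opens a WAR, reads WEB-INF/web.xml, and reports whether OPTIONS and TRACE fall under a deny-all security constraint on /*, which confirms the edit survived the re-zip. The function names and the in-memory sample WAR are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

METHODS = ("OPTIONS", "TRACE")  # the methods the workaround restricts

def local(tag):
    """Drop the XML namespace so any web.xml schema version is handled."""
    return tag.rsplit("}", 1)[-1]

def children(elem, name):
    return [c for c in elem if local(c.tag) == name]

def denied_methods(web_xml):
    """Return the HTTP methods covered by a deny-all constraint on /*."""
    denied = set()
    for sc in children(ET.fromstring(web_xml), "security-constraint"):
        auth = children(sc, "auth-constraint")
        # Only an auth-constraint with no role-name denies every caller.
        if not auth or any(children(a, "role-name") for a in auth):
            continue
        for wrc in children(sc, "web-resource-collection"):
            patterns = {(p.text or "").strip() for p in children(wrc, "url-pattern")}
            if "/*" in patterns:
                denied |= {(m.text or "").strip().upper()
                           for m in children(wrc, "http-method")}
    return denied

def check_war(war):
    """war: path or file object. Map each restricted method to True if denied."""
    with zipfile.ZipFile(war) as zf:
        denied = denied_methods(zf.read("WEB-INF/web.xml"))
    return {m: m in denied for m in METHODS}

def make_war(web_xml):
    """Build a constructed in-memory WAR holding only WEB-INF/web.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", web_xml)
    return buf

CONSTRAINT = """<security-constraint><web-resource-collection>
<web-resource-name>Restricted HTTP Methods</web-resource-name><url-pattern>/*</url-pattern>
<http-method>OPTIONS</http-method><http-method>TRACE</http-method>
</web-resource-collection><auth-constraint /></security-constraint>"""
TEMPLATE = '<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">{}</web-app>'  # constructed sample

if __name__ == "__main__":
    print("unpatched:", check_war(make_war(TEMPLATE.format(""))))
    print("patched:  ", check_war(make_war(TEMPLATE.format(CONSTRAINT))))
```

Pass check_war the path of each copied file, for example /usr/lib/vmware-updatemgr/bin/jetty/webapps/root.war; it inspects the archive only, so a rescan of ports 9084 and 9087 after the service restart remains the check on the live listener.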