I believe they are false positives. I am just searching for "proof" to provide to person running sans.
On Thu, May 29, 2014 at 1:23 PM, Rob Crittenden <rcritten@redhat.com> wrote:
John Trump wrote:389-admin runs a separate instance of the system httpd.
> In /etc/dirsrv/admin-serv there is a httpd.conf file. Does the
> admin-serv use the httpd system rpm or does it use a http server
> distributed with the admin-serv rpm? If it is distributed with the
> admin-serv rpm than I would say the scan is saying that the
> vulnerabilities exist in that http server. The httpd rpm installed on
> the system is the latest httpd-2.2.15-30
I know nothing about this scanner but based on these logs it is just
doing server version string comparisons which are rather meaningless in
this context. There seems to be a lot of false-positives merely because
the Apache version is 2.2.
rob
> <mailto:nhosoi@redhat.com>> wrote:
>
> John Trump wrote:
>>
>> Does the admin server or admin console run a webserver?
>>
> Yes, the admin server depends upon httpd.
>
>> On May 29, 2014 11:59 AM, "Noriko Hosoi" <nhosoi@redhat.com
>> <mailto:nhosoi@redhat.com>> wrote:
>>
>> Sorry, I don't know what the tool does. You may want to ask
>> the tool's provider the question.
>> Thanks.
>>
>> John Trump wrote:
>>>
>>> I am running RHEL 6. Why does the scan show the
>>> vulnerabilities on the port that directory administration
>>> server is using?
>>>
>>> On May 28, 2014 8:25 PM, "Noriko Hosoi" <nhosoi@redhat.com
>>>> Audit ID:6310Vul ID:N/A>>> <mailto:nhosoi@redhat.com>> wrote:
>>>
>>> Hello, as you mentioned, all of the CVEs are quite old
>>> (older than RHEL-6). For instance, the last one
>>> CVE-2009-1956 was fixed in apr-util-1.2.7-7.el5_3.1. As
>>> long as you use RHEL-6, the CVEs you listed are all
>>> fixed. Also, please note that the CVEs are all httpd
>>> related, not 389-ds.
>>>
>>> CVE:
>>> CVE-2008-0005
>>> CVE-2007-6388
>>> CVE-2007-6422
>>> CVE-2007-6420
>>> CVE-2007-5000
>>> CVE-2007-6421
>>> CVE-2008-1678
>>>
>>> CVE-2007-1862
>>> CVE-2007-3847
>>> CVE-2007-3304
>>> CVE-2006-5752
>>> CVE-2007-1863
>>>
>>> CVE-2009-1891
>>> CVE-2009-1955
>>> CVE-2009-1191
>>> CVE-2009-0023
>>> CVE-2009-1956
>>> CVE-2009-1195
>>> CVE-2009-1890
>>>
>>> John Trump wrote:
>>>> I have a system running 389-ds that was scanned using
>>>> retna. Retna showed vulnerabilities which are fairly
>>>> old. Can anyone confirm that these were fixed. Only
>>>> thing using port 9830 is the admin-serv. Below are the
>>>> rpm versions I have installed and the CVE's retna
>>>> supposidly detected.
>>>>
>>>> 389-adminutil-1.1.19-1.el6.x86_64
>>>> 389-ds-console-doc-1.2.6-1.el6.noarch
>>>> 389-admin-1.1.35-1.el6.x86_64
>>>> 389-admin-console-1.1.8-5.fc19.noarch
>>>> 389-console-1.1.7-1.el6.noarch
>>>> 389-ds-1.2.2-1.el6.noarch
>>>> 389-ds-base-libs-1.2.11.25-1.el6.x86_64
>>>> 389-ds-base-1.2.11.25-1.el6.x86_64
>>>> 389-dsgw-1.1.11-1.el6.x86_64
>>>> 389-ds-console-1.2.6-1.el6.noarch
>>>> 389-admin-console-doc-1.1.8-5.fc19.noarch
>>>>
>>>> Risk Level:Medium>>>> Audit ID:6059Vul ID:N/A
>>>> Sev Code:Category II
>>>> PCI Level:Medium (Fail) - CVSS Score
>>>> CVSS Score:5 [AV:N/AC:L/Au:N/C:N/I:N/A:P]
>>>> BugTraq ID27234,26838,27236,27237
>>>> CVE:CVE-2008-0005,CVE-2007-6388,CVE-2007-6422,CVE-2007-64
>>>> 20,CVE-2007-5000,CVE-2007-6421,CVE-2008-1678
>>>> CCE:N/A
>>>> Exploit:No
>>>> IAV:N/A
>>>> STIG:
>>>> Context:TCP:9830
>>>> Result:Success
>>>> Tested Value:BR T WB Server:
>>>> (Apache(\([[]^)]*\))?/((2\.((2(\.[[]0-7])?)|(0(\.([[]1-5]?[[]0-9]|6[[]0-2]))
>>>> ?)|(1(\..*)?)))|(1\.((3(\.([[]1-3]?[[]0-9]|40))?)|([[]0-2](\..*)?)))|(0+\..*))
>>>> ($|[[]^0-9.]([[]^(]*\([[]^R][[]^)]*\))*[[]^()]*$))
>>>> Found Value:Server: Apache/2.2##Content-Length:
>>>> 301##Connection:
>>>> close##Content-Type: text/html;
>>>> charset[=]iso-8859-1####<!DOCTYPE HTML PUBLIC
>>>> "-//IETF//DTD HTML 2.0//EN">#<html><head>#<title>404 Not
>>>> Found</title>#</head><body>#<h1>Not Found</h1>
>>>> (truncated...)
>>>>
>>>> Risk Level:Medium>>>> Audit ID:9820Vul ID:N/A
>>>> Sev Code:Category II
>>>> PCI Level:Medium (Fail) - CVSS Score
>>>> CVSS Score:5 [AV:N/AC:L/Au:N/C:P/I:N/A:N]
>>>> BugTraq ID24215,24645,25489,24649,24553
>>>> CVE:CVE-2007-1862,CVE-2007-3847,CVE-2007-3304,CVE-2006-57
>>>> 52,CVE-2007-1863
>>>> CCE:N/A
>>>> Exploit:No
>>>> IAV:N/A
>>>> STIG:
>>>> Context:TCP:9830
>>>> Result:Success
>>>> Tested Value:RR T WB
>>>> (Apache(\([[]^)]*\))?/(2\.2(\.[[]0-5])?)($|[[]^0-9.]([[]^(]*\([[]^R][[]^)]*\)
>>>> )*[[]^()]*$))
>>>> Found Value:Apache/2.2
>>>>
>>>> Risk Level:Medium>>>> 389-users@lists.fedoraproject.org <mailto:389-users@lists.fedoraproject.org>
>>>> Sev Code:Category II
>>>> PCI Level:High (Fail) - CVSS Score
>>>> CVSS Score:7.8 [AV:N/AC:L/Au:N/C:N/I:N/A:C]
>>>> BugTraq ID35565,35253,35623,35251,34663,35221,35115
>>>> CVE:CVE-2009-1891,CVE-2009-1955,CVE-2009-1191,CVE-2009-00
>>>> 23,CVE-2009-1956,CVE-2009-1195,CVE-2009-1890
>>>> CCE:N/A
>>>> Exploit:Yes
>>>> IAV:N/A
>>>> STIG:
>>>> Context:TCP:9830
>>>> Result:Success
>>>> Tested
>>>> Value:APACHE(-ADVANCEDEXTRANETSERVER)?/2\.2(\.(1[[]01]|[[]0
>>>> -9])(\.[[]0-9]+)*)?($|[[]^0-9.])
>>>> Found Value:APACHE/2.2
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> 389 users mailing list
>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users>>> <mailto:389-users@lists.fedoraproject.org>
>>>
>>>
>>> --
>>> 389 users mailing list
>>> 389-users@lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/389-users>>> 389-users@lists.fedoraproject.org <mailto:389-users@lists.fedoraproject.org>
>>>
>>>
>>>
>>> --
>>> 389 users mailing list
>>> https://admin.fedoraproject.org/mailman/listinfo/389-users>> <mailto:389-users@lists.fedoraproject.org>
>>
>>
>> --
>> 389 users mailing list
>> 389-users@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users>> 389-users@lists.fedoraproject.org <mailto:389-users@lists.fedoraproject.org>
>>
>>
>>
>> --
>> 389 users mailing list
>> https://admin.fedoraproject.org/mailman/listinfo/389-users> <mailto:389-users@lists.fedoraproject.org>
>
>
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
>
>
>
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
No comments:
Post a Comment