I have a system running 389-ds that was scanned using Retna. Retna showed vulnerabilities which are fairly old. Can anyone confirm that these were fixed? The only thing using port 9830 is the admin-serv. Below are the rpm versions I have installed and the CVEs Retna supposedly detected.
389-adminutil-1.1.19-1.el6.x86_64
389-ds-console-doc-1.2.6-1.el6.noarch
389-admin-1.1.35-1.el6.x86_64
389-admin-console-1.1.8-5.fc19.noarch
389-console-1.1.7-1.el6.noarch
389-ds-1.2.2-1.el6.noarch
389-ds-base-libs-1.2.11.25-1.el6.x86_64
389-ds-base-1.2.11.25-1.el6.x86_64
389-dsgw-1.1.11-1.el6.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-admin-console-doc-1.1.8-5.fc19.noarch
Audit ID: 6310 | Vul ID: N/A | Risk Level: Medium | Sev Code: Category II | PCI Level: Medium (Fail) | CVSS Score: 5 [AV:N/AC:L/Au:N/C:N/I:N/A:P]
BugTraq ID: 27234, 26838, 27236, 27237
CVE: CVE-2008-0005, CVE-2007-6388, CVE-2007-6422, CVE-2007-6420, CVE-2007-5000, CVE-2007-6421, CVE-2008-1678
CCE: N/A | Exploit: No | IAV: N/A | STIG: | Context: TCP:9830 | Result: Success
Tested Value: BR T WB Server: (Apache(\([[]^)]*\))?/((2\.((2(\.[[]0-7])?)|(0(\.([[]1-5]?[[]0-9]|6[[]0-2]))?)|(1(\..*)?)))|(1\.((3(\.([[]1-3]?[[]0-9]|40))?)|([[]0-2](\..*)?)))|(0+\..*))($|[[]^0-9.]([[]^(]*\([[]^R][[]^)]*\))*[[]^()]*$))
Found Value: Server: Apache/2.2##Content-Length: 301##Connection: close##Content-Type: text/html; charset[=]iso-8859-1####<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">#<html><head>#<title>404 Not Found</title>#</head><body>#<h1>Not Found</h1> (truncated...)

Audit ID: 6059 | Vul ID: N/A | Risk Level: Medium | Sev Code: Category II | PCI Level: Medium (Fail) | CVSS Score: 5 [AV:N/AC:L/Au:N/C:P/I:N/A:N]
BugTraq ID: 24215, 24645, 25489, 24649, 24553
CVE: CVE-2007-1862, CVE-2007-3847, CVE-2007-3304, CVE-2006-5752, CVE-2007-1863
CCE: N/A | Exploit: No | IAV: N/A | STIG: | Context: TCP:9830 | Result: Success
Tested Value: RR T WB (Apache(\([[]^)]*\))?/(2\.2(\.[[]0-5])?)($|[[]^0-9.]([[]^(]*\([[]^R][[]^)]*\))*[[]^()]*$))
Found Value: Apache/2.2

Audit ID: 9820 | Vul ID: N/A | Risk Level: Medium | Sev Code: Category II | PCI Level: High (Fail) | CVSS Score: 7.8 [AV:N/AC:L/Au:N/C:N/I:N/A:C]
BugTraq ID: 35565, 35253, 35623, 35251, 34663, 35221, 35115
CVE: CVE-2009-1891, CVE-2009-1955, CVE-2009-1191, CVE-2009-0023, CVE-2009-1956, CVE-2009-1195, CVE-2009-1890
CCE: N/A | Exploit: Yes | IAV: N/A | STIG: | Context: TCP:9830 | Result: Success
Tested Value: APACHE(-ADVANCEDEXTRANETSERVER)?/2\.2(\.(1[[]01]|[[]0-9])(\.[[]0-9]+)*)?($|[[]^0-9.])
Found Value: APACHE/2.2
Hello, as you mentioned, all of the CVEs are quite old (older than RHEL-6). For instance, the last one CVE-2009-1956 was fixed in apr-util-1.2.7-7.el5_3.1. As long as you use RHEL-6, the CVEs you listed are all fixed. Also, please note that the CVEs are all httpd related, not 389-ds.
CVE: CVE-2008-0005 CVE-2007-6388 CVE-2007-6422 CVE-2007-6420 CVE-2007-5000 CVE-2007-6421 CVE-2008-1678
CVE-2007-1862 CVE-2007-3847 CVE-2007-3304 CVE-2006-5752 CVE-2007-1863
CVE-2009-1891 CVE-2009-1955 CVE-2009-1191 CVE-2009-0023 CVE-2009-1956 CVE-2009-1195 CVE-2009-1890
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
I am running RHEL 6. Why does the scan show the vulnerabilities on the port that the directory administration server is using?

On May 28, 2014 8:25 PM, "Noriko Hosoi" nhosoi@redhat.com wrote:
Hello, as you mentioned, all of the CVEs are quite old (older than RHEL-6). For instance, the last one CVE-2009-1956 was fixed in apr-util-1.2.7-7.el5_3.1. As long as you use RHEL-6, the CVEs you listed are all fixed. Also, please note that the CVEs are all httpd related, not 389-ds.
Sorry, I don't know what the tool does. You may want to ask the tool's provider the question. Thanks.
John Trump wrote:
I am running RHEL 6. Why does the scan show the vulnerabilities on the port that directory administration server is using?
Does the admin server or admin console run a webserver?

On May 29, 2014 11:59 AM, "Noriko Hosoi" nhosoi@redhat.com wrote:
Sorry, I don't know what the tool does. You may want to ask the tool's provider the question. Thanks.
John Trump wrote:
Does the admin server or admin console run a webserver?
Yes, the admin server depends upon httpd.
In /etc/dirsrv/admin-serv there is an httpd.conf file. Does the admin-serv use the system httpd rpm, or does it use an http server distributed with the admin-serv rpm? If it is distributed with the admin-serv rpm, then I would say the scan is saying that the vulnerabilities exist in that http server. The httpd rpm installed on the system is the latest, httpd-2.2.15-30.
On Thu, May 29, 2014 at 12:28 PM, Noriko Hosoi nhosoi@redhat.com wrote:
John Trump wrote:
Does the admin server or admin console run a webserver?
Yes, the admin server depends upon httpd.
John Trump wrote:
In /etc/dirsrv/admin-serv there is a httpd.conf file. Does the admin-serv use the httpd system rpm or does it use a http server distributed with the admin-serv rpm? If it is distributed with the admin-serv rpm than I would say the scan is saying that the vulnerabilities exist in that http server. The httpd rpm installed on the system is the latest httpd-2.2.15-30
389-admin runs a separate instance of the system httpd.
I know nothing about this scanner, but based on these logs it is just doing server version string comparisons, which are rather meaningless in this context. There seem to be a lot of false positives merely because the Apache version is 2.2.
rob
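Rob's point is that a banner such as "Apache/2.2" says nothing about backported fixes, so the evidence that a cited CVE is closed lives in the package changelog, not in the version string. The script below is an added example, not code from the thread or from the 389 project: it pulls the CVE IDs out of scanner output in the field layout shown above and reports which of them are named in a package changelog. The scanner excerpt and the changelog are constructed samples; on a RHEL 6 host you would replace CHANGELOG with the output of `rpm -q --changelog httpd apr apr-util`. It assumes a grep that supports -F and -w together (GNU grep does).

```bash
#!/bin/bash
# Added example (not from the thread): cross-check the CVE IDs a scanner
# cites against the changelog of the package that actually serves the port.

# Constructed sample scanner output, same field layout as the Retna report
# in the thread, CVE lists shortened.
SCAN_REPORT='Audit ID: 9820 CVE: CVE-2009-1891,CVE-2009-1956,CVE-2009-1890 Context: TCP:9830 Found Value: APACHE/2.2
Audit ID: 6059 CVE: CVE-2007-1862,CVE-2007-3847 Context: TCP:9830 Found Value: Apache/2.2'

# Constructed sample changelog excerpt (NOT real rpm output). Real Red Hat
# changelog entries name the CVE in the same CVE-YYYY-NNNN form, so the
# matching below works unchanged on `rpm -q --changelog` output.
CHANGELOG='* Tue Jul 14 2009 Example Maintainer <maint@example.invalid> - 2.2.3-31
- add security fix for CVE-2009-1891
- add security fix for CVE-2009-1890
* Thu Sep 06 2007 Example Maintainer <maint@example.invalid> - 2.2.3-11
- add security fixes for CVE-2007-1862, CVE-2007-3847'

# Print the unique CVE IDs found in the text on stdin, one per line, sorted.
extract_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Print "fixed" when the CVE is named in the changelog text, otherwise
# "unverified". -w keeps CVE-2009-1890 from matching a longer ID that merely
# starts with the same digits.
cve_status() {
    local cve="$1" changelog="$2"
    if printf '%s\n' "$changelog" | grep -qFw -- "$cve"; then
        echo fixed
    else
        echo unverified
    fi
}

# One line per scanner CVE: "<cve> fixed|unverified". Always returns 0 so the
# caller decides how to treat the unverified entries.
report() {
    local scan="$1" changelog="$2" cve
    printf '%s\n' "$scan" | extract_cves | while read -r cve; do
        printf '%s %s\n' "$cve" "$(cve_status "$cve" "$changelog")"
    done
    return 0
}

# Number of scanner CVEs that this changelog does not account for; those still
# need evidence from another package's changelog or from an erratum.
unverified_count() {
    report "$1" "$2" | grep -c ' unverified$' || true
}

# Stand-alone run: show the cross-check for the constructed samples.
report "$SCAN_REPORT" "$CHANGELOG"
```

With the constructed data, CVE-2009-1956 comes back "unverified" even though Noriko said it was fixed: the sample changelog covers only the httpd package, and she placed that fix in apr-util. That is the practical lesson for the "proof" John is after: gather the changelogs of every package behind the admin server's httpd instance (httpd, apr, apr-util) before calling a finding a false positive, and confirm which binary is listening on 9830 with `rpm -qf` on the process's executable.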
I believe they are false positives. I am just searching for "proof" to provide to the person running the scans.
On Thu, May 29, 2014 at 1:23 PM, Rob Crittenden rcritten@redhat.com wrote:
John Trump wrote:
In /etc/dirsrv/admin-serv there is a httpd.conf file. Does the admin-serv use the httpd system rpm or does it use a http server distributed with the admin-serv rpm? If it is distributed with the admin-serv rpm than I would say the scan is saying that the vulnerabilities exist in that http server. The httpd rpm installed on the system is the latest httpd-2.2.15-30
389-admin runs a separate instance of the system httpd.
I know nothing about this scanner but based on these logs it is just doing server version string comparisons which are rather meaningless in this context. There seems to be a lot of false-positives merely because the Apache version is 2.2.
rob
On Thu, May 29, 2014 at 12:28 PM, Noriko Hosoi <nhosoi@redhat.com> wrote:
John Trump wrote:
Does the admin server or admin console run a webserver?
Yes, the admin server depends upon httpd.
On May 29, 2014 11:59 AM, "Noriko Hosoi" <nhosoi@redhat.com> wrote:
Sorry, I don't know what the tool does. You may want to ask the tool's provider the question. Thanks.
John Trump wrote:
I am running RHEL 6. Why does the scan show the vulnerabilities on the port that directory administration server is using?
On May 28, 2014 8:25 PM, "Noriko Hosoi" <nhosoi@redhat.com> wrote:
Hello, as you mentioned, all of the CVEs are quite old (older than RHEL-6). For instance, the last one CVE-2009-1956 was fixed in apr-util-1.2.7-7.el5_3.1. As long as you use RHEL-6, the CVEs you listed are all fixed. Also, please note that the CVEs are all httpd related, not 389-ds.
CVE: CVE-2008-0005 CVE-2007-6388 CVE-2007-6422 CVE-2007-6420 CVE-2007-5000 CVE-2007-6421 CVE-2008-1678 CVE-2007-1862 CVE-2007-3847 CVE-2007-3304 CVE-2006-5752 CVE-2007-1863 CVE-2009-1891 CVE-2009-1955 CVE-2009-1191 CVE-2009-0023 CVE-2009-1956 CVE-2009-1195 CVE-2009-1890
John Trump wrote:
On 5/29/2014 11:27 AM, John Trump wrote:
I believe they are false positives. I am just searching for "proof" to provide to person running sans.
If it were really testing for the vulnerabilities it would have to be presenting requests that exploit them and checking the desired outcome (for example that it can crash the httpd process). You could look for evidence of such activity using tcpdump, and also in the httpd access logs.
With the answer Rob gave of "389-admin runs a separate instance of the system httpd" I think this should be proof enough that the hits are false positives. I can show that I have the latest update installed from Red Hat.
I appreciate everyone's help.
On 5/29/2014 11:33 AM, John Trump wrote:
With the answer Rob gave of "389-admin runs a separate instance of the system httpd" I think this should be proof enough that the hits are false positives. I can show that I have the latest update installed from Red Hat.
I wouldn't take his word for it ;)
Identify the process listening on the port using netstat -nlp then use lsof -p to verify the location of that process' binary files. Check that those files came from the system httpd package.
David Boreham wrote:
On 5/29/2014 11:33 AM, John Trump wrote:
With the answer Rob gave of "389-admin runs a separate instance of the system httpd" I think this should be proof enough that the hits are false positives. I can show that I have the latest update installed from Red Hat.
I wouldn't take his word for it ;)
Hey now!
Identify the process listening on the port using netstat -nlp then use lsof -p to verify the location of that process' binary files. Check that those files came from the system httpd package.
You can optionally set ServerTokens to Prod in the admin server httpd.conf and restart the server, then re-run the scanner. That should make the version-based errors go away (or it could make matters worse). See http://httpd.apache.org/docs/2.2/mod/core.html#servertokens
rob
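The netstat/lsof check David describes and the version-string matching behind Rob's ServerTokens suggestion, as an added shell example that is not part of this thread. It assumes netstat, rpm and /proc are available on the live host, parses a constructed netstat sample so the parsing runs offline, and reduces Audit 6059's tested value to its version part.

```shell
#!/bin/sh
# Added example, not from the thread: the netstat/lsof check above, plus a
# look at why a banner-only scanner fires. Assumed commands: netstat, rpm.
# Constructed sample of `netstat -nlp` output so the parsing runs offline.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      1201/ns-slapd
tcp        0      0 0.0.0.0:9830            0.0.0.0:*               LISTEN      1345/httpd.worker
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1102/master'

# listener_pid PORT NETSTAT_OUTPUT: PID of the LISTEN socket bound to PORT
listener_pid() {
    printf '%s\n' "$2" | awk -v port="$1" \
        '$6 == "LISTEN" && $4 ~ (":" port "$") { split($7, p, "/"); print p[1]; exit }'
}

# listener_program PORT NETSTAT_OUTPUT: program name netstat shows for it
listener_program() {
    printf '%s\n' "$2" | awk -v port="$1" \
        '$6 == "LISTEN" && $4 ~ (":" port "$") { sub(/^[0-9]+\//, "", $7); print $7; exit }'
}

# check_port_owner PORT: live check (needs root). /proc/PID/exe stands in for
# lsof -p; rpm -qf names the package that shipped the binary.
check_port_owner() {
    live=$(netstat -nlp 2>/dev/null) || { echo "netstat -nlp failed"; return 1; }
    pid=$(listener_pid "$1" "$live")
    [ -n "$pid" ] || { echo "nothing listening on TCP port $1"; return 1; }
    exe=$(readlink "/proc/$pid/exe")
    echo "port $1 -> pid $pid -> $exe"
    rpm -qf "$exe"     # expect the system httpd package, e.g. httpd-2.2.15-30
}

# Audit 6059's test, reduced to its version part: a banner that carries no
# patch level is treated as 2.2.0..2.2.5, which is why "Apache/2.2" is flagged.
SCANNER_6059='Apache/2\.2(\.[0-5])?($|[^0-9.])'
banner_flagged() { printf '%s\n' "$1" | grep -Eq "$SCANNER_6059"; }
```

Run `check_port_owner 9830` as root on the host; `banner_flagged "Apache/2.2"` succeeds while `banner_flagged "Apache/2.2.15"` and `banner_flagged "Apache"` (the ServerTokens Prod banner) do not.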
Verified the process running is using system httpd:
/usr/sbin/httpd.worker -k start -f /etc/dirsrv/admin-serv/httpd.conf
httpd.worker is provided by system httpd rpm.