07-29-2011 08:16 AM
If so, how can I find out what version it is? A vulnerability scan of the device returned an "Obsolete version of Apache HTTPD" message and I need to find out if this is a false-positive, or if indeed it is true.
07-29-2011 08:32 AM
We are running Apache on our WAAS, but this vulnerability does not affect WAAS 4.1.x and later, since mod_proxy is not enabled in the Apache HTTP service that we deploy, so it is a false positive. Check this software bug: CSCth42280.
Best regards,
Ahmad
08-08-2011 10:55 AM
Hi Ahmad -
Thank you for your response. May I ask about a couple of other critical vulnerabilities that a PCI scan found on our upgraded WAAS devices? The devices are running version 4.3.5.
Here are the two highly critical vulnerabilities, each having a risk score of 225:
1: 3.1.2 OpenSSL bn_wexpand() memory allocation failure (ttp-openSSL-cve-2009-3245)
2: 3.1.5 OpenSSH Buffer Management Heap Overflow (ssh-openssh-buffer-heapoverflow)
Are these false positives also, or can they be remediated in any way?
Thanks -
Jim Keeffe | Network Engineering/Telecoms Consultant
IS Telecoms, Group Health Cooperative
206-901-6551 | CDS 600-6551
www.ghc.org
08-08-2011 01:50 PM
Hi,
Answers for you:
1: 3.1.2 OpenSSL bn_wexpand() memory allocation failure (ttp-openSSL-cve-2009-3245)
According to bug fix:
https://bugzilla.redhat.com/show_bug.cgi?id=570924#c2
One set of patches appear to be needed only if Elliptic Curve Public-Key Crypto is used and one patch if some specific crypto hardware is used. WAAS uses neither, so WAAS is not affected. DDTS CSCtg32685 was logged for this issue and will be left open to bring in this patch for a future version of WAAS to avoid any future concerns and questions.
DDTS:
2: 3.1.5 OpenSSH Buffer Management Heap Overflow (ssh-openssh-buffer-heapoverflow)
CVE: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0693 This was fixed before WAAS: CSCsw24026
Hope this helps.
Regards.
PS: If this answers your question, please mark this as Answered.
08-09-2011 07:47 AM
Hi Brian -
Thanks for the information. However, your link concerning the second vulnerability points to what looks to be another bug that doesn't relate to the vulnerability. Here is the symptom of that bug:
SSH Vulnerabilities found with Qualys scan
Symptom:
It has been found that the WAE 612 shows the following vulnerability.
This vulnerability is found only when SSH is enabled on the WAE.
SSH Protocol Version 1 Supported.
This is a false positive and device is not vulnerable.
Is this the right bug?
Jim Keeffe | Network Engineering/Telecoms Consultant
IS Telecoms, Group Health Cooperative
206-901-6551 | CDS 600-6551
www.ghc.org