Vulnerabilities in product

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
jacobriversiii
Posts: 11
Joined: Thu Nov 13, 2014 8:41 pm

Vulnerabilities in product

Post by jacobriversiii »

What is the plan to address the PHP and Apache vulnerabilities in the product? The attached image shows the results of a recent vulnerability scan with Nexpose against version 2015R1.3.
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: Vulnerabilities in product

Post by tmcdonald »

I'll address this post with three points:

1.) Any bugs found within our own code would be in-scope for what we can fix, but we neither maintain nor contribute to the PHP or Apache projects so we cannot provide patches or fixes to that software

2.) System-level maintenance is up to your sysadmin or security teams - our SLA doesn't apply to system-level changes, but we sometimes will make such changes if needed to ensure proper functioning of our software

3.) Scanner results must be taken with a grain of salt - they can yield a lot of false positives and edge-case vulnerabilities ("X function used with Y parameters on Z operating system causes a crash")

The results you posted are not necessarily specific to Log Server, but rather they reference for the most part the PHP and Apache stacks that are installed. You can update PHP and Apache, but make sure you follow proper backup procedures beforehand in case there are incompatibilities between newer versions of PHP/Apache and our software. Functions may be deprecated, modified, or renamed and break functionality.
Former Nagios employee
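An added example (not from either poster, and not Nagios code) of how a sysadmin might triage a scanner export along the lines of the reply above: split findings into those that touch the product's own code and those against the underlying PHP/Apache stack, and flag version-banner findings that need checking against the distro's backported patches before anyone upgrades. The CSV rows, column names, package versions and finding titles are all constructed for illustration and do not imitate Nexpose's real export format.

```python
"""Triage a vulnerability-scanner export: who owns each finding, and which
version-banner findings need manual verification before action.

Constructed example: the CSV rows and installed-package list are made up;
column names imitate a generic scanner export, not Nexpose's actual schema.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed scanner export (not real scan output). "fixed_in" is the
# upstream version the scanner believes closes the finding.
SCAN_CSV = """\
id,title,service,installed_version,fixed_in,evidence
SCAN-001,PHP outdated version,php,5.3.3,5.6.10,banner
SCAN-002,Apache HTTPD outdated version,httpd,2.2.15,2.4.12,banner
SCAN-003,Constructed product-code finding,nagioslogserver,,,request
SCAN-004,Apache ETag inode disclosure,httpd,2.2.15,,response-header
"""

# Constructed package inventory, like `rpm -q` output on a RHEL/CentOS box.
# A distro release suffix ("-48.el6") hints that the vendor backports fixes
# without bumping the upstream version number the scanner reads.
INSTALLED = {
    "php": "5.3.3-48.el6",
    "httpd": "2.2.15-47.el6",
}

# Components owned by the product vendor versus by the OS/system team.
PRODUCT_COMPONENTS = {"nagioslogserver"}
SYSTEM_COMPONENTS = {"php", "httpd"}


def parse_version(v):
    """Return (upstream_tuple, distro_release) for strings like 5.3.3-48.el6."""
    upstream, _, release = v.partition("-")
    nums = tuple(int(p) for p in re.findall(r"\d+", upstream))
    return nums, release


def classify(row):
    """Decide who owns the finding and whether it needs manual verification."""
    svc = row["service"]
    if svc in PRODUCT_COMPONENTS:
        owner = "vendor"
    elif svc in SYSTEM_COMPONENTS:
        owner = "system"
    else:
        owner = "unknown"

    note = "actionable"
    if row["evidence"] == "banner" and svc in INSTALLED:
        installed, release = parse_version(INSTALLED[svc])
        fixed = parse_version(row["fixed_in"])[0] if row["fixed_in"] else ()
        if fixed and installed < fixed:
            # Banner is older than the upstream fix, but a distro release tag
            # means the fix may already be backported: check the changelog
            # (e.g. `rpm -q --changelog`) before scheduling an upgrade.
            note = "verify-backport" if release else "upgrade"
        else:
            note = "likely-false-positive"
    return owner, note


def triage(csv_text):
    """Group scanner rows by owner; each entry is (id, title, note)."""
    buckets = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        owner, note = classify(row)
        buckets[owner].append((row["id"], row["title"], note))
    return dict(buckets)


if __name__ == "__main__":
    for owner, items in triage(SCAN_CSV).items():
        print(f"== {owner} ==")
        for fid, title, note in items:
            print(f"  {fid}: {title} [{note}]")
```

The "verify-backport" bucket is the one the reply's third point is about: a scanner that only reads a version banner cannot tell a patched distro package from an unpatched one, so those rows go to the package changelog rather than straight to an upgrade ticket, and anything that does warrant an upgrade is done only after the backup the reply recommends.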