All,
I apologize that it has taken me so long to post a follow-up on this problem.
Thank you to everyone on the list who provided input and especially to George
Theall for his support of this group! He was instrumental in helping me get
this one resolved.
We had a new server built and the primary application was Veritas NetBackup NOM.
There were several pcsync-https vulnerabilities found and what appeared to be
numerous false positives for cross-site scripting vulnerabilities (hope I said
that correctly).
In the end my co-worker responsible for the server worked with Veritas (now
Symantec). Their suggestion was to just change the port that the server was
running on. ...nice try! The issue was escalated at Veritas and that engineer
came back with the same answer. We tried it and the number of vulnerabilities
decreased slightly. But, it was only the "minors" that were no longer showing
up on the scans.
The final resolution did not come from Veritas. We were pretty sure that a
newer version of Apache needed to be used; but we were told that it was not
available from Veritas. They were not updating it and they didn't see why a
"cross site scripting vulnerability" in Apache was a problem for the
functionality of Veritas NetBackup. We could do it on our own but it would
void any support from Veritas for their product. Nice Catch-22!!
About two weeks ago my co-worker was looking on the Veritas website for
something else and saw that the build number on NOM had been incremented
although the version number had not. He downloaded it, uninstalled the old
version and installed the new version. BINGO! All of the vulnerabilities went
away. Checked the version of Apache installed with the newer build of the NOM
and it had been updated.
Thanks,
eric
_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus