SUMMARY
PCI Compliance Issues
ISSUE
The following table lists Apache and SSL-related vulnerabilities that may show up in a PCI compliance report, together with their resolutions.
| Vulnerability | Resolution |
|---|---|
| Apache HTTPD: HTTP Trailers processing bypass (CVE-2013-5704) | This affects systems running mod_cgid. To disable it, log in to the appliance and run `sudo a2dismod cgid`, then `sudo service apache2 restart`. If you need assistance accessing the VBA, contact support. |
| Apache HTTPD: mod_status buffer overflow (CVE-2014-0226) | Only vulnerable if the system has a public-facing IP (which is not recommended). |
| Apache HTTPD: XSS due to unescaped hostnames (CVE-2012-3499) | Only vulnerable if using mod_ldap (UVB does not use this). |
| Apache HTTPD: XSS in mod_proxy_balancer (CVE-2012-4558) | Only vulnerable if using mod_proxy_balancer (UVB does not use this). |
| OpenSSL SSL/TLS MITM vulnerability (CVE-2014-0224) | Upgrade OpenSSL to 1.0.1h. If you need assistance accessing the VBA, contact support. |
| TLS/SSL Server Supports RC4 Cipher Algorithms (CVE-2013-2566) | Only vulnerable if the system has a public-facing IP and 10 to the power of 24 active connections. |
| Apache HTTPD: insecure LD_LIBRARY_PATH handling (CVE-2012-0883) | Vulnerability requires a public IP and root. Root is not enabled on VBA v6.x. |
| Apache HTTPD: mod_rewrite log escape filtering (CVE-2013-1862) | Only vulnerable if using mod_rewrite with SSL enabled (SSL is not enabled on the VBA by default). |
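As an added example that is not part of this article, the following shell helper turns the table's preconditions into a check: it takes the text of `apache2ctl -M` and `openssl version` and reports which rows can apply. The module names and the 1.0.1h threshold come from the table; treating a loaded `ssl_module` as "SSL enabled" is an assumption, and the sample outputs are constructed.

```bash
# Added audit helper, not part of the original article. Given the text of
# `apache2ctl -M` and `openssl version`, it lists which table rows can apply.
# Module names and the 1.0.1h threshold come from the table; the sample
# outputs at the bottom are constructed for illustration.
# Return 0 if module $1 appears in the loaded-module listing $2.
has_module() { printf '%s\n' "$2" | grep -qw "$1"; }

# Print one "CVE: reason" line per table row whose module precondition holds.
# Rows that depend only on a public-facing IP cannot be judged from module
# output and are deliberately not reported here.
audit_modules() {
  local mods="$1"
  has_module cgid_module "$mods" &&
    echo "CVE-2013-5704: mod_cgid loaded (a2dismod cgid, then restart apache2)"
  has_module ldap_module "$mods" &&
    echo "CVE-2012-3499: mod_ldap loaded"
  has_module proxy_balancer_module "$mods" &&
    echo "CVE-2012-4558: mod_proxy_balancer loaded"
  # Per the table this row needs both mod_rewrite and SSL; ssl_module being
  # loaded is taken as "SSL enabled" (assumption).
  has_module rewrite_module "$mods" && has_module ssl_module "$mods" &&
    echo "CVE-2013-1862: mod_rewrite loaded with SSL enabled"
  return 0
}

# Return 0 if the `openssl version` string $1 is 1.0.1h or later: compare
# major.minor.patch numerically, then the letter suffix (1.0.1g < 1.0.1h < 1.0.2).
# Caveat: distributions that backport fixes without bumping the version
# string will look unfixed here; check the package changelog as well.
openssl_fixed() {
  printf '%s\n' "$1" | awk '
    function key(s,   v, patch, letter) {
      split(s, v, ".")
      patch = v[3]; sub(/[a-z].*$/, "", patch)
      letter = substr(v[3], length(patch) + 1, 1)
      return v[1]*1e9 + v[2]*1e6 + patch*1e3 + index("abcdefghijklmnopqrstuvwxyz", letter)
    }
    { if (key($2) >= key("1.0.1h")) exit 0; exit 1 }'
}

# Constructed sample inputs: a host with cgid still enabled and old OpenSSL.
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 ssl_module (shared)
 rewrite_module (shared)
 cgid_module (shared)'
SAMPLE_OPENSSL='OpenSSL 1.0.1g 7 Apr 2014'
audit_modules "$SAMPLE_MODULES"
openssl_fixed "$SAMPLE_OPENSSL" || echo "CVE-2014-0224: OpenSSL older than 1.0.1h, upgrade"
```

On a real appliance, replace the sample variables with `"$(apache2ctl -M 2>/dev/null)"` and `"$(openssl version)"`.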