8:54 a.m.
Carlos Oliva [https://community.jboss.org/people/ramboid] created the discussion
"JBOSS7: ASV Scan Report Attestation of Scan Compliance"
To view the discussion, visit: https://community.jboss.org/message/739038#739038
--------------------------------------------------------------
How should I report a problem with an attestation scan? ComplyGuard Networks ran a
security scan in a server running JBOSS7. Vulnerabilites were reported for the two ports
in whihc JBoss is listening (80 and 443). The attestation scan produced a pdf report that
I could post for further clarification.
The OS release is CentOS 5.7 (Final)
kernel 2.6.18-274.3.1.el5
jboss-as-7.0.2.Final
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/739038#739038]
Start a new discussion in Beginner's Corner at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
3:46 p.m.
New subject: [Beginner's Corner] - Re: JBOSS7: ASV Scan Report Attestation of Scan Compliance
Peter Johnson [https://community.jboss.org/people/peterj] created the discussion
"Re: JBOSS7: ASV Scan Report Attestation of Scan Compliance"
To view the discussion, visit: https://community.jboss.org/message/739433#739433
--------------------------------------------------------------
You are using a community release. Community releases are "developer friendly".
About the only security-related consideration for community edition is that by default it
connects to localhost, thus it will accept only traffic from that same PC. If you change
that, then *you have to lock it down*. So the fact that there are security alerts is
expected for a community release.
The EAP releases, on the other hand, are locked down out-of-the-box. If a security scanner
find problems with that, then I suspect the EAP team would want to hear about it .
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/739433#739433]
Start a new discussion in Beginner's Corner at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
8:16 p.m.
New subject: [Beginner's Corner] - Re: JBOSS7: ASV Scan Report Attestation of Scan Compliance
jaikiran pai [https://community.jboss.org/people/jaikiran] created the discussion
"Re: JBOSS7: ASV Scan Report Attestation of Scan Compliance"
To view the discussion, visit: https://community.jboss.org/message/739456#739456
--------------------------------------------------------------
For those who are watching this thread, Carlos has created a AS7 JIRA where this was
discussed https://issues.jboss.org/browse/AS7-4929
https://issues.jboss.org/browse/AS7-4929
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/739456#739456]
Start a new discussion in Beginner's Corner at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
6:52 a.m.
New subject: [Beginner's Corner] - Re: JBOSS7: ASV Scan Report Attestation of Scan Compliance
Carlos Oliva [https://community.jboss.org/people/ramboid] created the discussion
"Re: JBOSS7: ASV Scan Report Attestation of Scan Compliance"
To view the discussion, visit: https://community.jboss.org/message/739655#739655
--------------------------------------------------------------
Hi Peter,
Could you mention areas for locking down and getting rid of the error? Trying to identify
these areas, it has been impossible to reproduce the error with the information in the
error report. In AS7 JIRA (AS7-4929), Darran Lofthouse reported his attempts to reproduce
the error by issuing the requests that the report describes. My Systems Manager is tryign
to reach to the makers of the scanning tool and get more information. We are waiting for
their response. It is difficult to fathom what else should be locked without further
information.
Could this be "a false positive"? Darran explained to me that this error seems
to belong to a different server, and that given the information at hand, Darran thought
that it could be a "false positive". Moreover, a google search on the main
description of the error "myserver 1.2.0" revealed just one result for JBoss
with a different scanner and it was deemed to be a "false positive".
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/739655#739655]
Start a new discussion in Beginner's Corner at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
1:39 p.m.
New subject: [Beginner's Corner] - Re: JBOSS7: ASV Scan Report Attestation of Scan Compliance
Peter Johnson [https://community.jboss.org/people/peterj] created the discussion
"Re: JBOSS7: ASV Scan Report Attestation of Scan Compliance"
To view the discussion, visit: https://community.jboss.org/message/739779#739779
--------------------------------------------------------------
The information for locking down JBoss AS can be found at:
https://community.jboss.org/docs/DOC-12188 https://community.jboss.org/wiki/SecureJBoss
If the scanning tool is finding something beyond that, and the report it is giving you is
not clear, you'll have to find out from the scanning tools owner exactly what it is
looking at and what it is complaining about.
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/739779#739779]
Start a new discussion in Beginner's Corner at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
4562
days inactive
4566
days old
4 comments
3 participants
participants (3)
-
Carlos Oliva -
jaikiran pai
-
Peter Johnson