The Community Forums

PCI Compliance

Discussion in 'Security' started by RyanM, Sep 8, 2011.

  1. RyanM

    RyanM Member

    I've been asked by our IT department to address some security vulnerabilities on our server. Here are our specs:

    WHM 11.30.2 (build 1)
    CENTOS 5.6 x86_64 standard

    The first vulnerability in the list is about openssl.

    Do I need to upgrade to openssl 9.8r or does my version, 0.9e-12.7, include backports making it compliant? How can you tell?

    Code:
    root@naruto [~]# rpm --changelog -q openssl-0.9.8e-12.el5_5.7 | less
    * Tue Dec 07 2010 Tomas Mraz <tmraz@redhat.com> 0.9.8e-12.7
    - fix CVE-2010-4180 - completely disable code for
      SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (#659462)
    
    Thank you,
    Ryan
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

  3. RyanM

    RyanM Member

    Thank you for the reply and link.

    The PCI compliance scanning vendor includes multiple CVEs, the most recent being CVE-2011-1945. The changelog lists CVE-2010-4180 as its most recent CVE. Should I be concerned about the CVEs newer than CVE-2010-4180 that are not in my changelog?
     
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Hello RyanM,

    I'm confused: the return you show in your first post and the same return on my machine show it was patched for that exact CVE:

    Code:
    root@host [/]# rpm --changelog -q openssl-0.9.8e-12.el5_5.7 | grep CVE-2010-4180
    - fix CVE-2010-4180 - completely disable code for
    - fix CVE-2010-4180 - completely disable code for
    Did you mean a different CVE than that one?
     
  5. RyanM

    RyanM Member

    The scan references the following CVEs
    but my changelog doesn't include anything for the last two.
    Code:
    root@naruto [~]# rpm --changelog -q openssl-0.9.8e-12.el5_5.7 | grep -e CVE-2010-4252 -e CVE-2011-1945
    root@naruto [~]#
    Should I be concerned with that?
     
  6. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    For CVE-2010-4252, RedHat closed it as not a bug:

    https://bugzilla.redhat.com/show_bug.cgi?id=659297

    For CVE-2011-1945, again RedHat closed it as not a bug:

    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1945

    You would need to perform online research for these PCI compliance issues if the CVE isn't listed. If RedHat closes the CVE as not needing to be patched due to not being part of the version shipped, then the PCI compliance company should have dropped that CVE from being checked.

    Here is the direct link to search any CVE that isn't listed as patched for RedHat's bugzilla interface:

    https://bugzilla.redhat.com/query.cgi
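    As an added example (not posted by anyone in this thread, and not a cPanel or Red Hat tool), here is a small POSIX shell helper that automates the check Ryan and Tristan are doing by hand above: feed it the package changelog and a list of scanner-reported CVE ids, and it splits them into ids the changelog names (backport applied) and ids it does not name (the ones to look up in the vendor's bug tracker, as Tristan describes). The function names are mine, and the sample changelog is a constructed excerpt copied from the entry Ryan quoted; on a real host you would pipe in `rpm -q --changelog openssl` instead.

```shell
#!/bin/sh
# Added example, not from the thread: check which CVE ids a package's RPM
# changelog mentions. On a real host feed it the live changelog, e.g.
#   rpm -q --changelog openssl | cve_status CVE-2010-4180 CVE-2011-1945
# The function names and the sample text below are constructed for this example.

# Constructed sample changelog: the single entry quoted in Ryan's first post.
SAMPLE_CHANGELOG='* Tue Dec 07 2010 Tomas Mraz <tmraz@redhat.com> 0.9.8e-12.7
- fix CVE-2010-4180 - completely disable code for
  SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (#659462)'

# cve_in_changelog CVE-ID CHANGELOG-TEXT
# True when the id appears as a whole token. A plain substring grep would
# let a truncated id such as CVE-2010-418 match CVE-2010-4180, so the id
# must be bounded by non-digits (or line start/end) on both sides.
cve_in_changelog() {
    printf '%s\n' "$2" | grep -q -E "(^|[^0-9])$1([^0-9]|$)"
}

# cve_status CVE-ID... : reads the changelog on stdin and prints one line
# per id: "<id> patched" if the changelog names it, "<id> unlisted" if not.
# "unlisted" means "research it in the vendor's tracker", not "vulnerable":
# the vendor may have closed it as not affecting the shipped version.
cve_status() {
    changelog=$(cat)
    for cve in "$@"; do
        if cve_in_changelog "$cve" "$changelog"; then
            echo "$cve patched"
        else
            echo "$cve unlisted"
        fi
    done
}

# unlisted_cves CVE-ID... : same input, prints only the ids that still need
# follow-up, space separated on one line (handy for feeding a second step).
unlisted_cves() {
    changelog=$(cat)
    out=""
    for cve in "$@"; do
        cve_in_changelog "$cve" "$changelog" || out="$out${out:+ }$cve"
    done
    printf '%s\n' "$out"
}

# Demo on the constructed sample with the three ids discussed in the thread:
# CVE-2010-4180 is reported patched, the other two as unlisted.
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_status CVE-2010-4180 CVE-2010-4252 CVE-2011-1945
```

    The whole-token match matters because RPM changelogs are free text: a scanner id that is a prefix of another id would otherwise be reported as fixed. "unlisted" is deliberately not "vulnerable"; as the reply above explains, Red Hat may have closed the id as not applicable to the shipped code, and that decision lives in bugzilla, not in the changelog.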
     
  7. RyanM

    RyanM Member

    Thank you Tristan. I'm new to this PCI stuff. I appreciate the help.
     