PCI Fail - ISC Bind Version No Longer Supported

meljc

Registered
Jan 27, 2016
cPanel Access Level
Root Administrator
Hello,

I am running the latest version of WHM on a dedicated server and received a PCI Compliance failure. After running a PCI Compliance scan, the following is flagged:

Title: ISC BIND Unsupported Version Detection

Synopsis: The remote host is running an unsupported version of ISC BIND.

Impact: According to its self-reported version number, the installation of ISC BIND running on the remote name server is 9.8.x or earlier. It is, therefore, no longer supported. Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it is likely to contain security vulnerabilities.

Resolution: Upgrade to a version of ISC BIND that is currently supported.

Installed version: 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.5

Fixed version: 9.9.8 or higher
What is the best way to go about rectifying this issue?

Thanks
Mel

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
Since you are on RHEL/CentOS 6 (or so it seems) your OS is supported and should still be receiving updates.

Run a "yum update" from a root shell, ensure all packages are up to date. Then run this:

Code:
rpm -q --changelog bind > bind_changelog.txt
That text file should show that your bind version is up to date and received updates as recent as Dec 2015. Send the file to your PCI vendor and dispute the findings as your version is receiving backported security fixes.
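Added example, not from this thread or from cPanel: a small POSIX shell script that turns the output of the `rpm -q --changelog bind` command above into the two facts a PCI vendor usually asks for in a dispute, the date of the newest changelog entry and the CVE ids the backports reference. The sample changelog is constructed with placeholder CVE ids, and the function names are mine.

```shell
#!/bin/sh
# Summarise an RPM changelog (format of "rpm -q --changelog <pkg>") into
# dispute evidence: newest entry date and the CVE ids it mentions.
# Function names are assumptions for this example, not part of rpm.

# Constructed sample changelog; CVE ids are placeholders, not real advisories.
SAMPLE_CHANGELOG='* Tue Dec 15 2015 Packager <pkg@example.invalid> - 32:9.8.2-0.37.rc1.el6_7.5
- Fix CVE-0000-0002 (placeholder id)

* Mon Jul 20 2015 Packager <pkg@example.invalid> - 32:9.8.2-0.37.rc1.el6_7.3
- Fix CVE-0000-0001 (placeholder id)

* Wed Jan 14 2015 Packager <pkg@example.invalid> - 32:9.8.2-0.30.rc1.el6_6.3
- rebuild'

# Date of the newest entry: rpm prints entries newest first, each headed
# by a line "* <Dow> <Mon> <Day> <Year> <packager> - <version>".
latest_entry_date() {
    printf '%s\n' "$1" | awk '/^\* / { print $2, $3, $4, $5; exit }'
}

# Distinct CVE ids referenced anywhere in the changelog, one per line.
cve_ids() {
    printf '%s\n' "$1" | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Number of distinct CVE ids (tr strips the padding some wc builds emit).
cve_count() {
    cve_ids "$1" | wc -l | tr -d ' '
}

# Run the same summary against the installed package when rpm is present.
report_installed() {
    pkg="${1:-bind}"
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found" >&2; return 1; }
    log=$(rpm -q --changelog "$pkg") || return 1
    echo "Package: $(rpm -q "$pkg")"
    echo "Newest changelog entry: $(latest_entry_date "$log")"
    echo "CVE ids referenced ($(cve_count "$log")):"
    cve_ids "$log"
}
```

On the server itself, `report_installed bind` gives the summary; attach it together with the full `bind_changelog.txt` so the vendor can see the backport dates next to the unchanged 9.8.2 version string.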

meljc

Thanks Quizknows. I already did a yum update and the version was still the same. I'll try the other command. I think the issue is that the version I have is no longer supported, so even if there are security fixes, they want the next version 9.9.8 or higher.

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

You should be able to provide them the output of the RPM command to show that security patches have been backported to the existing version of Bind.

Thank you.

quizknows

We deal with this all the time with PCI vendors. They only look at the version number and not whether or not it's actively receiving backports. You just need the changelog to prove it to them. Do not try to change/upgrade the installed version beyond what yum update provides. This is standard with a lot of things on RHEL / CentOS including OpenSSH and OpenSSL, and you may have to do the same for those RPMs in the future.