Penetration test False-Positive Security Vulnerability warnings

Version 2

    Verified Product Versions

    File Director 3.6File Director 3.5File Director 3.0File Director 4.0File Director 4.1Insight 10.0Insight 1.3Insight 1.4File Director 4.2File Director 4.3


    The following CVE references may be flagged against DataNow or Insight following a penetration test. These have been investigated by our development team who have deemed that they do not present a security risk to our platform:




    CVE-2004-0230 - TCP Sequence Number Approximation Based Denial of Service affecting SSH


    CVE-2015-3194 - Certificate verify crash with missing PSS parameter - OpenSSL vulnerability in 1.0.2d


    CVE-2015-3196 - Race condition handling PSK identify hint - OpenSSL vulnerability in 1.0.2d


    CVE-2015-1794 - Anon DH ServerKeyExchange with 0 p parameter - OpenSSL vulnerability in 1.0.2d


    CVE-2016-3115 - OpenSSH Xauth Command Injection Vulnerability


    CVE-2014-0231 - Apache HTTP Server before 2.4.10 does not have a Timeout Mechanism


    CVE-2013-5704 - Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives


    CVE-2014-0118 - Apache HTTP Server before 2.4.10 request body decompression is enabled


    CVE-2016-1238 - FreeBSD : perl -- local arbitrary code execution



    - FreeBSD : Vulnerabilities in Curl


    CVE-2016-7167 - FreeBSD : cURL -- Escape and unescape integer overflows


    CVE-2016-8745 - FreeBSD : tomcat -- information disclosure vulnerability


    CVE-2017-3732 - FreeBSD : OpenSSL -- BN_mod_exp may produce incorrect results on x86_64





    The above security warnings can be safely ignored