Penetration test False-Positive Security Vulnerability warnings

Version 2

    Verified Product Versions

    AppSense DataNow 3.6, AppSense DataNow 3.5, AppSense DataNow 3.0, AppSense DataNow 4.0, AppSense DataNow 4.1, AppSense Insight 10.0, AppSense Insight 1.3, AppSense Insight 1.4, AppSense DataNow 4.2, AppSense File Director 4.3

    Introduction

    The following CVE references may be flagged against DataNow or Insight following a penetration test. These have been investigated by our development team who have deemed that they do not present a security risk to our platform:

    CVE-2004-0230 - TCP Sequence Number Approximation Based Denial of Service affecting SSH

    CVE-2015-3194 - Certificate verify crash with missing PSS parameter - OpenSSL vulnerability in 1.0.2d

    CVE-2015-3196 - Race condition handling PSK identify hint - OpenSSL vulnerability in 1.0.2d

    CVE-2015-1794 - Anon DH ServerKeyExchange with 0 p parameter - OpenSSL vulnerability in 1.0.2d

    CVE-2016-3115 - OpenSSH Xauth Command Injection Vulnerability

    CVE-2014-0231 - Apache HTTP Server before 2.4.10 does not have a Timeout Mechanism

    CVE-2013-5704 - Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives

    CVE-2014-0118 - Apache HTTP Server before 2.4.10 request body decompression is enabled

    CVE-2016-1238 - FreeBSD : perl -- local arbitrary code execution

    CVE-2016-5419, CVE-2016-5420, CVE-2016-5421, CVE-2016-8615, CVE-2016-8616, CVE-2016-8617, CVE-2016-8618, CVE-2016-8619, CVE-2016-8620, CVE-2016-8621, CVE-2016-8622, CVE-2016-8623, CVE-2016-8624, CVE-2016-8625 - FreeBSD : Vulnerabilities in Curl

    CVE-2016-7167 - FreeBSD : cURL -- Escape and unescape integer overflows

    CVE-2016-8745 - FreeBSD : tomcat -- information disclosure vulnerability

    CVE-2017-3732 - FreeBSD : OpenSSL -- BN_mod_exp may produce incorrect results on x86_64

    Detail

    The above security warnings can be safely ignored.