4 Replies Latest reply on Jun 4, 2012 2:39 PM by peterj

    JBOSS7: ASV Scan Report Attestation of Scan Compliance

    ramboid

      How should I report a problem with an attestation scan?  ComplyGuard Networks ran a security scan on a server running JBOSS7.  Vulnerabilities were reported for the two ports on which JBoss is listening (80 and 443).  The attestation scan produced a PDF report that I could post for further clarification.


      The OS release is CentOS 5.7  (Final)

      kernel  2.6.18-274.3.1.el5

      jboss-as-7.0.2.Final

        • 1. Re: JBOSS7: ASV Scan Report Attestation of Scan Compliance
          peterj

          You are using a community release. Community releases are "developer friendly". About the only security-related consideration for the community edition is that by default it binds to localhost, thus it will accept only traffic from that same PC. If you change that, then you have to lock it down. So the fact that there are security alerts is expected for a community release.


          The EAP releases, on the other hand, are locked down out-of-the-box. If a security scanner finds problems with that, then I suspect the EAP team would want to hear about it.

          • 2. Re: JBOSS7: ASV Scan Report Attestation of Scan Compliance
            jaikiran

            For those who are watching this thread, Carlos has created an AS7 JIRA where this was discussed: https://issues.jboss.org/browse/AS7-4929

            • 3. Re: JBOSS7: ASV Scan Report Attestation of Scan Compliance
              ramboid

              Hi Peter,

              Could you mention areas for locking down and getting rid of the error?  Trying to identify these areas, it has been impossible to reproduce the error with the information in the error report.  In the AS7 JIRA (AS7-4929), Darran Lofthouse reported his attempts to reproduce the error by issuing the requests that the report describes.  My Systems Manager is trying to reach the makers of the scanning tool and get more information.  We are waiting for their response.  It is difficult to fathom what else should be locked without further information.


              Could this be "a false positive"?  Darran explained to me that this error seems to belong to a different server, and that, given the information at hand, he thought that it could be a "false positive".  Moreover, a Google search on the main description of the error, "myserver 1.2.0", revealed just one result for JBoss with a different scanner, and it was deemed to be a "false positive".

              • 4. Re: JBOSS7: ASV Scan Report Attestation of Scan Compliance
                peterj

                The information for locking down JBoss AS can be found at: https://community.jboss.org/wiki/SecureJBoss

                If the scanning tool is finding something beyond that, and the report it is giving you is not clear, you'll have to find out from the scanning tool's owner exactly what it is looking at and what it is complaining about.