Technical Note: [Accelops KB] Informational - What happens when I find Apache vulnerabilities with Accelops
Description
Summary of Topic
When you run a vulnerability scanner against Accelops, the scanner may report vulnerabilities in the current version of Accelops.
Example:
CVE-2011-3192 - Apache HTTP Server Byte Range DoS
CVE-2009-3555 - SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection
CVE-2012-0053 - Apache HTTP Server httpOnly Cookie Information Disclosure
CVE-2012-4929 - TLS CRIME Vulnerability
CVE-2012-4930 - TLS CRIME Vulnerability
The above Apache vulnerabilities are reported because of our current version of Apache (2.2.3), though there is no real danger in having them present. The Accelops Apache server only accepts connections from authenticated collectors, not from any machine on the internet.
Because of system OS dependencies, these upgrades will not be a simple task. Accelops plans to resolve these vulnerabilities when AO overhauls the system OS and upgrades to CentOS 6.3. Our current version of CentOS is 5.2.
Version Application
ALL