-
- Service Provider
- Posts: 880
- Liked: 164 times
- Joined: Aug 26, 2013 7:46 am
- Full Name: Bastiaan van Haastrecht
- Location: The Netherlands
VBA appliance vulnerable for multiple CVE's
Hello,
Our vulnerability scanner detects multiple issues with the VBA appliance nginx service. Could you please investigate.
CVE-2021-23017
CVE-2018-16843
CVE-2019-9511
CVE-2019-9513
CVE-2018-16844
Kind regards,
Bastiaan
======================================================
Veeam ProPartner, Service Provider and a proud Veeam Legend
-
- Product Manager
- Posts: 5797
- Liked: 1215 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
Re: VBA appliance vulnerable for multiple CVE's
Hi Bastiaan,
We are not immediately aware of any open issues as we perform regular checks as well. We’ll look into the ones listed.
Could you let us know which version you tested, 2 or 2a (build number)?
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
-
- Service Provider
- Posts: 880
- Liked: 164 times
- Joined: Aug 26, 2013 7:46 am
- Full Name: Bastiaan van Haastrecht
- Location: The Netherlands
Re: VBA appliance vulnerable for multiple CVE's
Hi Niels,
I'm on 2.0.0.337. I do have updates available and will process them now and retest afterwards.
======================================================
Veeam ProPartner, Service Provider and a proud Veeam Legend
-
- Service Provider
- Posts: 880
- Liked: 164 times
- Joined: Aug 26, 2013 7:46 am
- Full Name: Bastiaan van Haastrecht
- Location: The Netherlands
Re: VBA appliance vulnerable for multiple CVE's
I've run the updates, but still on 2.0.0.337.
Ran a new scan and the same CVE's are still active.
======================================================
Veeam ProPartner, Service Provider and a proud Veeam Legend
-
- Product Manager
- Posts: 5797
- Liked: 1215 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
Re: VBA appliance vulnerable for multiple CVE's
Hi Bastiaan,
Did you also install all the other related security updates via our updater UI? We have just verified this and if you install all the updates accordingly, you will have an Nginx version that has all of this resolved.
```
# apt-cache show nginx | grep Version
Version: 1.14.0-0ubuntu1.9
Version: 1.14.0-0ubuntu1
# lsb_release -a
Description: Ubuntu 18.04.5 LTS
Codename: bionic
```
According to the Ubuntu references the latest build 1.14.0-0ubuntu1.9 has all needed fixes for the specified CVEs.
```
[+] CVE-2021-23017
https://ubuntu.com/security/CVE-2021-23017
Ubuntu 18.04 LTS (Bionic Beaver) Released (1.14.0-0ubuntu1.9)
[+] CVE-2018-16843
https://ubuntu.com/security/CVE-2018-16843
Ubuntu 18.04 LTS (Bionic Beaver) Released (1.14.0-0ubuntu1.2)
[+] CVE-2019-9511
https://ubuntu.com/security/CVE-2019-9511
Ubuntu 18.04 LTS (Bionic Beaver) Released (1.14.0-0ubuntu1.4)
[+] CVE-2019-9513
https://ubuntu.com/security/CVE-2019-9513
Ubuntu 18.04 LTS (Bionic Beaver) Released (1.14.0-0ubuntu1.4)
[+] CVE-2018-16844
https://ubuntu.com/security/CVE-2018-16844
Ubuntu 18.04 LTS (Bionic Beaver) Released (1.14.0-0ubuntu1.2)
```
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
-
- Service Provider
- Posts: 880
- Liked: 164 times
- Joined: Aug 26, 2013 7:46 am
- Full Name: Bastiaan van Haastrecht
- Location: The Netherlands
Re: VBA appliance vulnerable for multiple CVE's
Apparently the vulnerability scanner does not detect the installed nginx version well enough. It detects:
```
The host carries the product: cpe:/a:nginx:nginx:1.14.0
```
While installed:
```
Version: 1.14.0-0ubuntu1.9
Version: 1.14.0-0ubuntu1.7
Version: 1.14.0-0ubuntu1
```
I have raised a ticket with the vulnerability scanner people. They need to determine if it's a CVE or scanner problem.
Thanks for checking!
======================================================
Veeam ProPartner, Service Provider and a proud Veeam Legend
-
- Product Manager
- Posts: 5797
- Liked: 1215 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
Re: VBA appliance vulnerable for multiple CVE's
Hi Bastiaan,
It's mostly a scanner problem from the looks of it. Ubuntu tends to resolve CVE's in a separate way for certain products compared to just updating the build number. Hopefully it helps for the improvement.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen