Overview
Your security specialist has run a security scan against your environment and has reported several vulnerabilities. You want to address them but are uncertain which of the flagged packages are related to Xinet and which can be safely disabled or updated.
Security findings from your specialist usually appear as Common Vulnerabilities and Exposures (CVE) identifiers of the form CVE-<year>-<number>, for example CVE-1234-5678. Each identifier links to an entry in the CVE List describing the publicly reported vulnerability in a particular software package. Many security audit tools and providers also include suggested remediation steps, such as updating the affected package.
Solution
As new releases of Xinet are published, they will often include fixes to security concerns that have been identified from past releases. As such, it is suggested that you take steps to Upgrade Xinet to the latest release whenever possible.
In many cases, the reported vulnerabilities can be traced back to 3rd-party packages that Xinet uses or that are pre-installed on the host OS. Many of these dependencies can be updated independently of Xinet; if a library bundled within Xinet itself requires a code change, our Development Team will handle the request as a Product Enhancement.
If there is a Xinet component or a 3rd-Party package reported in the Security Audit that is not included within the table below, please submit a Support Ticket.
<supportagent>
If a customer reports a security vulnerability, reference the steps within Troubleshooting Article: Security Vulnerabilities to help isolate and mitigate the impact.
</supportagent>
Known Safe Upgrade Paths for Commonly Reported 3rd-Party Packages
Below are the 3rd-party packages that most commonly appear in the reports we receive, together with the remediation steps you can safely take for each.
| Package / Issue | Remediation Steps | Safe to Update/Modify? |
|---|---|---|
| Apache (httpd) | The Xinet installation process always installs the newest available version of Apache (httpd). It is therefore generally safe to update this package through your package manager as part of a vulnerability mitigation strategy. | Yes |
| Oracle MySQL | Xinet ships with a pre-configured, tightly integrated MySQL 5.6. At this time, system administrators cannot easily upgrade the MySQL version. A Feature Request for this upgrade is under review by the Development Team; no ETA is currently available for when the package will be upgraded. | No |
| PHP | Newer Xinet releases use more up-to-date versions of PHP. In response to previous requests, some older Xinet releases have custom installers packaged with support for newer PHP versions. | Yes, but it may require a custom Xinet installer. |
| VNC | Xinet does not use VNC or any of its components. VNC is most often included as part of the base OS; updating, disabling or removing it has no impact on Xinet. | Yes |
| CIFS NULL Session Permitted | Xinet does not use anonymous (NULL) sessions to CIFS shares. Disabling them on the host has no impact on Xinet. | Yes |
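The "CIFS NULL Session Permitted" finding is a host configuration rather than a package version, so the fix is a config change rather than an update. The following script is an added example, not code from this article or from the Xinet product: it assumes the CIFS shares are served by Samba on the Linux host (the article does not say which CIFS server is in use) and checks whether an smb.conf still accepts anonymous sessions, which Samba refuses only when `restrict anonymous = 2` is set in `[global]`. The two smb.conf samples it evaluates, a weak one as a scanner would flag it and the corrected one, are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Xinet article or product: decide whether a
# Samba smb.conf still permits anonymous (NULL) CIFS sessions, the
# "CIFS NULL Session Permitted" scanner finding. Assumes a Linux host serving
# CIFS with Samba; the smb.conf contents below are constructed for the
# demonstration, not taken from any Xinet installation.

# null_session_permitted <path-to-smb.conf>
# Exit status 0 ("permitted") unless the [global] section sets
# "restrict anonymous = 2", the Samba setting that refuses all anonymous
# connections. Comment lines (# or ;) and other sections are ignored, and
# the option value is read case- and whitespace-insensitively.
null_session_permitted() {
    level=$(awk '
        /^[[:space:]]*\[/ {
            in_global = (tolower($0) ~ /^[[:space:]]*\[global\][[:space:]]*$/)
            next
        }
        !in_global || /^[[:space:]]*[#;]/ { next }
        {
            line = tolower($0)
            gsub(/[[:space:]]+/, " ", line)
            sub(/^ /, "", line); sub(/ $/, "", line)
            if (line ~ /^restrict anonymous ?= ?[0-9]+$/) {
                split(line, kv, "=")
                gsub(/[^0-9]/, "", kv[2])
                val = kv[2]
            }
        }
        END { if (val == "") val = 0; print val }   # Samba default is 0
    ' "$1")
    [ "$level" -lt 2 ]
}

# Constructed sample configurations: the weak one as a scanner would flag it,
# and the corrected one with anonymous sessions refused.
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
WEAK_CONF="$SAMPLES/weak-smb.conf"
HARDENED_CONF="$SAMPLES/hardened-smb.conf"

cat > "$WEAK_CONF" <<'EOF'
[global]
   workgroup = WORKGROUP
   security = user
   ; restrict anonymous is left at its default of 0, so NULL sessions are accepted
   map to guest = Bad User
[share]
   path = /srv/share
EOF

cat > "$HARDENED_CONF" <<'EOF'
[global]
   workgroup = WORKGROUP
   security = user
   restrict anonymous = 2
   map to guest = Never
[share]
   path = /srv/share
EOF

# report <path>: human-readable summary for running the script directly.
report() {
    if null_session_permitted "$1"; then
        echo "$1: NULL sessions PERMITTED (set 'restrict anonymous = 2' in [global])"
    else
        echo "$1: NULL sessions refused"
    fi
}

report "$WEAK_CONF"
report "$HARDENED_CONF"
```

Against a live host, call `null_session_permitted /etc/samba/smb.conf` and restart the smb service after editing the file. The check covers only `restrict anonymous`; `map to guest` (default `Never`) is worth reviewing at the same time, since `Bad User` maps unknown usernames to the guest account. If the CIFS shares are served from a Windows host instead of Samba, the equivalent control is the `RestrictAnonymous` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, which this script does not handle.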