Managing Vulnerabilities
I have some questions about vulnerability management which I have been struggling with that hopefully someone can help with. Sometimes our vulnerability management system (Nexpose) shows assets under a particular vulnerability of a virtual server but then shows the operating system such as Microsoft. I am trying to figure out or understand better what to expect in vulnerability management as the F5 proxies the connectivity to real servers. Are those exploits something I should consider or should they belong to the owners of the app or servers? As an example, I have an ADC that Nexpose reports multiple virtual servers are vulnerable to CVE-2011-3192. It actually has an F5 entry and an Apache entry with the Apache entry being the one that reports all the virtual servers (on only 1 ADC). It says, Server responded with partial content to a request with Malicious Range Headers. Now the F5 vuln shows no assets: F5 Networks: K13114 (CVE-2011-3192): Apache Range header vulnerability - CVE-2011-3192 No assets have this vulnerability.
But as mentioned this other entry list multiple virtual servers: Apache HTTPD: Range header remote DoS (CVE-2011-3192) Server responded with partial content to a request with malicious Range headers
Is the virtual server responding with this or is it being proxied to the real server and that is responding and I need to advise our vuln mgmt. team to have nexpose stop reporting this. Thanks for any help. We are on 12.1.1 HF1 right now but will be upgrading eventually to 13.1.X which will remediate almost all the open ones we have currently, but I am not sure how to tell my vuln mgmt. team, hey this isn't the f5 (unless it is). Thanks!