ProxySG & Advanced Secure Gateway


ProxySG S200-10 - vulnerability query for QID (650060, 105972)

ProxyAdmin TRG posted Sep 26, 2023 01:08 PM

Issue: The scanning tool has reported a vulnerability with QID (650060, 105972), and there are no CVEs associated with it, for the device ProxySG S200-10 | SGOS Proxy Edition.

Detail as per the report: Apache Tomcat software is a web server. EOL/Obsolete Apache Tomcat detected on port 443 over TCP.

Impact: The system is at high risk of being exposed to security vulnerabilities. Because the vendor no longer provides updates, obsolete software is more vulnerable to viruses and other attacks.

Solution suggested: Upgrade to the latest version of Apache Tomcat. Please refer to the Apache Tomcat website.

Would like to confirm whether the device (ProxySG S200-10) is affected by the reported vulnerability, and whether there are known CVEs and a fix for the same.

Also, would like to know whether there is any way to check which version of Apache Tomcat is running on the device.

Broadcom Knight Matthias Geiser

Hi there,

The proxy's admin UI usually runs on port 8082. By default, there is no service running on port 443. Have you set up a reverse proxy service on port 443? Or is this a transparent proxy deployment?

Please check what service is active on port 443. But I'm quite sure that there is no Tomcat active on ProxySG.

Best regards, Matthias

ProxyAdmin TRG

Hi Matthias,

Thank you for your response.

How can we verify the services active on port 443?

Are there any KB references which mention that there is no Tomcat active on ProxySG?

Since the QIDs (650060, 105972) are for EOL/obsolete Apache software, can this be ignored if the proxy is not running Tomcat services?

Klaus Klinge

To check if the proxy is listening on port 443 there are 2 ways:
1) SSH:
conf t
Look for "port 443".

2) GUI:
Proxy services
Look for a service listening on port 443.

Then there is the very unusual possibility that someone in Management Services has changed the GUI from 8082 to 443. 
From a security point of view, this is unattractive and even dangerous, because it makes it easier for hackers to do their work, since 443 is frequently enabled on the firewall.

Once you have found a service, the next step is to make sure that you find this service in the rule set.
Then the proxy should have a forwarding to a server in the forward layer - and this server will probably have the reported vulnerability.

If it is a forward proxy, then there is still the possibility that the scanner surfed through the proxy to a website that has this vulnerability.
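The thread's advice is to find out what actually answers on TCP/443 before chasing the Tomcat finding. The following Python probe is an added example (not code from the thread, from Broadcom, or from the scanner vendor): it connects to the host with TLS, fetches a page, and looks for the strings Tomcat itself emits (the `Server: Apache-Coyote/1.1` header of older Tomcat builds and the `Apache Tomcat/x.y.z` banner on its default error and index pages). If neither appears, the Tomcat banner the scanner saw most likely came from a server the proxy forwards to, or from a site the scanner surfed to through a forward proxy, as described above. The target host name is a command-line argument; the two sample responses embedded in the block are constructed for illustration, not captured from any real device, and the exact match logic of QID 650060/105972 is not known here.

```python
"""Fingerprint whatever answers on TCP/443 so a scanner's 'obsolete Tomcat'
finding can be tied to the right host.  Added example, not vendor code."""
import re
import socket
import ssl
import sys

# Indicators Tomcat itself emits (real Tomcat behaviour, not assumptions):
#  - "Server: Apache-Coyote/1.1" header, sent by Tomcat 5.x - 8.0
#  - "Apache Tomcat/x.y.z" in the default error-report and index pages
VERSION_RE = re.compile(r"Apache Tomcat/(\d+\.\d+(?:\.\d+)?)", re.I)
COYOTE_RE = re.compile(r"^Server:\s*Apache-Coyote", re.I | re.M)
SERVER_RE = re.compile(r"^Server:\s*(.+?)\s*$", re.I | re.M)


def fingerprint(raw):
    """Classify a raw HTTP response: Server header, Tomcat yes/no, version."""
    server = SERVER_RE.search(raw)
    version = VERSION_RE.search(raw)
    return {
        "server": server.group(1) if server else None,
        "tomcat": bool(version) or bool(COYOTE_RE.search(raw)),
        "version": version.group(1) if version else None,
    }


def probe(host, port=443, path="/", timeout=5.0):
    """TLS-connect to host:port, request `path`, return the raw response text.
    Certificate checks are disabled on purpose: appliance service ports
    usually present self-signed certificates and we only want the banner.
    Requesting a path that does not exist makes Tomcat return its default
    404 error page, which also carries the version string."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = ("GET %s HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n"
           % (path, host)).encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(req)
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


# Constructed sample responses for offline use (not captured from any device).
SAMPLE_TOMCAT = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html;charset=utf-8\r\n\r\n"
    "<html><head><title>Apache Tomcat/7.0.42 - Error report</title></head>"
    "<body><h3>Apache Tomcat/7.0.42</h3></body></html>"
)
SAMPLE_OTHER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body>hello</body></html>"
)


def verdict(result):
    """Turn a fingerprint into the next step the thread recommends."""
    if result["tomcat"]:
        return "Tomcat answered on 443 (version %s): this host owns the finding" % (
            result["version"] or "unknown")
    return ("No Tomcat indicators (Server: %s): check the proxy service on 443, "
            "its forwarding target, or whether the scanner went through the proxy"
            % (result["server"] or "none"))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live probe: python3 probe443.py proxy.example.internal
        res = fingerprint(probe(sys.argv[1], path="/does-not-exist-%d" % 443))
        print(res, "->", verdict(res))
    else:
        for name, sample in (("tomcat sample", SAMPLE_TOMCAT), ("other sample", SAMPLE_OTHER)):
            res = fingerprint(sample)
            print(name, res, "->", verdict(res))
```

Run it against the appliance and against any server named in the proxy's forwarding configuration; whichever one returns a Tomcat banner is the host the QID actually belongs to. A response without any Tomcat marker does not make the finding wrong, it only shows it was not produced by that listener, which is the evidence you need when asking the scanner team to re-point or suppress it.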