I have some questions about vulnerability management which I have been struggling with that hopefully someone can help with. Sometimes our vulnerability management system (Nexpose) shows assets under a particular vulnerability of a virtual server but then shows the operating system, such as Microsoft. I am trying to figure out or understand better what to expect in vulnerability management, as the F5 proxies the connectivity to real servers. Are those exploits something I should consider, or should they belong to the owners of the app or servers? As an example, I have an ADC that Nexpose reports multiple virtual servers are vulnerable to CVE-2011-3192. It actually has an F5 entry and an Apache entry, with the Apache entry being the one that reports all the virtual servers (on only 1 ADC). It says, "Server responded with partial content to a request with Malicious Range Headers." Now the F5 vuln shows no assets:
F5 Networks: K13114 (CVE-2011-3192): Apache Range header vulnerability - CVE-2011-3192
No assets have this vulnerability.
But as mentioned, this other entry lists multiple virtual servers:
Apache HTTPD: Range header remote DoS (CVE-2011-3192)
Server responded with partial content to a request with malicious Range headers
Is the virtual server responding with this, or is it being proxied to the real server and that is responding, and I need to advise our vuln mgmt. team to have Nexpose stop reporting this? Thanks for any help. We are on 12.1.1 HF1 right now but will be upgrading eventually to 13.1.X, which will remediate almost all the open ones we have currently, but I am not sure how to tell my vuln mgmt. team, "hey, this isn't the F5" (unless it is). Thanks!
I am going to reply to my own question, as I probably should have read the article a little closer.
Vulnerable component or feature
Virtual servers are not vulnerable, but may proxy exploits to vulnerable servers
I am not on a vulnerable image:
Versions known to be Not Vulnerable
11.1.0 and later
So I think this is a tagging issue with our Vuln Management system.
I guess if anyone responds, do you think this is still an issue with F5 or an issue with Nexpose?
Your vulnerability managing system is correctly reporting that there is a vulnerability, but in this case it's a vulnerability on the back end system that is being exposed through the BigIP. The correct place to patch this is in the back end system. Patching the BigIP, even if possible, would do nothing to patch the vulnerability your scanner is seeing, as we are simply passing on the vulnerable code from the back end.
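The scanner check quoted in the question is simply "does the server answer a request carrying many Range values with 206 Partial Content", and the answer above explains that the BIG-IP is passing that request through to the back end untouched. The defensive question for whoever owns the proxy layer is therefore whether such a Range header should be forwarded at all. The following is an added example written for this thread (it is not code from the thread, from Nexpose, F5 or Apache) of a Range-header policy check of the kind a reverse proxy or WAF can apply in front of a back end that still honours every byte range. The limit MAX_RANGES, the resource_len parameter and the forward/strip/reject outcomes are assumptions chosen for illustration, not F5 or Apache settings.

```python
import re
from typing import List, Optional, Tuple

# Assumed policy limit for illustration only: more ranges than this in a
# single Range header is treated as abusive rather than a normal client.
MAX_RANGES = 5

_BYTES_RE = re.compile(r"^\s*bytes\s*=\s*(.+?)\s*$", re.IGNORECASE)

# (start, end): None start = suffix range ('-500'), None end = open range ('200-')
ByteRange = Tuple[Optional[int], Optional[int]]


def parse_range_header(value: str) -> Optional[List[ByteRange]]:
    """Parse 'bytes=0-99,200-,-500' into (start, end) pairs.

    Returns None if the header is not a well-formed byte-range set, so a
    caller can treat syntax errors separately from policy violations.
    """
    m = _BYTES_RE.match(value)
    if not m:
        return None
    ranges: List[ByteRange] = []
    for spec in m.group(1).split(","):
        spec = spec.strip()
        if spec.count("-") != 1:
            return None
        start_s, end_s = spec.split("-")
        if not start_s and not end_s:          # bare '-' is meaningless
            return None
        if (start_s and not start_s.isdigit()) or (end_s and not end_s.isdigit()):
            return None
        start = int(start_s) if start_s else None
        end = int(end_s) if end_s else None
        if start is not None and end is not None and end < start:
            return None
        ranges.append((start, end))
    return ranges


def normalise(ranges: List[ByteRange], resource_len: int) -> List[Tuple[int, int]]:
    """Resolve suffix and open-ended ranges against a known resource length."""
    out: List[Tuple[int, int]] = []
    last = resource_len - 1
    for start, end in ranges:
        if start is None:                       # suffix range: last N bytes
            out.append((max(0, resource_len - end), last))
        else:
            out.append((start, last if end is None else min(end, last)))
    return out


def has_overlap(ranges: List[Tuple[int, int]]) -> bool:
    """True if any two resolved ranges share at least one byte."""
    ordered = sorted(ranges)
    for (_, prev_end), (cur_start, _) in zip(ordered, ordered[1:]):
        if cur_start <= prev_end:
            return True
    return False


def range_policy(value: str, resource_len: int) -> Tuple[str, str]:
    """Decide what a proxy should do with an incoming Range header.

    Returns one of ('forward' | 'strip' | 'reject', reason). 'strip' means
    pass the request on without the Range header, so the back end serves
    the whole object with 200 instead of a multipart 206; 'reject' means
    answer the client with an error and never reach the back end.
    """
    parsed = parse_range_header(value)
    if parsed is None:
        return "reject", "malformed Range header"
    if len(parsed) > MAX_RANGES:
        return "strip", f"{len(parsed)} ranges exceeds limit of {MAX_RANGES}"
    if has_overlap(normalise(parsed, resource_len)):
        return "strip", "overlapping byte ranges"
    return "forward", "within policy"


if __name__ == "__main__":
    # Constructed sample headers against an assumed 1000-byte resource.
    for hdr in ("bytes=0-99,100-199", "bytes=0-99,50-150",
                "bytes=0-,1-,2-,3-,4-,5-", "bytes=-100,900-", "bytes=foo"):
        print(f"{hdr!r:32} -> {range_policy(hdr, 1000)}")
```

The point of the split between 'strip' and 'reject' is operational: stripping keeps legitimate clients working (they just get the full object), while the scanner's probe no longer sees a 206 from the virtual server, which is exactly the signal Nexpose is keying on. Whether that belongs on the BIG-IP or on the back end is the ownership question the thread raises; the check itself is the same either way.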