Nessus Vulnerability Report for ZCM Primary servers

  • 7009332
  • 09-Sep-2011
  • 03-Aug-2012

Environment

Novell ZENworks 11 Configuration Management
Novell ZENworks 11 Configuration Management Support Pack 1 - ZCM 11 SP1
Novell ZENworks 11 Configuration Management Support Pack 2 - ZCM 11 SP2

Situation

A Nessus scan of a ZENworks Primary Server reports the following error.

ERROR:

Nessus Scan Report:
The web server is affected by multiple cross-site scripting vulnerabilities and needs to be fixed.


Resolution

The security vulnerabilities fixed in Apache Tomcat 6.0.30 have been fully analyzed by Novell and are not relevant to ZENworks Configuration Management.

  1. Two XSS vulnerabilities in the Tomcat Manager interface were fixed in Tomcat 6.0.30. See http://tomcat.apache.org/security-6.html
    Nessus checks the Tomcat version and raises this alert whenever the version is lower than 6.0.30.
    Analysis: ZCM does not ship the Tomcat Manager interface with ZENworks. Therefore the Tomcat 6.0.29 that ships with ZENworks is safe from those vulnerabilities.
  2. One remote DoS vulnerability related to the NIO Connector is also reported as fixed in Tomcat 6.0.30. Applications that use the NIO Connector may be affected by this vulnerability.
    Analysis: ZCM does not use the NIO Connector. It uses the HTTP and HTTPS connectors only.
  3. In general, the ZENworks Configuration Management server does not use the default server.xml file that comes with Tomcat; it uses a customized server.xml file.
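The analysis in items 2 and 3 rests on which connectors the customized server.xml actually declares. The following script is an added example, not part of this TID or of the ZENworks product: it parses a server.xml file and reports whether any Connector uses the Tomcat NIO protocol (org.apache.coyote.http11.Http11NioProtocol). The embedded server.xml fragment is constructed for the example and is not the ZENworks file; to check a real installation, read the server's own server.xml into uses_nio_connector instead.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment for this example only. It is NOT the
# customized server.xml shipped with ZENworks; it mirrors the TID's statement
# that only HTTP and HTTPS connectors are in use.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" redirectPort="443"/>
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""

# Fully qualified protocol name Tomcat 6 uses for the NIO connector.
NIO_PROTOCOL = "org.apache.coyote.http11.Http11NioProtocol"


def connector_protocols(xml_text):
    """Return a list of (port, protocol) for every <Connector> in server.xml.

    A Connector with no protocol attribute defaults to "HTTP/1.1", which is
    Tomcat's blocking Java connector (or APR when the native library is present),
    not the NIO connector.
    """
    root = ET.fromstring(xml_text)
    return [(c.get("port"), c.get("protocol", "HTTP/1.1"))
            for c in root.iter("Connector")]


def uses_nio_connector(xml_text):
    """True if any Connector in the given server.xml is the NIO connector."""
    return any(proto == NIO_PROTOCOL for _, proto in connector_protocols(xml_text))


def report(xml_text):
    """Human-readable summary of the connectors, one line per Connector."""
    lines = ["port %s: %s" % (port, proto)
             for port, proto in connector_protocols(xml_text)]
    verdict = ("NIO connector present; the Tomcat 6.0.30 DoS fix is relevant"
               if uses_nio_connector(xml_text)
               else "no NIO connector; the Tomcat 6.0.30 NIO DoS fix does not apply")
    return "\n".join(lines + [verdict])


if __name__ == "__main__":
    # Replace SAMPLE_SERVER_XML with open("/path/to/server.xml").read()
    # to inspect a real installation.
    print(report(SAMPLE_SERVER_XML))
```

The check is deliberately keyed on the protocol attribute rather than on port numbers, because the NIO connector can be bound to any port; a version-only check such as the Nessus plugin's cannot distinguish a server that uses NIO from one that does not.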

Additional Information

ZCC already implements XSS filters. Because of the particular implementation of ZCC, it is not possible to filter scripts or other XSS-causing tags out of the request or response. Instead, these characters are "escaped" using their corresponding ASCII values. They are therefore echoed back in the response (which is what the Nessus scan shows), but they are never executed as part of the request or response.
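The distinction the paragraph draws, between a payload being echoed and a payload being executable, is what separates a scanner false positive from a real reflected XSS. The following script is an added example and is not ZCC code: it escapes the XSS-relevant characters into their decimal numeric character references, reflects a constructed request parameter into a page, and then runs two scanner-style checks against the response. The naive check decodes entities before searching and flags the escaped page; the stricter check looks for the payload verbatim in the raw markup and does not. An unescaped variant is included only as the constructed "before" case for contrast.

```python
import html

# Characters that matter for HTML/script injection, mapped to decimal numeric
# character references (the "escaped using their ASCII values" approach the
# TID describes). '&' is included so existing references are not decoded.
ESCAPE_MAP = {c: "&#%d;" % ord(c) for c in "&<>\"'"}


def escape_for_html(value):
    """Replace each dangerous character with its numeric character reference."""
    return "".join(ESCAPE_MAP.get(ch, ch) for ch in value)


def render_page_escaped(user_input):
    """Constructed page that reflects a request parameter after escaping it."""
    return "<html><body>Search results for: %s</body></html>" % escape_for_html(user_input)


def render_page_unescaped(user_input):
    """Constructed 'before' case: reflects the parameter verbatim (vulnerable)."""
    return "<html><body>Search results for: %s</body></html>" % user_input


def naive_reflection_check(payload, response):
    """Scanner heuristic that decodes entities first, then searches.

    This reports escaped output as 'reflected' even though a browser would
    render it as literal text, producing a false positive.
    """
    return payload in html.unescape(response)


def unescaped_reflection_check(payload, response):
    """Flag only when the raw markup contains the payload verbatim,
    i.e. when the browser would actually parse it as a tag."""
    return payload in response


if __name__ == "__main__":
    # Constructed probe string of the kind a scanner sends.
    probe = "<script>alert(1)</script>"
    for name, page in (("escaped", render_page_escaped(probe)),
                       ("unescaped", render_page_unescaped(probe))):
        print("%-9s naive=%s strict=%s" % (
            name,
            naive_reflection_check(probe, page),
            unescaped_reflection_check(probe, page)))
```

When triaging a scanner finding like the one in this TID, fetch the response the scanner flagged and apply the strict check to the raw bytes: if every `<`, `>`, quote and `&` from the probe comes back as a character reference, the finding is a false positive of the kind described above.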