Environment
ZENworks Reporting Server
Situation
Qualys reports vulnerabilities against the ZENworks Reporting Service appliance v6.2.3.
This article is for ZRS appliances.
Qualys ID  Level   Vulnerability
42366      High    SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Server Side Vulnerability (BEAST)
38601      High    SSL/TLS use of weak RC4 cipher
38657      Medium  Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)
38628      Medium  SSL/TLS Server supports TLSv1.0
38173      High    SSL Certificate - Signature Verification Failed Vulnerability
38169      High    SSL Certificate - Self-Signed Certificate
38172      Medium  SSL Certificate - Improper Usage Vulnerability
86763      Medium  Web Server Uses Plain Text Basic Authentication
82054      Medium  TCP Sequence Number Approximation Based Denial of Service
Resolution
This is fixed in ZRS 2020 (v7.2 and above).
Qualys ID 42366, 38601, 38657 & 38628 - The ZENworks Reporting Appliance web server should be updated to address the vulnerabilities in SSL communication.
Qualys ID 82054 - This is an Operating System level issue and is fixed in Linux Kernel 3.5 and newer (i.e. SuSE Linux Enterprise 12 and newer) per information provided by SuSE.
ZRS 6.4.3 runs on top of SLES 12 SP3, so these will be fixed in ZRS v6.4.3 (aka ZRS 2018).