How-to: Verify automated security scan


From time to time we receive a long list of vulnerabilities from customers. Most entries on these lists are false positives: automated security scanners match the upstream version string (e.g. "Apache 2.4.25") against CVE version ranges and do not account for fixes that Debian backports into the same upstream version, so they never verify the actual package version that is installed.

Environment

  1. Vulnerability scan against UCS systems

Note 1: I will lead you through a manual check of apache2 in the example below.

Note 2: We assume the report lists CVE-2021-30641.

Don’t panic

Step 1: Check the installed package

root@dc0:~ # dpkg -l |grep apache
ii  apache2                                             2.4.25-3+deb9u11A~4.4.8.202110040913                                amd64        Apache HTTP Server
ii  apache2-bin                                         2.4.25-3+deb9u11A~4.4.8.202110040913                                amd64        Apache HTTP Server (modules and other binary files)
ii  apache2-data                                        2.4.25-3+deb9u11A~4.4.8.202110040913                                all          Apache HTTP Server (common files)
ii  apache2-suexec-pristine                             2.4.25-3+deb9u11A~4.4.8.202110040913                                amd64        Apache HTTP Server standard suexec program for mod_suexec
ii  apache2-utils                                       2.4.25-3+deb9u11A~4.4.8.202110040913                                amd64        Apache HTTP Server (utility programs for web servers)
ii  libapache2-mod-authnz-pam                           1.1.0-1                                                             amd64        PAM authorization checker and PAM Basic Authentication provider
ii  libapache2-mod-php7.0                               7.0.33-0+deb9u11                                                    amd64        server-side, HTML-embedded scripting language (Apache 2 module)
ii  libapache2-mod-wsgi                                 4.5.11-1                                                            amd64        Python WSGI adapter module for Apache
ii  univention-apache                                   11.0.2-1A~4.4.0.202012152249                                        all          UCS - Apache2 configuration
ii  univention-apache-vhost                             11.0.2-1A~4.4.0.202012152249                                        all          UCS - Apache2 vhost

The installed version of apache2 (core) is 2.4.25-3+deb9u11A~4.4.8.202110040913.
It is a Debian package (rebuilt for UCS), so we need to…

Step 2: Check via debian homepage

Debian has a great interface to look up the patch level of a package and which CVEs are fixed in it:

https://security-tracker.debian.org/tracker/

Open the page, enter "apache2" in the "Search for package or bug name:" field and press "Go". Alternatively, you can enter the CVE number to check that vulnerability directly.

You will see that our installed version "2.4.25-3+deb9u11A~4.4.8.202110040913" matches the latest package "stretch (security) 2.4.25-3+deb9u11": the part before the "A~4.4.8.202110040913" suffix is the Debian version, and the suffix only marks the UCS rebuild of that package. (UCS 4.4 uses Debian stretch as upstream, and we receive its security updates.)

We double-check the given CVE in our example by searching the page for CVE-2021-30641; it is listed in the resolved section, so the fix is contained in the installed package version and the scanner finding is a false positive.
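The two steps above, carried out in code as an added example (this is not part of the Univention how-to and not a Univention tool): parse the `dpkg -l` listing, strip the UCS rebuild suffix to obtain the Debian version, and compare that against the fixed version from the Debian security tracker using the dpkg version-ordering rules (epoch, upstream, revision; `~` sorts before everything). The `dpkg -l` rows and the tracker excerpt are constructed from the values shown on this page; the JSON layout assumed for the tracker (`releases` → codename → `status`/`fixed_version`, modelled on https://security-tracker.debian.org/tracker/data/json) and all function names are my own assumptions.

```python
import re

# Constructed sample in the shape of the `dpkg -l` listing above (not a live capture).
DPKG_L_SAMPLE = """\
ii  apache2                 2.4.25-3+deb9u11A~4.4.8.202110040913  amd64  Apache HTTP Server
ii  apache2-bin             2.4.25-3+deb9u11A~4.4.8.202110040913  amd64  Apache HTTP Server (modules and other binary files)
ii  libapache2-mod-php7.0   7.0.33-0+deb9u11                      amd64  server-side, HTML-embedded scripting language (Apache 2 module)
"""

# Constructed excerpt modelled on the Debian security tracker JSON export.
# Assumption: the "releases" -> codename -> "status"/"fixed_version" layout.
# The fixed version is the stretch (security) version named on this page.
TRACKER_SAMPLE = {
    "apache2": {
        "CVE-2021-30641": {
            "releases": {
                "stretch": {"status": "resolved", "fixed_version": "2.4.25-3+deb9u11"},
            }
        }
    }
}

# Assumption: UCS rebuilds append "A~<ucs-release>.<timestamp>" to the Debian version.
UCS_REBUILD_SUFFIX = re.compile(r"A~[0-9].*$")


def parse_dpkg_l(listing):
    """Map package name -> installed version for the 'ii' rows of `dpkg -l` output."""
    installed = {}
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "ii":
            installed[parts[1].split(":")[0]] = parts[2]  # drop ':amd64'-style qualifiers
    return installed


def debian_version(ucs_version):
    """Strip the UCS rebuild tag so the result can be matched against the tracker."""
    return UCS_REBUILD_SUFFIX.sub("", ucs_version)


def _order(c):
    """Character weight used by dpkg: '~' < end-of-string < digits < letters < others."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a, b):
    """dpkg's comparison of one version component (upstream or revision)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Compare runs of non-digit characters by their dpkg weight.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Compare runs of digits numerically (leading zeros ignored, longer run wins).
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(v1, v2):
    """Return -1, 0 or 1 like `dpkg --compare-versions` (epoch, then upstream, then revision)."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision

    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return (e1 > e2) - (e1 < e2)
    c = _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)


def check_cve(listing, tracker, package, cve, release="stretch"):
    """Decide whether a scanner finding for `cve` is fixed on the host described by `listing`."""
    installed = parse_dpkg_l(listing)[package]
    entry = tracker[package][cve]["releases"][release]
    fixed = entry.get("fixed_version")
    if entry.get("status") != "resolved" or not fixed:
        status = "unfixed"           # no fixed version for this release: finding stands
    elif compare_versions(installed, fixed) >= 0:
        status = "fixed"             # installed >= fixed version: false positive
    else:
        status = "vulnerable"        # installed < fixed version: update the package
    return {"installed": installed, "debian_version": debian_version(installed),
            "fixed_version": fixed, "status": status}


if __name__ == "__main__":
    print(check_cve(DPKG_L_SAMPLE, TRACKER_SAMPLE, "apache2", "CVE-2021-30641"))
```

On a real UCS host the same decision can be made without this script: `dpkg-query -W -f='${Version}\n' apache2` prints the installed version and `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' apache2)" ge 2.4.25-3+deb9u11` exits 0 when the installed package is at least the fixed version. The UCS rebuild tag sorts after the plain Debian version under dpkg rules, so the comparison works on the full version string; the stripped `debian_version` is only needed to match the version shown on the tracker page.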