Here is a list of the known reported vulnerability numbers for SSH and how they apply to CacheFlow (CF) appliance software:
CVE-1999-0634. This CVE is listed as "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER" on the NIST site. The indications for it are that "SSH is running". SSH is running, and it is a secure remote access method. This should be considered a "false positive", and given the NIST entry, it should probably be considered a defect in the scanning software. Refer to https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0634
CVE-2011-5000. Not vulnerable. CF does not build with the GSSAPI support.
CVE-2011-0633. This CVE is listed as "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER" on the NIST site. It may be checking that port 80 is open and is accepting connections. If that is the case, that would be because explicit port 80 is being intercepted, likely as part of the recommended health checks performed by the switch. This should likely be considered a "false positive", and given the NIST entry, it should probably be considered a defect in the scanning software.
CVE-2011-4327. Not vulnerable. CF's implementation of OpenSSH does not use a ssh-rand-helper to obtain entropy, nor does the CF software contain ptrace or ptrace-like commands.
OpenSSH (CVE-2010-5107) - The way to mitigate the problem is to restrict access to the management SSH port of the CF via router ACL config (ie; allow only administrator IPs/network to access CF Mgt Console on TCP_22)
OpenSSH 'schnorr.c'(CVE-2014-1692) - CF is not vulnerable because J-PAKE is not enabled.
OpenSSH J-PAKE (CVE-2010-4478) - CF is not vulnerable because J-PAKE is not enabled
OpenSSH verify_host_key SSHFP DNS RR(CVE-2014-2653) - This is a problem with the OpenSSH client behaviour when the server sends an unrecognized certificate. The server code is not impacted thus CF is not vulnerable.
OpenSSH (CVE-2014-2532)- The CF CLI has no environment variables or allow environment variables to be configured from CLI. None of vulnerable code is enabled on CF and therefore the CF is not vulnerable.
OpenSSH (CVE-2011-0539) - CF is not vulnerable because OpenSSH code is only used as SSH server. The vulnerable function, key_certify() is not used by the CF.
Imported Document ID: 000024974
Subscribing will provide email updates when this Article is updated. Login is required.
Thanks for your feedback. Let us know if you have additional comments below. (requires login)
Subscribed to the Article.
Unable to subscribe
Thanks for your additional feedback !!!
Enterprise Support Virtual Agent
Rate Me :
Tell us more:
Welcome! My name is Sami, the Enterprise Support Virtual Agent answering technical support questions.