OpenSSL ASN.1 Parsing Vulnerabilities false positive from tomcat

Question asked by alyo on Aug 17, 2012
Latest reply on Mar 20, 2013 by QM_SSJ4

Hi,

Doing a scan on our site, which is running Tomcat 6.0.20.0, gave us the vulnerability:

OpenSSL ASN.1 Parsing Vulnerabilities

QID: 38224
CVE Base: 8
Port: 443
CVSS Temporal: 7.3
Category: General remote services
CVE ID: CVE-2003-0543, CVE-2003-0544, CVE-2003-0545, CVE-2005-173

Solution: The OpenSSL Project released OpenSSL versions 0.9.6k and 0.9.7c to address these issues.

We do have a version of OpenSSL running but it's OpenSSL 1.0.0j-fips

Tomcat is listening on port 443 (the SSL port), BUT it's not even using the OpenSSL libraries; it's using the standard JSSE libraries. The only way for Tomcat to be using OpenSSL in the first place is if we're using the Apache Portable Runtime (APR), which we're not. And even if we were, it'd be using the 1.0.0j-fips version of OpenSSL and wouldn't have generated the above vulnerability in the first place.

Can Qualys tell me exactly how they're testing for this vulnerability, as I think the test is giving us a false positive?

Thanks

Al
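The post's argument rests on which TLS stack the HTTPS connector actually uses: a Tomcat 6 connector only goes through OpenSSL when it is backed by APR/Tomcat Native, otherwise it is pure JSSE. The script below is an added example (not from the poster, Qualys or the Tomcat project) that reads a `server.xml`, finds every `SSLEnabled` connector and reports which stack it would use. The rules it applies are Tomcat's own: `Http11AprProtocol` forces APR, `Http11Protocol`/`Http11NioProtocol` are JSSE, and the generic `protocol="HTTP/1.1"` auto-selects APR only when an `AprLifecycleListener` is configured and the native library loads at startup. The two `server.xml` fragments are constructed sample input; file names and function names are mine.

```python
"""Classify Tomcat 6 HTTPS connectors as JSSE or APR/OpenSSL from server.xml.

Added example for triaging an OpenSSL finding against a Tomcat port.
"""
import xml.etree.ElementTree as ET

# Fully-qualified class names used by Tomcat 6 (these are real Tomcat identifiers).
APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"
APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"
JSSE_PROTOCOLS = {
    "org.apache.coyote.http11.Http11Protocol",     # blocking IO, JSSE
    "org.apache.coyote.http11.Http11NioProtocol",  # non-blocking IO, JSSE
}


def classify_connectors(server_xml):
    """Return one dict per SSL-enabled <Connector>: port, protocol, TLS stack."""
    root = ET.fromstring(server_xml)
    listeners = {lst.get("className") for lst in root.iter("Listener")}
    apr_listener_present = APR_LISTENER in listeners

    results = []
    for conn in root.iter("Connector"):
        # Only TLS connectors matter for an OpenSSL finding on an HTTPS port.
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        protocol = conn.get("protocol", "HTTP/1.1")
        if protocol == APR_PROTOCOL:
            stack = "APR/OpenSSL"
        elif protocol in JSSE_PROTOCOLS:
            stack = "JSSE"
        elif protocol == "HTTP/1.1":
            # Auto-selection: APR is chosen only if the listener is configured
            # AND tcnative actually loads at startup; without the listener it is JSSE.
            stack = ("APR/OpenSSL if tcnative loads, else JSSE"
                     if apr_listener_present else "JSSE")
        else:
            stack = "unknown"
        results.append({"port": conn.get("port"), "protocol": protocol, "stack": stack})
    return results


# Constructed sample: a plain Tomcat 6 HTTPS connector with no APR listener,
# matching the situation described in the post.
SAMPLE_NO_APR = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.JasperListener"/>
  <Service name="Catalina">
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/keystore.jks" keystorePass="changeit"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>"""

# Constructed sample: same connector, but the APR listener is configured, so
# the generic protocol would pick APR/OpenSSL if the native library loads.
SAMPLE_WITH_APR = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
  <Service name="Catalina">
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" SSLCertificateFile="conf/server.crt"/>
  </Service>
</Server>"""


def classify_file(path):
    """Convenience wrapper for a real deployment: classify_file('conf/server.xml')."""
    with open(path, encoding="utf-8") as fh:
        return classify_connectors(fh.read())


if __name__ == "__main__":
    for label, xml in (("no APR listener", SAMPLE_NO_APR), ("APR listener", SAMPLE_WITH_APR)):
        for entry in classify_connectors(xml):
            print(f"{label}: port {entry['port']} via {entry['protocol']} -> {entry['stack']}")
```

A result of `JSSE` for the port the scanner flagged means the OpenSSL advisory cannot apply to that listener, which is the evidence to hand back when disputing the finding. When the auto-select case comes up, confirm at runtime from the Tomcat startup log, which reports whether the APR/Tomcat Native library was loaded, rather than from the configuration alone.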