
Qualys Scans VIPs and dups on VULN

Question asked by fgrosswig on Dec 12, 2014
Latest reply on Apr 29, 2015 by djprakash

Hello Community -

Is there someone who might help me explain or understand the following scenario / issue? We have several cluster systems in our environment and therefore a lot of VIPs as resources on top of them. Let's say we found a vuln on both cluster components (for example) and on the VIPs associated with them. Is there any best practice for reducing those VIPs, which lead to multiple VULNs that only exist on the base system (the cluster machine)? So how does Qualys recognise those dup vulns, and how could we avoid reporting more vulns than really exist?

Also, how can we keep interim scans from affecting the export with misleading information due to the vuln status on each scan? I have noticed, on the same cluster host and co-resource cluster, different vuln statuses in one period (e.g. a month) for the same vuln (fixed, active, re-open...). Also, if a cluster vuln was fixed, how come the VIPs on the same host report the same vuln as still open when they are already closed? This does not really make sense to me at all. VIPs are not physically based on a host system; as the name says, they are virtual. So 5 IPs listening on (e.g.) port 8080. The fix of a vuln for this port and the vendor behind it should close all vulns on the same host (cluster) at once, no? Qualys does report it as still open. Maybe someone can tell me the logic behind this, because I don't understand it.

Thanks and regards.

Falk
