08-21-2013 06:50 AM
This request is rather different from my previous request, and I wondered if anyone has any suggestions.
EV 10.0.3 is installed in two trusted domain environments (one production and one test). Our security team has run some tools to identify scripting in our environments, and they came up with this vulnerability issue. They have asked me to resolve it, and I have no idea where to go or what to change.
The web server and application found on this host (EV server) is vulnerable to multiple XSS attacks due to improper user input sanitization.
The Quate CMS running on port 7215 on EV server is prone to this common vulnerability.
and the recommendation is:
Check with the vendor for a patch. As a workaround, configure the web server to return a customised error or redirection page that properly sanitizes the requested URL in the response.
08-21-2013 07:24 AM
Hi,
I did a quick search about 'Quate CMS' and it appears to be a Content Management System (PHP-based content manager). Is this app running on that specific port 7215? If so, I don't think this is a Symantec product (at least not related to EV). If you do not have this product installed, what process is running on this port? Run a netstat -nao, look for 0.0.0.0:7215 and get the PID (last column), then open Task Manager and add the PID column to the Processes tab. Look at the process name and verify if the process is EV related.
I hope this helps.
08-21-2013 07:24 AM
Quate CMS has nothing to do with EV
http://www.juniper.net/security/auto/vulnerabilities/vuln30570.html
Don't know how you have ended up with this app running on your EV servers, but removing it would seem to be the obvious solution.
08-21-2013 08:18 AM
Thank you guys,
Following GabeV - the PID belongs to query-service.exe, description: Velocity Search Service. This is running under the EV service account.
In fact there are a few services running: Collection-broker.exe, collection-service-dispatch.exe
Searching for these services I have found this; not sure how to uninstall it:
http://www.symantec.com/business/support/index?page=content&id=TECH172165
since it's part of EV. Maybe I have installed some kind of troubleshooting tool, but somehow I do not have these services in the prod environment.
Following Ed - I do not find Quate CMS (a PHP-based content manager) installed anywhere on that server.
08-21-2013 08:42 AM
You can't uninstall these services since they are part of the EV 10 indexing processes. I am wondering if this security tool is seeing that this port is open on the EV server and the tool is **thinking** that the application running should be 'Quate CMS'. If that's the case then you need to confirm with the team that ran this tool whether this is the case or not.
I hope this helps.
08-21-2013 09:03 AM
Thank you GabeV,
I am not following you with your last comment - sorry.
The thing is that I do not have these services running in the EV production server.
08-21-2013 09:28 AM
I think I misunderstood your previous comment. You mentioned that the PID belongs to query-service.exe, but then you mentioned that you do not have these services in the production environment. Which services were you referring to?
08-21-2013 11:21 AM
My little research on the internet for this port indicates that in the past this port was used by a known malware. Refer to this link: http://www.auditmypc.com/tcp-port-7215.asp. So it's expected that security software will generate alerts when they see this port open.
And the Enterprise Vault indexing engine query search port also uses 7215, so your security tools might be considering it a vulnerability issue.
I would suggest changing this port via the VAC (open VAC \ Expand Servers \ select EV SERVER \ Properties \ Advanced \ Indexing - Indexing engine query search port) as in the screenshot.
Regards
EV-C
08-21-2013 11:36 AM
Good catch, but I would NOT recommend changing this setting, as described in the help file:
Description: The internal communication port for the Indexing Engine Query Service.
Supported values:
08-21-2013 11:54 AM
Thanks Gabe for pointing this out correctly. Yes, please contact Tech Support to get the best advice before you make port changes. As far as I know, the Velocity web service only allows the VSA to access this port from localhost (127.0.0.1).
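The two checks raised in this thread, mapping the listening port to its owning process (the netstat -nao / Task Manager steps above) and confirming whether that listener is reachable only from localhost (127.0.0.1) or from every interface, can be done in one step. The following PowerShell function is an added example written for this thread; it is not code from Symantec or from any poster. It assumes only the built-in netstat, Get-Process and Get-WmiObject commands, and that it is run from an elevated prompt so that the image path and owner of a service process are readable.

```powershell
# Added example (not from the thread or from Symantec): map a listening TCP port
# to its owning process and report whether it is bound to loopback only.
function Get-ListeningPortOwner {
    param([Parameter(Mandatory)][int]$Port)

    # netstat -ano columns: Proto, Local Address, Foreign Address, State, PID.
    # Keep only TCP listeners; this also drops the header lines.
    $lines = netstat -ano | Where-Object { $_ -match '^\s*TCP\s' -and $_ -match 'LISTENING' }

    foreach ($line in $lines) {
        $fields = ($line -split '\s+') | Where-Object { $_ -ne '' }
        $local  = $fields[1]              # e.g. 0.0.0.0:7215, 127.0.0.1:7215 or [::]:7215
        $ownerPid = [int]$fields[4]       # $pid is a PowerShell automatic variable; avoid it

        # Split "address:port"; the last colon separates the port for IPv4 and bracketed IPv6.
        if ($local -notmatch '^(.*):(\d+)$') { continue }
        $addr = $Matches[1]
        if ([int]$Matches[2] -ne $Port) { continue }

        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        $path = $null
        try { $path = $proc.MainModule.FileName } catch { }   # needs elevation for service processes

        $wmi = Get-WmiObject Win32_Process -Filter "ProcessId = $ownerPid"
        $owner = $null
        if ($wmi) { $o = $wmi.GetOwner(); if ($o.ReturnValue -eq 0) { $owner = "$($o.Domain)\$($o.User)" } }

        [pscustomobject]@{
            Port         = $Port
            LocalAddress = $addr
            # True only when the socket is bound to a loopback address, i.e. not reachable
            # from the network; 0.0.0.0 or [::] means every interface.
            LoopbackOnly = ($addr -eq '127.0.0.1' -or $addr -eq '[::1]')
            PID          = $ownerPid
            ProcessName  = if ($proc) { $proc.Name } else { $null }
            ImagePath    = $path
            Owner        = $owner
        }
    }
}

# Usage: identify what is behind the scanner finding on 7215.
Get-ListeningPortOwner -Port 7215 | Format-List

# The same function answers "is this port already in use?" before choosing a
# replacement port: an empty result means nothing is listening on it.
if (-not (Get-ListeningPortOwner -Port 7216)) { 'port 7216 is free' }
```

If the result shows query-service.exe running under the EV service account but LocalAddress is 0.0.0.0 or [::], the Velocity service is accepting connections on all interfaces, and any localhost-only restriction is being enforced by the application rather than by the socket binding; that distinction is worth passing to the security team along with the false-positive explanation, because it determines whether a host firewall rule for the port is a useful compensating control.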
08-22-2013 08:37 AM
Thank you guys,
Gabe - what I was trying to explain is that I have EV installed in two separate environments (forests), i.e. production and test.
I am only seeing these services running in the test environment, NOT in production. So in the live environment I am not seeing query-service.exe with port 7215, Collection-broker.exe or collection-service-dispatch.exe.
So if EV is using these services, then how come I end up with EV in production without them? We do not have an indexing issue right now, but two months after the EV migration we did have a major indexing issue for journaling.
08-22-2013 11:32 PM
Honestly, we are not sure why this is happening only in your test environment. As Gabe suggested, input from Support would be a good option.
08-23-2013 06:44 AM
EVRocks,
If I look at my 10.0.4 lab, I can see these processes running:
If you are running EV 10 on both domains, something is not right, because we changed the index engine starting with EV 10.0 base. The only thing I can think of is that you are running EV 9.x in your production environment. If that's the case, then that could explain this situation. Otherwise, go ahead and open a ticket with Support so we can review your environment.
I hope this helps.
09-19-2013 07:06 AM
Guys,
Below is the response from the Symantec support team. I think our security team will suggest changing the port number.
I have researched and found some points regarding the port:
1. By default, EV uses port 7215.
2. However, a little research on the internet for this port also indicates that in the past this port was used by a known malware. Refer to this link: http://www.auditmypc.com/tcp-port-7215.asp. With this, it's expected that security software will generate alerts when they see this port open.
3. But now that we know EV has opened that port, and not the malware as such, you should ignore this warning (as it's a false alert).
4. Fortunately, EV allows you to change the default port number used in this case.
The port can be changed from the Vault Admin Console:
Open VAC --> Expand to the indexing EV server --> Right-click on the server and select Properties --> select the Advanced tab --> change "IndexingEngineQueryServicePort" = (any new port number; make sure it's not in use by other software).
Once done, verify that it is updated using the following SQL query on the EnterpriseVaultDirectory database: select settingName, settingDescription, settingValueNumeric from view_ExtendedSetting where settingName = 'IndexingEngineQueryServicePort'
09-19-2013 08:17 AM
Thanks for the update. You may wish to mark as the solution whichever comment best suits your answer.
09-19-2013 08:20 AM
If it is a false positive and has been identified as such... should that not satisfy the security team? This has been confirmed to be a process that is running as part of EV, and it is suspected that the security scanning software is seeking open ports as the trigger for a security concern. IF this is still a valid concern despite appearing to be a false positive... wouldn't changing the ports just shuffle the issue to somewhere the utility doesn't find it?
At the point where it is confirmed to be a false positive... I may go to the security scanning software vendor and confirm this is what they are looking at and then ask them to enhance their product.
Any security concerns should be logged in a case, as dev are the only people who can really address them IMO.
If and when your query is satisfied... please don't forget to flag the poster who helped you work it out.
Thanks in advance.