This question was originally posted on DCIM Support by Antonio Suarez on 2019-06-27
A customer has reported the following vulnerabilities in DCE 7.6:
OpenSSH out of date:
Apache HTTP out of date:
OpenSSH out of date:
SSL/TLS supporting TLSv1.0
OpenSSH user enumeration:
How can we update DCE server components?
This answer was originally posted on DCIM Support by Jakub Porebski on 2019-06-27
I believe we will have to wait for a new version of the appliance. DCE 7.7 does not seem to address these: https://sxwhelpcenter.ecostruxureit.com/display/public/UADCE725/StruxureWare+Data+Center+Expert+v7.7...
This answer was originally posted on DCIM Support by Steven Marchetti on 2019-06-27
I haven't gone through each one individually. Most of these vulnerabilities you have listed are for SSH. SSH is only used when working with tech support and there is no access required by customers. SSH can be turned off.
I looked at the Apache vulnerability:
The Apache HTTP Server 1.x and 2.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris, related to the lack of the mod_reqtimeout module in versions before 2.2.15.
I checked on DCE 7.6 and found that we are using version:
Server version: Apache/2.2.15 (Unix)
Server built: Jun 19 2018 15:45:13
7.7 uses the same version.
As for TLS versions and SSLv3, these are used for backwards compatibility to communicate with some older devices but can be turned off:
As for updating individual modules, you can't. We don't provide root access. Even if we did, upgrading to an untested version could cause unexpected issues.
I'll still forward your concerns but since these are mostly 2016 or earlier, I'm going to assume they are not being considered vital. I will let you know what more I hear, if anything.
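As an added example (not part of the original thread and not code from its authors or the vendor): the version check described in the answer above, extended to also look at whether `mod_reqtimeout` is loaded, since the quoted advisory ties the issue to that module. The module listing is a constructed sample of `httpd -M` output, and the function names and status strings are assumptions made for illustration.

```python
import re

# Threshold from the advisory text quoted in the thread: the issue is tied to
# the lack of mod_reqtimeout in versions before 2.2.15.
REQTIMEOUT_MIN = (2, 2, 15)

# Banner as posted in the thread.
BANNER = "Server version: Apache/2.2.15 (Unix)"

# Constructed sample of `httpd -M` output (not taken from a real DCE server).
SAMPLE_MODULES = """Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 reqtimeout_module (shared)
Syntax OK
"""

def parse_apache_version(banner):
    """Return (major, minor, patch) from `httpd -v` output or a Server header."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if m is None:
        raise ValueError("no Apache version in banner: %r" % banner)
    # Integers, so that 2.2.9 sorts below 2.2.15 (string comparison would not).
    return tuple(int(part) for part in m.groups())

def reqtimeout_loaded(modules_dump):
    """True if reqtimeout_module is listed in `httpd -M` output."""
    return any(line.split()[:1] == ["reqtimeout_module"]
               for line in modules_dump.splitlines())

def triage(banner, modules_dump=None):
    """Classify the slow-request DoS finding from the evidence available."""
    if parse_apache_version(banner) < REQTIMEOUT_MIN:
        return "affected: version predates mod_reqtimeout"
    if modules_dump is None:
        return "unconfirmed: module available, load state unknown"
    if not reqtimeout_loaded(modules_dump):
        return "exposed: mod_reqtimeout not loaded"
    # Loaded does not prove RequestReadTimeout is configured; check the config.
    return "module loaded: verify RequestReadTimeout settings"

if __name__ == "__main__":
    print(triage(BANNER))
    print(triage(BANNER, SAMPLE_MODULES))
```

With only the banner, as in the thread, the result stays "unconfirmed": the version number shows the module is available, not that it is loaded or configured.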