The following vulnerability was found in the latest vulnerability scan:
Patches must be applied to the underlying web server and SSL library. While many sites completely disable the renegotiation feature, it is advised to patch instead, because otherwise clients cannot tell the difference between a vulnerable and a patched server and may refuse to connect to such a server altogether.
Further, the server should reject client-initiated renegotiation requests, as these may assist in a denial of service (DoS) attack against the server. Establishing an encrypted SSL connection is a computationally expensive task. Most firewalls and DoS prevention tools watch for connection rate, among other parameters. The renegotiation feature allows an attacker to repeatedly send multiple connection re-establishment requests over a single TCP connection, avoiding detection by DoS prevention tools.
The question is whether ServiceDesk and xFlow are impacted.
Release : 17.3
Component : SDM - Vulnerability
The described vulnerability is an SSL/TLS renegotiation issue that occurs during the SSL handshake between the browser and the web server. SDM/xFlow are not involved. We do not handle any SSL renegotiations.
The above vulnerability does not apply to SDM/xFlow.
According to the following pages, the Akka HTTP Server (used in xFlow) is not listed as vulnerable to CVE-2009-3555. The CVE is also not listed on the page of Akka vulnerabilities.
https://www.cvedetails.com/product/40771/Akka-Http-Server.html?vendor_id=16757
https://www.cvedetails.com/cve-details.php?cve_id=CVE-2009-3555