Security Scan against ESXi 7.0 U3q might report false positive findings CVE-2018-12122, CVE-2007-6750 (aka SlowLoris)


Article ID: 378666


Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

When running a security scan against an ESXi 7.0 Update 3q (build 23794027), the scanner reports 2 findings for a vulnerability commonly known as SlowLoris:

 

Environment

VMware vSphere ESXi 7x

Resolution

Both of these findings are false positive alarms. ESXi 7.0 Update 3q and later versions are not vulnerable.

In detail:

  • CVE-2007-6750 only affects Apache versions up to 2.2.14. ESXi 7.0 U3q ships with Apache 2.4.15-1ph3, a newer version that is not affected by this vulnerability.
  • CVE-2018-12122 is a vulnerability in Node.js. ESXi does not ship with this JavaScript runtime and is therefore not affected by this CVE either.
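
The two checks above (installed version against the last affected version, and whether the component is shipped at all) can be applied to scanner output during triage. The following is an added example, not VMware tooling: the function names, the `AFFECTED` table layout and the inventory dictionary are hypothetical, and the data in them is constructed from the statements in this article.

```python
import re

# Affected ranges as stated in the article: (component, last affected version).
# None as the version means the range is not modelled here, so a host that
# does ship the component is sent to manual review instead of being cleared.
AFFECTED = {
    "CVE-2007-6750": ("apache", (2, 2, 14)),
    "CVE-2018-12122": ("node.js", None),
}

def parse_version(text):
    """Return the leading dotted-numeric part as a tuple, ignoring a vendor
    suffix such as '-1ph3'. Returns None when there is no numeric prefix."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def triage(cve, inventory):
    """Classify one scanner finding against a host's component inventory."""
    if cve not in AFFECTED:
        return ("needs-review", "no affected-range data for this CVE")
    component, last_affected = AFFECTED[cve]
    installed = inventory.get(component)
    if installed is None:
        return ("false-positive", f"{component} is not shipped on this host")
    version = parse_version(installed)
    if version is None or last_affected is None:
        return ("needs-review", f"cannot compare {component} {installed!r}")
    if version > last_affected:
        return ("false-positive",
                f"{component} {installed} is newer than last affected "
                + ".".join(map(str, last_affected)))
    return ("confirmed", f"{component} {installed} is within the affected range")

# Constructed inventory for ESXi 7.0 U3q, taken from the article's statements.
ESXI_70U3Q = {"apache": "2.4.15-1ph3"}

if __name__ == "__main__":
    for cve in ("CVE-2007-6750", "CVE-2018-12122"):
        print(cve, *triage(cve, ESXI_70U3Q))
```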