The Apache server used in KCA has been modified by RSA to address all known security vulnerabilities. Below is the information received from RSA Security Engineering after they analyzed the above scan report:
*****
- All of these "vulnerabilities" either reside in features that are disabled in KCA (htpasswd, mod_proxy), or have been addressed in KCA patches.
- RSA Security constantly monitors the Apache and vulnerability-tracking communities, and evaluates the impact on KCA of each issue when it arises. Careful analysis is undertaken to determine if KCA is truly vulnerable and, if so, to devise the most effective, fastest, and least disruptive solution to minimize any impact on our customers.
- Quite often, patching a vulnerability in KCA does not entail the installation of a new version of some embedded system (e.g. Apache or mod_ssl), as such "upgrades" generally include many unrelated tweaks and enhancements which can have unforeseen consequences on the KCA product. Rather than drop in a new subsystem and hope for the best, RSA identifies and addresses the specific cause of a vulnerability. By focusing on the root cause, KCA security updates can be released quickly with the lowest risk of introducing other bugs.
- The implication of this approach, however, is that naive scanning tools such as Nessus will raise false-positive alerts in KCA scans, because KCA reports the (technically correct) older version signatures of embedded components.
For more information, see
http://vdc-bugzilla.na.rsa.net/show_bug.cgi?id=8958+
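The false-positive mechanism described above (a scanner keying on the advertised Apache version while the fix was backported or the affected module is disabled) can be triaged rather than argued about. The following is an added example, not code from the original page or from RSA: it reproduces the scanner's banner comparison, then checks each finding against the `LoadModule` directives actually in effect and against a vendor backport list. The server banner, the httpd.conf excerpt, the `PLUGIN-*` identifiers and the `fixed_in` versions are all constructed placeholders; real Nessus plugin ids, KCA patch levels and KCA file paths would be substituted by the operator.

```python
"""Triage banner-based scanner findings against the real Apache configuration.

Added example (not part of the original page). All sample data below is
constructed; replace it with the scanner export, the live httpd.conf and the
vendor's published backport list.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set

# --- Constructed sample inputs ------------------------------------------------

# Banner as a scanner would read it from the Server header (placeholder versions).
SERVER_BANNER = "Apache/2.0.46 (Unix) mod_ssl/2.0.46 OpenSSL/0.9.7a"

# httpd.conf excerpt: mod_proxy is present on disk but commented out (disabled).
HTTPD_CONF = """\
LoadModule ssl_module          modules/mod_ssl.so
#LoadModule proxy_module       modules/mod_proxy.so
#LoadModule proxy_http_module  modules/mod_proxy_http.so
LoadModule auth_basic_module   modules/mod_auth_basic.so
"""


@dataclass(frozen=True)
class Finding:
    plugin_id: str            # scanner's own id (constructed placeholder)
    component: str            # banner component the plugin keys on
    fixed_in: str             # upstream version that carries the fix
    module: Optional[str]     # Apache module the bug lives in; None for core


FINDINGS = [
    Finding("PLUGIN-A", "Apache", "2.0.50", "proxy_module"),   # lives in mod_proxy
    Finding("PLUGIN-B", "Apache", "2.0.49", None),             # core bug, vendor-patched
    Finding("PLUGIN-C", "mod_ssl", "2.0.48", "ssl_module"),    # enabled, not on patch list
]

# Issues the vendor states it has backported into its build (constructed list).
VENDOR_BACKPORTED = {"PLUGIN-B"}

# --- Logic ---------------------------------------------------------------------

BANNER_RE = re.compile(r"([A-Za-z_]+)/(\d+(?:\.\d+)*[a-z]?)")
LOADMODULE_RE = re.compile(r"^\s*(#?)\s*LoadModule\s+(\S+)\s+(\S+)", re.MULTILINE)


def parse_banner(banner: str) -> Dict[str, str]:
    """Map each 'name/version' token in the Server header to its version string."""
    return dict(BANNER_RE.findall(banner))


def version_key(v: str):
    """Turn '0.9.7a' into ((0, 9, 7), 'a') so versions compare numerically, not as text."""
    m = re.match(r"^([\d.]+)([a-z]?)$", v)
    if m is None:
        raise ValueError("unparseable version: %r" % v)
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)


def enabled_modules(conf: str) -> Set[str]:
    """Module names from uncommented LoadModule lines; commented lines are ignored."""
    return {name for commented, name, _path in LOADMODULE_RE.findall(conf) if not commented}


def banner_flags(finding: Finding, versions: Dict[str, str]) -> bool:
    """Reproduce the scanner's rule: flag when the advertised version predates the fix."""
    advertised = versions.get(finding.component)
    return advertised is not None and version_key(advertised) < version_key(finding.fixed_in)


def triage(findings, banner, conf, backported) -> Dict[str, str]:
    """Classify each banner-derived finding using evidence the scanner never looks at."""
    versions = parse_banner(banner)
    enabled = enabled_modules(conf)
    verdicts = {}
    for f in findings:
        if not banner_flags(f, versions):
            verdicts[f.plugin_id] = "not flagged"
        elif f.module is not None and f.module not in enabled:
            verdicts[f.plugin_id] = "likely false positive: module disabled"
        elif f.plugin_id in backported:
            verdicts[f.plugin_id] = "likely false positive: vendor backport (verify patch level)"
        else:
            verdicts[f.plugin_id] = "investigate"
    return verdicts


if __name__ == "__main__":
    for plugin_id, verdict in triage(FINDINGS, SERVER_BANNER, HTTPD_CONF, VENDOR_BACKPORTED).items():
        print(plugin_id, "->", verdict)
```

The two "likely false positive" verdicts are deliberately not "closed": a disabled module should be confirmed against the running process (for example `httpd -M` on the host, not only the config file), and a claimed backport should be tied to the vendor's patch identifier on the installed system before the finding is accepted as risk-accepted.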