IBM Support

InfoSphere Guardium fails PCI vulnerability scan "OpenBSD OpenSSH 4.3 on Check Point GAiA"

Troubleshooting


Problem

These document discusses some vulnerabilities that may be reported with the Guardium appliance from a PCI scan.

Symptom

PCI vulnerability scan on Guardium reports the following vulnerabilities:


EMAILADDRESS=support@guardium.com, CN=guardium.com, OU=CA, O="" Guardium, Inc."", L=Waltham, ST=Massachusetts, C=US -- Path does not chain with any of the trust anchors. The list of well-known, trusted CAs is:

OpenBSD OpenSSH 4.3 on Check Point GAiA (Linux 2.6) TLS/SSL certificate signed by unknown, untrusted CA:

TLS/SSL certificate is self-signed.

The subject common name found in the X.509 certificate ('CN=gmachine') does not seem to match the scan target '':

SSL certificate is signed with MD5withRSA

Length of RSA modulus in X.509 certificate: 1024 bits (less than 2047bits)

Cause

The first vulnerability listed:

"EMAILADDRESS=support@guardium.com, CN=guardium.com, OU=CA, O=""
Guardium, Inc."", L=Waltham, ST=Massachusetts, C=US -- Path does not
chain with any of the trust anchors. The list of well-known, trusted
CAS is:"

occurs because the appliance certificate has not been updated with a new certificate from a trusted source. It still has the default certificate that we ship appliances with.

The rest of the vulnerabilities may be related to missing latest updates on the appliance.

Resolving The Problem


1.- Request a certificate from your trusted signer and install it on the appliance. See How to install GUI Certificates in Guardium in the Related URL section for details.

2.- Install patch 150 for version 8.2 (v8.2p150) or patch 50 for version 9.0 (v9.0p50) which contain important updates to the installed certificate.

[{"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"--","Platform":[{"code":"PF016","label":"Linux"}],"Version":"9.0;8.2","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
16 June 2018

UID

swg21671358

Page Feedback