Troubleshooting
Problem
These document discusses some vulnerabilities that may be reported with the Guardium appliance from a PCI scan.
Symptom
PCI vulnerability scan on Guardium reports the following vulnerabilities:
EMAILADDRESS=support@guardium.com, CN=guardium.com, OU=CA, O=""
Guardium, Inc."", L=Waltham, ST=Massachusetts, C=US -- Path does not
chain with any of the trust anchors. The list of well-known, trusted
CAs is:
OpenBSD OpenSSH 4.3 on Check Point GAiA (Linux 2.6)
TLS/SSL certificate signed by unknown, untrusted CA:
TLS/SSL certificate is self-signed.
The subject common name found in the X.509 certificate ('CN=gmachine')
does not seem to match the scan target '
SSL certificate is signed with MD5withRSA
Length of RSA modulus in X.509 certificate: 1024 bits (less than 2047bits)
Cause
The first vulnerability listed:
"EMAILADDRESS=support@guardium.com, CN=guardium.com, OU=CA, O=""
Guardium, Inc."", L=Waltham, ST=Massachusetts, C=US -- Path does not
chain with any of the trust anchors. The list of well-known, trusted
CAS is:"
occurs because the appliance certificate has not been updated with a new certificate from a trusted source. It still has the default certificate that we ship appliances with.
The rest of the vulnerabilities may be related to missing latest updates on the appliance.
Resolving The Problem
1.- Request a certificate from your trusted signer and install it on the appliance. See How to install GUI Certificates in Guardium in the Related URL section for details.
2.- Install patch 150 for version 8.2 (v8.2p150) or patch 50 for version 9.0 (v9.0p50) which contain important updates to the installed certificate.
Related Information
Was this topic helpful?
Document Information
Modified date:
16 June 2018
UID
swg21671358