How to Remove / Find out if it's Installed: Oracle iPlanet Web Server on Ubuntu - PCI Compliance Vulnerability

0

I'm the last stretch of getting a Server fully PCI Compliant; however, there are two more points I have spent hours researching and can't find accurate or up to date information about.

On the Scans I'm getting these two Flags as High Risk Vulnerabilities:

  1. WebSphere JSP source disclosure in web document root
  2. Sun ONE Application Server source disclosure

The Server O/S is Ubuntu Server V 16.04.5 LTS and is running

  • Odoo V11 Enterprise Edition
  • Postfix 3.1.0
  • Dovecot 2.2.22
  • Apache 2.4.38
  • PostgreSQL 11.3
  • Python 2.7.12
  • Python 3.5.2

When I run a Scan and try the following:

Information From Target:
Service: https
Sent:
GET /web/content/59950-fae3f18/index.JSP HTTP/1.0
Host: novathreads.us
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Connection: Keep-alive
Cookie: session_id=7e72f6c77a05598387c0d015fa80050966f5cffe

I get:

Received:
return _.isFunction(value)?value.call(object):value;};var idCounter=0;_.uniqueId=function(prefix){var id=++idCounter+'';return prefix?prefix+id:id;};_.templateSettings={evaluate:/<%([\s\S]+?)%>/g,interpolate:/<%=([\s\S]+?)%>/g,escape:/<%-([\s\S]+?)%>/g};var noMatch=/(.)^/;var escapes={"'":"'",'\\':'\\','
And:
return _.isFunction(value)?value.call(object):value;};var idCounter=0;_.uniqueId=function(prefix){var id=++idCounter+'';return prefix?prefix+id:id;};_.templateSettings={evaluate:/<%([\s\S]+?)%>/g,interpolate:/<%=([\s\S]+?)%>/g,escape:/<%-([\s\S]+?)%>/g};var noMatch=/(.)^/;var escapes={"'":"'",'\\':'\\','

Which is being flagged by my Approved Scanning Vendors as a High Vulnerability as it exposing information about the session and server.

I have searched intensively and it seems that either these are deprecated or very specific in use.

The only semi-useful information I found is that those don't exist anymore and nowadays turned into Oracle iPlanet Web Server.

What I desperately need is a way to find out if they're installed to either disable them or to prove that they're not installed to my SAV and dispute the vulnerability.

Would someone be kind enough to show me how can I determine if they're installed or not?

Will this work to try to deny execution of .jsp files on Apache?

<Files  ~ "\.jsp$">
   Order allow,deny
   Deny from all
</Files>

DevilYan

Posted 2019-05-25T01:00:32.977

Reputation: 1

No answers

Asked: 2019-05-25T01:00:32.977

Viewed: 29 times

Active: 2019-05-26T06:22:59.170