They are unable to exploit it. The special patch and/or subsequent MPs resolve the problem. The problem is the software does not acknowledge that the resolution has been accomplished.

>>> "Martin, Jonathan (Contractor)" <[EMAIL PROTECTED]> 2/28/2007 1:54 PM >>>

Is the software saying the problem still exists because it doesn't see the new NBU version, or because it is exploiting the code vulnerability?

Call me crazy but..... If their software says you have a problem, but can't prove it, then short of running the exploit yourself (which IMO is a major waste of time) the NBU documentation should suffice. If their software is in fact exploiting that problem and you are running a future release then someone needs to inform Symantec. I find the latter unlikely...

Stupid politics...

-Jonathan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bob Stump
Sent: Wednesday, February 28, 2007 1:14 PM
To: veritas-bu@mailman.eng.auburn.edu
Subject: [Veritas-bu] qualys vulnerability

There is a scanning software provided by "Qualys" that has a problem but they REFUSE to fix their scanning software. The scanning software reports the vulnerability discussed in this notice but fails to report that the proper MP was applied to resolve the vulnerability. This is what our security group calls a "false positive". They then require that paperwork be submitted to negate the "false positive". I think the scanning software should be fixed to NOT report a vulnerability if the proper resolution has already been applied. Am I wrong?

Here is the initial Symantec resolution:

A vulnerability has recently been discovered, which affects the bpjava-msvc logon process within VERITAS NetBackup (tm) 4.5, 5.0, 5.1, and 6.0 (including maintenance and feature packs). This vulnerability could potentially allow remote malicious users to execute arbitrary code.

http://support.veritas.com/docs/279085

The above resolution IS INCLUDED in subsequent maintenance packs.

BTW: I asked our security group to contact the source and get it fixed but they said they had no confidence that the resolution from Symantec is adequate.

Here is their website: http://www.qualys.com/products/overview/

_______________________________________________
Veritas-bu maillist - Veritas-bu@mailman.eng.auburn.edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu