Why does our vulnerability scan report the SMG has vulnerabilities in the Apache/HTTPD web server?

Why does our vulnerability scan report the SMG has vulnerabilities in the Apache/HTTPD web server?

The SecureMail Gateway versions 4 and 5 are built on a hardened CentOS Linux operating system. The software components of the operating system, like the Apache web server (HTTPD), the mysql database, the openssl encryption libraries, etc. are regularly updated via 'backports' to the original version. Although the main version number reported by the software never changes, the software itself receives regular updates by our Technical support via patches. The updates are released when major bugs or security vulnerabilities are discovered in the software components.

Please refer to this article for more information about the 'backporting' process for Linux releases: https://access.redhat.com/security/updates/backporting

The problem with this technique is that it can create 'false positives' when vulnerability scanning tools only look at the reported version number and do not ACTUALLY CHECK if the system is vulnerable. For instance, many scanners will report that the SMG's web server has dozens of vulnerabilities from as far back as 2013, and that it should be upgraded to at least httpd 2.2.XX. These are most likely false positives if the scanner is simply looking at the reported version number.

If you would like to test the web server of your SMG for vulnerabilites, a very helpful tool from Qualys can be found here: https://www.ssllabs.com/ssltest/

    • Related Articles

    • Routing Mail From Microsoft 365 To Your SMG

      If you are using Microsoft 365 as your mail service, setting up your mail flow to include GlobalCerts SecureMail Gateway(s) is done using a 'Connector' and routing rules. First you need to set up a connector to your SMG. Then, you'll create mail flow ...
    • How do I update the SMG's SSL Certificate?

      Please follow these instructions to update the SSL/TLS certificate on your SecureMail Gateway: Login to the web administration at https://smg.mydomain.com:444/ Click on Certificate -> Upload in the top menu. Copy/Paste your new certificate in PEM ...
    • End User Training for the SMG

      The attached document contains detailed walkthroughs on how to send and receive secure emails using the SecureMail Gateway solution.
    • SMG Mail Routing for Microsoft Exchange

      If your organization is using Microsoft Exchange for your email server infrastructure, below you will find details on routing your outbound email through the SecureMail Gateway server so that it can secure outgoing emails: ​ Setting up a "Send ...
    • How To Import SMG User's S/MIME Certificates into Microsoft Outlook

      Introduction The article describes how to manually trust and use GlobalCerts S/MIME certificates within Microsoft Outlook. It is useful for any 3rd parties that would like to use S/MIME to secure their email with a GlobalCerts user. It assumes you ...