sunhux
asked on
IIS in Cloud
https://www.cloudflare.com/resources-downloads
Referring to the (3rd party) IIS Module, is it a safe security practice to install it in a tenant's
VM in cloud environment?
SOLUTION
ASKER
In the case of plug-ins, I've seen Firefox introducing vulnerabilities.
This module appears to be F5 (load balancer) related: we do use F5, but I'm uncertain how it interacts with F5 or what its impact on F5 is.
Some of the Firefox & IIS "plugin"-related vulnerabilities that our IPS has reported:
1000192 - Indexing Service ISAPI Extention Buffer Overflow Vulnerability,Web Server IIS,2 - Normal,Critical,Prevent,Vulnerability,N/A,CVE-2001-0500,10.0,"November 21, 2007"
1001256 - Mozilla Firefox Acrobat Reader Plugin Universal Cross Site Scripting,Web Client Mozilla FireFox,2 - Normal,Medium,Prevent,Vulnerability,N/A,CVE-2007-0048,5.0,"January 17, 2008"
1004331 - Mozilla Firefox Plugin Parameter Array Dangling Pointer,Web Client Mozilla FireFox,2 - Normal,Critical,Prevent,Exploit,N/A,CVE-2010-2755,10.0,"Aug 11, 2010"
1005329 - Foxit Reader Plugin For Browsers URL Processing Buffer Overflow Vulnerability,Web Client Mozilla FireFox,2 - Normal,Critical,Prevent,Vulnerability,N/A,N/A,10.0,"Feb 13, 2013"
ASKER
Is this module (given by the CDN provider) some sort of plugin?
Java/JRE plugins are another concern for which we have to patch & apply IPS signatures from time to time.
ASKER
In the case of Java/Firefox & some common plugins, we can still get patches from Oracle/Firefox, but
I'm concerned that if this module is not well supported & one day has a vulnerability, there's no
vendor to produce a patch for it; if it's uncommon, our IPS products may not produce signatures for it.
If it's not a plugin nor some add-on that will give rise to security risk, then do let me know how it's
being assessed as such so that we'll proceed to have the tenant install it.
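One concrete way to answer "how is it being assessed" from the defender's side is to inventory every native module and ISAPI filter registered in IIS on the tenant VM and record which ones are not Microsoft-signed, since those are the ones that need their own patch and IPS-signature tracking. This is an added example, not code from the thread or from any vendor; it assumes the IIS WebAdministration PowerShell module (IIS 7.x or later) and PowerShell 3.0 or later, run as an administrator.

```powershell
# Added example (not from the thread): list IIS native modules and ISAPI filters,
# resolve their DLLs, and flag anything not signed by Microsoft as "third party".
Import-Module WebAdministration

function Get-IisNativeExtensionInventory {
    $items = @()

    # Native (global) modules, e.g. a vendor-supplied client-IP module
    foreach ($m in Get-WebGlobalModule) {
        $items += [pscustomobject]@{ Kind = 'NativeModule'; Name = $m.Name; Image = $m.Image }
    }

    # Classic ISAPI filters registered at the server level
    $filters = Get-WebConfiguration -Filter 'system.webServer/isapiFilters/filter' -PSPath 'IIS:\'
    foreach ($f in $filters) {
        $items += [pscustomobject]@{ Kind = 'IsapiFilter'; Name = $f.name; Image = $f.path }
    }

    foreach ($i in $items) {
        # Image paths are usually stored with %windir% / %SystemRoot% variables
        $path = [Environment]::ExpandEnvironmentVariables($i.Image)
        $signer = 'n/a'; $status = 'FileMissing'; $version = 'n/a'
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            $version = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
        }
        # Anything without a valid Microsoft signature needs separate patch tracking
        $thirdParty = -not ($status -eq 'Valid' -and $signer -like '*O=Microsoft Corporation*')
        [pscustomobject]@{
            Kind       = $i.Kind
            Name       = $i.Name
            Path       = $path
            Version    = $version
            Signature  = $status
            Signer     = $signer
            ThirdParty = $thirdParty
        }
    }
}

# Show only the modules that are not covered by Microsoft's own patch cycle
Get-IisNativeExtensionInventory | Where-Object { $_.ThirdParty } | Format-Table -AutoSize
```

Run it before and after the tenant installs the vendor module and diff the two outputs; the new row gives the DLL path and file version to track against the vendor's advisories and to hand to the VA scanner team.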
ASKER CERTIFIED SOLUTION
ASKER
Gee, that was a very insightful response.
I personally prefer to use software developed by big players like MS and Oracle, as they are seen as frequently developing patches for the likes of IIS, .Net, Java/JRE.
Curious if the IPS filter I listed earlier has any relation to this ISAPI module:
1000192 - Indexing Service ISAPI Extention Buffer Overflow Vulnerability,Web Server IIS,2 - Normal,Critical,Prevent,Vulnerability,N/A,CVE-2001-0500,10.0,"November 21, 2007"
ASKER
Sorry the formatting was out in my last post: the first 3 and a half lines was supposed to be at the bottom
ASKER
I recall there is a way to configure the F5 LB such that the client's source IP is logged in the IIS logs: correct me if I'm wrong. If so, we won't need this ISAPI filter.
SOLUTION
ASKER
Excellent
ASKER
a) in the case of Struts for Apache, we'll need to address Struts vulnerabilities from time to
time on top of Apache's vulnerabilities. So does this IIS module also add on this extra
potential vulnerability that we have to address from time to time?
b) does Windows 2008 R2 and IIS patches that are released by MS affect this module?
Any special handling needed?
c) is there any VA scanner like Nessus (or Outpos in our case) that could scan for this
module's vulnerability?
d) does any IIS & Windows 2008 R2 hardening affect this module in any way?