Let me first say that I'm not really a fan of PCI scanners. It's not so much that I'm anti security scanners but rather that scanning for vulnerabilities based on only the version number a package returns seems rather simplistic to me.

However, what should I do if my PCI scanner reports that the Apache version running the WebUI on my appliance is too old?

Well first to coin a phrase from "The Hitchhiker's Guide" DON'T PANIC!!

Our appliance is built on the widely used CentOS 6 platform and Red Hat do an amazing job of backporting security / bug fixes into their older and more stable package base. This means the chances are that any reported failures have been fixed already. It's also worth pointing out that we would never recommend that you use the appliance as your only firewall and really the WebUI should not be accessible to the wider internet.

When a PCI scanner reports a failure they'll give you a CVE number. You can then use this number to check against various websites to learn more about the problem and also in which version the problem is fixed. One such website is :
https://access.redhat.com/security/cve

Just select the relevant year and search for the CVE number in the filter box, to see Red Hat's response select the "Red Hat Enterprise Linux version 6" errata.

Another option(V7.4+) is to check against the package change log directly on the appliance itself :

rpm -q --changelog httpd |grep CVE-2011-3192

The above searches the changelog for any mention of CVE-2011-3192 and displays a result if found :

  • add security fix for CVE-2011-3192 (#733063, #736592)

Should your scanner find anything that's not already patched then please do contact support@loadbalancer.org to let us know, we can then look at either updating a package(if possible) or disabling a feature if it's not really required.

Malcolm has already had a moan about PCI DSS on a previous blog post