Hi Steve,
> > I thought that this was an extension of the existing vulnerability (number
> > 10707 ... rated low to medium) to which the "Proposed Solution" made it
> > clear that there would be no real solution available for many months let
> > alone when (if ever) it would be deployed. This vulnerability was sent to
> > the security list last week and is what prompted David and Kostas to see
> > what effect it could have... given that running insecure RGMA is a
> > critical test! Remember that this is after the 45 days since the
> > vulnerability was first notified to the vulnerabilities group. I think
> > that what Kostas showed was that this vulnerability was mis-rated at low
> > to medium because people had not seen the possible dangers associated with
> > it.
>
> No this is not really an extension of #10707 as the servlet in
> question is purely to allow checking that firewalls are set up correctly
> and relevant ports open.
I guess that it was #10707 that "inspired" Kostas to look at the effect of
there being no authorisation in RGMA yet and this was just the first
servlet that he looked at.
All the best,
david