Security audits reporting potential vulnerabilities in Core Services 3.X

From support-works



Status: Published
Version: 1.3
Authors: HTL QA
Applies to: Supportworks Core Service 3.X

Hornbill Core Services includes third party products which are used by Supportworks ESP. In certain cases, the versions of third party products used are not the latest available.

External security audits and tests may identify the presence of these products and then report a vulnerability simply because the versions used are not the latest. On its own, such an assessment does not take into account the application, environment and scenarios in which these third party products are used. A vulnerability in a current or older version of a third party product is relevant only if it can be exploited within the context of its use by Hornbill's own products and solutions. Where such an issue is identified, Hornbill is committed to resolving it for whichever version of the third party product is used in conjunction with its own products and solutions.

Hornbill has produced a new release of Core Services (6.0.x), which includes the latest versions of PHP, MySQL and Apache. Aligned with the release of this new version of Core Services are releases of Supportworks ESP 8.0 and ITSM Enterprise.

For customers that choose not to, or cannot, move to the latest platforms, Hornbill recommends upgrading to Core Services 3.1.4 and the Supportworks ESP v7.6.2 platform release. Core Services 3.1.4 contains a later Apache release from the 2.2 development stream together with security hardening. Hornbill also recommends that customers review the firewall settings on their Supportworks servers to ensure that only those ports necessary for Supportworks ESP to function are open. From Supportworks ESP v7.6 onwards, port 5002 – the port previously required to be open so that clients could connect to the Supportworks MySQL database – can be closed. (For MySQL replication, port 5002 only needs to be open on the replication server, and only to its replication peer.)
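As an added example that is not part of this article or of Hornbill's own tooling, the following PowerShell script applies the firewall recommendation above on a Windows server running Supportworks ESP v7.6 or later: it shows what is listening on TCP 5002, disables any existing inbound Allow rule that opens the port, sets the default inbound action to Block, and (only where the server takes part in MySQL replication) adds a single Allow rule scoped to the replication peer. The replication peer address 10.0.0.25, the rule names and the NetSecurity cmdlets (Windows Server 2012 or later; on Windows Server 2008 R2 use the equivalent netsh advfirewall commands) are assumptions, not values from the article.

```powershell
# Added example, not Hornbill code. Run in an elevated PowerShell session on the
# Supportworks server. Assumes Windows Server 2012+ (NetSecurity module present).

$MySqlPort       = 5002
$ReplicationPeer = '10.0.0.25'   # hypothetical replication server; set to $null on a
                                 # server that does not replicate, so no Allow rule is created
$RuleNamePrefix  = 'Supportworks MySQL 5002'

# 1. Record which process is listening on 5002 before changing anything.
Get-NetTCPConnection -LocalPort $MySqlPort -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        "{0}:{1} is owned by {2} (PID {3})" -f $_.LocalAddress, $_.LocalPort, $proc.ProcessName, $_.OwningProcess
    }

# 2. Remove rules this script created earlier so that reruns are idempotent.
Get-NetFirewallRule -DisplayName "$RuleNamePrefix*" -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# 3. Disable any other enabled inbound Allow rule that opens TCP 5002, for example
#    one created at install time. Windows Firewall evaluates Block rules before Allow
#    rules regardless of order, so a blanket Block rule would also cut off the
#    replication peer; relying on the default inbound action is the cleaner approach.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq "$MySqlPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        "Disabling existing rule that opens ${MySqlPort}: $($_.DisplayName)"
        $_ | Disable-NetFirewallRule
    }

# 4. With no Allow rule left, 5002 is closed as long as the default inbound action
#    is Block on every profile.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 5. Replication server only: allow the replication peer, and nothing else, to reach 5002.
if ($ReplicationPeer) {
    New-NetFirewallRule -DisplayName "$RuleNamePrefix - allow replication peer" `
        -Direction Inbound -Protocol TCP -LocalPort $MySqlPort `
        -RemoteAddress $ReplicationPeer -Action Allow -Profile Any | Out-Null
}

# 6. Verify: list every enabled inbound Allow rule that still opens 5002 and its
#    remote scope. The only expected entry is the replication rule (or none at all).
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq "$MySqlPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $scope = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        "{0}: remote scope = {1}" -f $_.DisplayName, ($scope -join ', ')
    }
```

After applying the script, confirm the result from a client workstation rather than from the server itself, for example with `Test-NetConnection -ComputerName <supportworks-server> -Port 5002`, which should report TcpTestSucceeded as False from any host other than the replication peer. Because Supportworks ESP v7.6 clients no longer connect to MySQL directly, a successful connection from a client network after this change indicates another rule or an intermediate firewall still exposing the port.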