8organicbits 3 days ago

While I think an update to the Apache version is a good idea, this is a very low quality report. There are tons of people scanning the web looking for out-of-date software and sending low effort reports about known CVEs. This is the kind of report even large companies ignore.

Critically, it's not even clear that this is a vulnerability report. Yes, the version is outdated, and yes, there are known CVEs, but is the server actually vulnerable?

The CVE referenced has the key phrase: "... whose response headers are malicious or exploitable". This does not appear to be a CVE that would impact every installation. You need to find a way to control the response headers, meaning you need to chain another vulnerability.

Without verifying that the server is vulnerable this isn't a vulnerability report. It's a suggestion to install updates. Paired with the poor delivery, it seems reasonable for the author to get blocked and ignored.

vips7L 3 days ago | parent | next [-]

>yes there are known CVEs, but is the server actually vulnerable?

I ask this question every time some security guy scans my dependencies; they can never actually determine that, and I'm forced to drop everything to fix it.

8organicbits 2 days ago | parent [-]

That's a good point. I'm a developer and security freelancer so I've been on both sides of that interaction. As a developer I usually update when there's a severe vulnerability in a dependency; checking if I am actually vulnerable would take longer. As a security contractor I've helped teams with some really out of date systems, often with several high severity CVEs. I typically (depending on contract terms) assess if the application is vulnerable, and if so, if there's evidence of compromise.

I prefer establishing an update cadence versus fire drills. Security hygiene over heroics.

kayfox 2 days ago | parent | prev | next [-]

> While I think an update to the Apache version is a good idea, this is a very low quality report.

It's still a report, which should be handled with seriousness and professionalism. What that app developer did was neither.

evilDagmar 2 days ago | parent | prev [-]

Truth. A stripped-down configuration of that running nothing but personally-written code on the backend would pretty much render those issues moot (as in "completely mitigated").

Considering how lacking in detail the reports were, I'd probably have just dismissed this man's claims as "AI slop". That he was relying on nmap to tell him the version of something that is easily discovered using openssl s_client (because those HTTP response headers are perfectly human-readable) is kind of telling in and of itself.
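As an added example (not code from anyone in the thread), here is what the banner grab evilDagmar describes looks like in practice, wired to the point 8organicbits makes earlier: the Server: header read over openssl s_client tells you the advertised version, which is a starting point for deciding whether a fix is needed, not proof that the host is exploitable. The script reads an HTTP response, pulls out the Server: header, extracts an Apache httpd version if the banner carries one, and compares it against a fixed version you supply. The hostname, port and comparison version are parameters you choose; the sample response in the usage note below is constructed.

```shell
#!/bin/sh
# Added example, not from the discussion above. Grabs the Server: header over
# TLS with openssl s_client and compares the Apache version it advertises
# against a version you pass in. A banner match is a reason to assess, not
# evidence of exploitability (and it can be hidden with ServerTokens Prod).

# Print the value of the first Server: header in an HTTP response read on stdin.
server_header_from_response() {
    tr -d '\r' | sed -n 's/^[Ss]erver:[[:space:]]*//p' | head -n 1
}

# Extract the numeric Apache httpd version (e.g. 2.4.41) from a Server: value.
# Prints nothing when the banner is not an Apache banner or carries no version.
apache_version() {
    printf '%s\n' "$1" | sed -n 's/^Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# version_lt A B: succeed (exit 0) when dotted version A is lower than B.
# Missing components are treated as 0, so 2.4 compares equal to 2.4.0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Send a HEAD request through openssl s_client (SNI set to the host) and
# print the Server: header. Needs network access; host and port are parameters.
grab_https_banner() {
    printf 'HEAD / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$1" \
      | openssl s_client -quiet -connect "$1:${2:-443}" -servername "$1" 2>/dev/null \
      | server_header_from_response
}

# banner_status BANNER FIXED_VERSION: print "older" when the advertised Apache
# version is below FIXED_VERSION, "current" when it is not, and "unknown" when
# the banner carries no usable Apache version at all.
banner_status() {
    v=$(apache_version "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif version_lt "$v" "$2"; then
        echo older
    else
        echo current
    fi
}

# Usage: ./banner.sh example.org 2.4.62 [port]
if [ $# -ge 2 ]; then
    banner=$(grab_https_banner "$1" "${3:-443}")
    echo "Server: ${banner:-<none>}"
    banner_status "$banner" "$2"
fi
```

Feeding a constructed response such as `printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n\r\n'` into `server_header_from_response` yields `Apache/2.4.41 (Ubuntu)`, and `banner_status` then reports `older` against 2.4.62. An `unknown` result is the expected outcome on hosts that suppress the version string, which is exactly the case where a version-only report has nothing to stand on.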