Disabled service is not disappearing

I’m scratching my head a little bit here.
I have an “obsolete version of apache tomcat” on a server, and instead of upgrading the installed version, the owner of the machine has opted to disable the service.
However, after a new network scan, the service keeps popping up as being obsolete.

Authenticated scans are not possible at this time on this machine so I’m a bit stuck.

Does anyone have an idea what the correct course of action is?

Thank you,

Many of the checks are based on vulnerable software versions and do not necessarily account for the service being enabled or disabled. I’m not sure if that’s the same case here, but it’s likely. If you’re comfortable with the service being disabled and think it will not be re-enabled down the road, you could always submit a vulnerability exclusion for it.

Pity there isn’t a way to except/remove a specific vulnerability until it is confirmed again by another scan.

There is a way to except a specific vulnerability on a specific asset, asset group, all assets, etc. When you browse to the asset page in question, scroll down to the vulnerabilities, and click the Exclude button on the right side of whichever vulnerability you would like to except.