On Wed, Dec 06, 2006 at 02:45:43AM +0000, tech tech wrote:
> Plugin: 17348 [Jetty < 4.2.19 Denial of Service]
> 1. The plugin defines severity as Medium. But in the
> scan report I found that it is giving a high severity
> alert.
Earlier, risk levels were assigned somewhat arbitrarily -- basically, it
was a judgment call by the plugin's author. And while we tried to have
holes / warnings / notes correspond to risk factors of Critical or High
/ Medium / Low or None respectively, it didn't always happen.
For the past year, we've been using CVSS base scores --
http://www.first.org/cvss/cvss-guide.html -- for the assignment,
although we still have to revisit many of the older plugins to update them.
This was one such plugin, and I've just calculated a base score for it
and updated the plugin. According to this score, the vulnerability is a
low risk one, and that is now reflected in the report.
> 2. I did the scan with Non DoS plugins. Even then
> Nessus reported this vulnerability... is it a problem
> with the Nessus client?
Nessus has both a denial of service plugin category as well as a denial
of service plugin family. The category describes the possible effect of
the plugin when you run it while the family is based on the
vulnerability or vulnerabilities being covered by the plugin.
When you run in safe checks or enable non-DoS plugins in the NessusWX
client, you're talking about plugin categories, that is, plugins that
might crash the service or host or otherwise negatively impact it when
you run them. Hope this clears up the confusion somewhat.
George
--
theall@tenablesecurity.com
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
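As an added illustration of the re-rating George describes (this is example code, not code from the page, from Nessus or from Tenable), the script below computes a CVSS base score from a metric vector and maps it to a risk factor band. It assumes the CVSS v2 base-metric equations and weights (the message links the FIRST guide without naming a version) and assumes the score-to-risk bands None/Low/Medium/High/Critical; the vectors it scores are constructed for illustration and are not the vector of plugin 17348.

```python
"""CVSS base score -> risk factor, as used to rate a plugin.

Added example, not Nessus or Tenable code. Assumptions: CVSS v2 base
equations and weights; the score bands in RISK_BANDS. The sample vectors
at the bottom are constructed, not the metadata of any real plugin.
"""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base metric weights (values from the v2 specification).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

# Assumed mapping from base score (inclusive upper bound) to risk factor.
RISK_BANDS = [
    (0.0, "None"),
    (3.9, "Low"),
    (6.9, "Medium"),
    (9.9, "High"),
    (10.0, "Critical"),
]


def parse_vector(vector):
    """Parse 'AV:N/AC:L/Au:N/C:N/I:N/A:P', optionally wrapped in parentheses."""
    vector = vector.strip().strip("()")
    metrics = {}
    for part in vector.split("/"):
        name, _, value = part.partition(":")
        metrics[name] = value
    required = ("AV", "AC", "Au", "C", "I", "A")
    missing = [m for m in required if m not in metrics]
    if missing:
        raise ValueError("vector missing metrics: %s" % ", ".join(missing))
    return metrics


def base_score(vector):
    """CVSS v2 base score rounded half-up to one decimal place."""
    m = parse_vector(vector)
    c, i, a = IMPACT[m["C"]], IMPACT[m["I"]], IMPACT[m["A"]]
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    if impact == 0:
        # f(Impact) is 0 when there is no impact at all: the score is 0.
        return 0.0
    exploitability = (20 * ACCESS_VECTOR[m["AV"]]
                      * ACCESS_COMPLEXITY[m["AC"]]
                      * AUTHENTICATION[m["Au"]])
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * 1.176
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def risk_factor(score):
    """Map a base score onto the assumed None/Low/Medium/High/Critical bands."""
    for upper, label in RISK_BANDS:
        if score <= upper:
            return label
    raise ValueError("score out of range: %r" % score)


def rate(vector):
    """Convenience: (score, risk factor) for one vector."""
    score = base_score(vector)
    return score, risk_factor(score)


if __name__ == "__main__":
    # Constructed vectors, e.g. a remote partial-availability DoS, a
    # remote full compromise, a local partial disclosure, and no impact.
    for v in ("AV:N/AC:L/Au:N/C:N/I:N/A:P",
              "AV:N/AC:L/Au:N/C:C/I:C/A:C",
              "AV:L/AC:L/Au:N/C:P/I:N/A:N",
              "(AV:L/AC:H/Au:N/C:N/I:N/A:N)"):
        print("%-32s %4.1f  %s" % ((v,) + rate(v)))
```

The point for a reader of the thread: the risk factor in a report is a function of the vector the plugin author chose, so two plugins in the same family (here, Denial of Service) can legitimately land in different bands.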