Server Software Risk Vector: Understanding Findings and Remediation Tips

Recommendations for Remediating Server Software Findings

- Identify out-of-date server software installations and update them.
- Ensure the organization has critical server software set to auto-update, if applicable. If some of the organization's production applications depend on certain unsupported versions, their software development teams will need to integrate the newer versions into their code base.
- Consult your operating system vendors' software repositories and release notes for more information on supported server software for your organization.

What are the risks of not remediating a Server Software finding?

- Leaves bugs and vulnerabilities unpatched.
- Exposes organizations to software bugs that can be exploited by attackers and may disrupt business continuity.

How are software products with extended security updates graded?

The general support life cycle of some software products is split into two periods: the first half with "mainstream support", followed by the second half with "extended support". After the extended support period, "extended security updates (ESU)" might be offered. Extended support and ESU are taken into consideration when determining whether software is supported. Within the Bitsight platform, this currently applies to Microsoft products. These ESU programs do not include all security fixes and upgrades.

Software with ESU is evaluated in the following manner:

- GOOD: From the date of release to the end date of extended support.
- FAIR: The first and second years of ESU.
- WARN: The third year of ESU.
- BAD: The end date of ESU.

Where can I view my Server Software Grades and Findings?

- SPM App: Findings ➔ Findings Table
- CM App: Select a company from your Companies List. Go to Vendor Risk ➔ Findings
- Insurance App: Select a company from your Companies List.
  Go to Client Risk ➔ Findings
- Bitsight API: GET /v1/companies/company_guid/findings?risk_vector=server_software

Learn more about finding messages for the Server Software risk vector and how to remediate specific issues below:

Bad Finding Messages

Version is no longer supported by Microsoft
Details: Microsoft no longer supports this version of IIS.
Server: IIS
Remediation Tips: Update IIS to a supported version. See supported versions.

Software version is unsupported
Details: The installed software is unsupported.
Servers: Apache, PHP, OpenSSH, WordPress
Remediation Tips: Review the list of supported server software and ensure the latest version is installed.

IOS-specific software version is unsupported
Details: The unsupported version installed may be affected by vulnerabilities.
Servers: Apache, PHP, and OpenSSH
Remediation Tip: Update to the latest version and restart the associated services.

Version is no longer supported by WordPress
Details: WordPress has released a new version.
Server: WordPress
Remediation Tips: Update WordPress to a supported version. See supported versions.

OS release is unsupported
Details: The server software is running on an unsupported OS release, which creates security risks.
Servers: All
Remediation Tips: Ensure that a supported version of the OS distribution is installed. See supported server software.

OS-specific software version is unsupported
Details: The unsupported version installed may be affected by vulnerabilities.
Remediation Tips: Update to the latest version and restart the associated services.

Neutral Finding Messages

Patch status is unknown
Details: We could not verify that the latest security updates have been installed via Windows Update.
Servers: All

OS-specific software version is unknown
Details: We could not verify that the server software has received enterprise support (patches), as the installed OS version could not be detected.
Servers: All

Software version is incomplete
Details: We could not verify that the software version is supported, since the server is configured to report an incomplete version. As this is arguably a security best practice, the grade strictly reflects the fact that the software's support status is unknown.
Servers: All

Support status is unknown
Details: We are unable to determine the security patch status of the installed software.
Servers: All

Good Finding Messages

Software version is supported
Details: The software version is up to date.
Servers: All

OS-specific software version is supported
Details: The software version is up to date for this operating system distribution.

OS-specific software package is supported
Details: The software package is supported for this operating system distribution.

Software is supported
Details: The software is supported.

September 11, 2023: Published.
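The ESU grading rules described in "How are software products with extended security updates graded?" above, worked through as an added Python example (this is not Bitsight's code; the lifecycle dates and the product are constructed for illustration, and the ESU year boundaries are assumed to fall on anniversaries of the extended-support end date):

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class SupportLifecycle:
    """Lifecycle dates for a product. The values used below are constructed, not a real product's."""
    release: date
    extended_support_end: date  # last day of extended support; ESU year 1 starts the next day
    esu_end: date               # end date of the ESU programme


def add_years(d: date, years: int) -> date:
    """Anniversary of d, clamping Feb 29 to Feb 28 in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def esu_year(lc: SupportLifecycle, on: date) -> int:
    """1-based ESU year that `on` falls in (assumes `on` is after extended support ended)."""
    n = 1
    while on > add_years(lc.extended_support_end, n):
        n += 1
    return n


def esu_grade(lc: SupportLifecycle, on: date) -> str:
    """GOOD / FAIR / WARN / BAD for ESU-covered software, evaluated as of date `on`."""
    if on < lc.release:
        raise ValueError("software not yet released on that date")
    if on <= lc.extended_support_end:
        return "GOOD"   # release date through the end of extended support
    if on >= lc.esu_end:
        return "BAD"    # the ESU end date has been reached
    return "FAIR" if esu_year(lc, on) <= 2 else "WARN"  # ESU years 1-2 FAIR, year 3 WARN


# Constructed example: extended support ends 2025-10-14, followed by a three-year ESU window.
EXAMPLE = SupportLifecycle(date(2015, 7, 29), date(2025, 10, 14), date(2028, 10, 14))

if __name__ == "__main__":
    for d in (date(2024, 1, 1), date(2026, 3, 1), date(2027, 10, 15), date(2028, 10, 14)):
        print(d, esu_grade(EXAMPLE, d))
```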