Tycoon Talk
Website and Server Administration Forum


12-02-2008, 08:00 PM VPS Question
Skilled Talker

Posts: 64
Name: Ralph Freshour
Trades: 0
I have a VPS account with several customers. One of them is trying to get PCI certified and his ASV (Approved Scanning Vendor: TrustWave) says OpenSSL is out of date and needs to be updated to the latest version. They also report that MySQL has an open port to the internet.

My questions are:

1. I thought a VPS account would allow you to install any software on your account only and not affect other accounts? My hosting provider is telling me that they cannot upgrade OpenSSL on just this one account only, that they would have to upgrade the whole server. Is this true or are they just BSing me?

2. What about MySQL? Can that be upgraded on one account only or does it have to affect the whole server?

3. Regarding TrustWave's report of having an open port in MySQL to the internet, how in the heck do they expect you to have a database if you don't have it open to your customers?

I'm starting to think that maybe I don't really have a VPS account...it sounds like a Shared account to me but I'm not sure.
__________________
RalphF
Business Text Messaging Services

12-02-2008, 08:32 PM Re: VPS Question
chrishirst's Avatar
Missing! presumed drunk.

Posts: 41,519
Name: Chris Hirst
Location: Blackpool. UK
Trades: 0
1/ depends on how the server hardware is segmented. But I'd be a little concerned about a server operator who won't upgrade the SSL setup in any case.

2/ Again it depends on the details.

but for both 1 & 2 IF the server is running fully isolated segments, each VPS could have different configurations of software without affecting the other segments.

3/ You don't really need open ports for MySQL; sites that are running on the server use localhost as the server name.
Only if you allow remote access to MySQL should port 3306 be opened to the outside world, and even then access from remote systems should be limited to named hosts or specific IPs.
__________________
Chris. ->> Links are advertising NOT optimising!! <<-
A foolish consistency is the hobgoblin of little minds
Thought for today:- Is SEO the only industry where all the cowboys are Indians?
12-02-2008, 08:51 PM Re: VPS Question
Skilled Talker

Posts: 64
Name: Ralph Freshour
Trades: 0
They said OpenSSL has been backwards upgraded for all known vulnerabilities and they want to keep that stable version. I'm waiting to hear from my customer if he can get TrustWave to give him a waiver based on this.

I understand re the open MySQL port.

Thanks...
12-02-2008, 09:46 PM Re: VPS Question
Skilled Talker

Posts: 64
Name: Ralph Freshour
Trades: 0
I asked to close off the outside mysql port and they did that but now I've lost my 3rd party SQL tool access. They said they cannot close this port off for one vps account only. This doesn't sound like a VPS account to me, it sounds like a Shared hosting account.
12-02-2008, 10:05 PM Re: VPS Question
andrei155's Avatar
CEO of BLD Hosting

Posts: 1,514
Name: Andrei
Location: Canada
Trades: 6
Sounds like an inexperienced web host.
12-03-2008, 04:11 AM Re: VPS Question
chrishirst's Avatar
Missing! presumed drunk.

Posts: 41,519
Name: Chris Hirst
Location: Blackpool. UK
Trades: 0
"backwards upgraded" Hmm? I wonder how that works.

and I'm with Andrei on this one.
12-14-2008, 02:50 AM Re: VPS Question
Average Talker

Posts: 15
Name: Scott
Trades: 0
This sounds funny to me as well.

It does depend on how the virtualization is being handled on the node as to how some software can be installed, but for the most part, installations are separate from the node on vps.
12-14-2008, 09:30 AM Re: VPS Question
damien_ls's Avatar
Layershift

Posts: 474
Name: Damien
Trades: 0
Quote:
Originally Posted by chrishirst
"backwards upgraded" Hmm? I wonder how that works.

I assume that they're referring to something like Red Hat's policy of backporting critical fixes to earlier versions, so most likely (as with most PCI DSS scanning in my experience) the scan is just looking for a version number rather than a vulnerability - in which case this will flag up as an error even though the version they're running may be perfectly safe.

As for the MySQL bit, it's complete nonsense to say that they can't firewall that for you without affecting other customers. If you're running this on a VPS (assuming that the MySQL server is also within that, rather than a shared MySQL server that you connect to for instance) it shouldn't be a problem.

Also I should mention that you could firewall MySQL for every IP except the one you connect from (assuming that you have a static IP) so it'll pass scanning, and still enable you to use remote management tools. Not entirely sure where this stands on compliance though.

Some of what they're saying could be to do with the details of the virtualisation software they're using... or they could just be a useless host (as others have suggested). What virtualisation software are they using? (e.g. Xen, Virtuozzo, VMware, OpenVZ etc.).
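The backporting point in the post above can be checked from the package changelog rather than the version banner. This is an added example, not code from the thread: it searches text in the layout printed by `rpm -q --changelog openssl`, and the changelog entries and CVE identifiers are constructed placeholders.

```shell
#!/bin/sh
# Added example. The changelog below is constructed; ids are placeholders,
# not real advisories. Real input: rpm -q --changelog openssl
sample_changelog() {
cat <<'EOF'
* Mon Jan 01 2001 Example Packager <pkg@example.com> 0.9.8b-10
- fix CVE-0000-1111 - placeholder description of a backported fix

* Sun Dec 31 2000 Example Packager <pkg@example.com> 0.9.8b-9
- fix CVE-0000-2222 - another placeholder backport
EOF
}

# backport_status CVE-ID   (changelog on stdin)
# Prints "fixed-in <version-release>" for the first entry naming the CVE
# (status 0), "not-found" (status 1), or "invalid-id" (status 2).
backport_status() {
    case $1 in
        *[!CVE0-9-]*) echo "invalid-id"; return 2 ;;   # no regex metacharacters
        CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]*) ;;
        *) echo "invalid-id"; return 2 ;;
    esac
    awk -v cve="$1" '
        /^\* / { rel = $NF }    # entry header: last field is version-release
        # require a non-digit after the id so a shorter id cannot match a longer one
        !found && $0 ~ (cve "([^0-9]|$)") { print "fixed-in " rel; found = 1 }
        END { if (!found) { print "not-found"; exit 1 } }
    '
}

# check_findings CVE...   (changelog on stdin)
# One result line per CVE; status 1 if any id has no changelog entry.
check_findings() {
    log=$(cat); rc=0
    for cve in "$@"; do
        if st=$(printf '%s\n' "$log" | backport_status "$cve"); then :; else rc=1; fi
        printf '%s %s\n' "$cve" "$st"
    done
    return $rc
}

# Demo on the constructed changelog: one id is covered, one is not.
sample_changelog | check_findings CVE-0000-1111 CVE-0000-3333 \
    || echo "some findings have no backport entry"
```

Each "fixed-in" line, together with the installed package release, is the kind of evidence to attach when disputing a version-only finding with the scanning vendor.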
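The firewall advice in this post and in chrishirst's earlier reply (port 3306 reachable only from specific IPs) looks like this as iptables rules. This is an added example, not from the thread: the chain name `MYSQL_IN` and the addresses (documentation ranges) are assumptions, and the function only prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example: build an allow-list rule set for MySQL's port 3306.
# MYSQL_IN is a hypothetical chain name; addresses are documentation ranges.

# valid_ipv4 ADDR: status 0 only for a dotted quad with octets 0-255.
valid_ipv4() {
    case $1 in *[!0-9.]*|''|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# mysql_fw_rules IP...
# Prints iptables commands, in the order they must be applied:
#   loopback stays open (local sites connect via localhost),
#   each listed address is accepted, everything else is dropped.
# Status 2 and no output if any address is malformed.
mysql_fw_rules() {
    [ $# -ge 1 ] || { echo "usage: mysql_fw_rules IP..." >&2; return 2; }
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 2; }
    done
    echo "iptables -N MYSQL_IN"
    echo "iptables -A MYSQL_IN -i lo -j ACCEPT"
    for ip in "$@"; do
        echo "iptables -A MYSQL_IN -s $ip/32 -j ACCEPT"
    done
    echo "iptables -A MYSQL_IN -j DROP"
    # Inserted at position 1 so it is evaluated before any existing,
    # broader ACCEPT rule in INPUT that would otherwise match first.
    echo "iptables -I INPUT 1 -p tcp --dport 3306 -j MYSQL_IN"
}

# Demo: one static admin address (constructed).
mysql_fw_rules 203.0.113.10
```

This depends on the static IP the post assumes; with a changing address the allow-list entry has to be updated each time it changes.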
 