Hi, my Azure web application (dotnet core 3.1) was giving a green flag for PCI compliance until a couple of days ago. However, I received an email from the certification provider stating that the application is no longer PCI compatible, with the following two messages.
Title: CPE Based Vulnerabilities for Microsoft IIS httpd 10.0
Impact: One or more vulnerabilities have been found that affect this service. Please see the relevant CVEs for more details.
Resolution: Apply the latest vendor patches to the Microsoft IIS httpd 10.0 service running on port 80 & port 443
| CVE | Score |
|---|---|
| CVE-2008-4301 | 10.0 |
| CVE-2008-4300 | 5.0 |
| CVE-2013-2566 | 4.3 |
| CVE-2015-2808 | 4.3 |
This is confusing, as no changes were made to either the web application or the Azure settings. The resolution they suggested is to apply the latest vendor patches to Microsoft IIS, which I think is possible only when the application is running on a VM, whereas my application is a simple Azure App Service.
Server:
HTTP response header. – Dai