
0 Votes
JasonDean-5612 asked ryanchill edited

PCI scan failing on Azure Web App

Hi,

We are getting a failed PCI scan reporting multiple issues with NGINX. There is literally nothing on the internet about how to fix this. PCI Compliance Manager wants us to upgrade the version of NGINX that Azure is using but I'm not sure we can even do that. See error message below. What do I do to make this scan pass? The web app that it's scanning is just a simple website or Azure App Service (xyz.azurewebsites.net).

Vulnerable nginx version detected on port 80 -
Server: nginx/1.16.1

CVE-2019-20372
CVE-2021-23017

Customers are advised to install nginx 1.21.0 or later versions to remediate this vulnerability.


azure-webapps-security

Hi @JasonDean-5612, can you elaborate further on how you deploy your app code? Are you using a container image? Do you have any 3rd party library configured?


Hi @ryanchill! Thanks for your response. I use an Azure DevOps pipeline to deploy the code. See screenshot. Deploy tasks are on version 4.*.

123237-cleanshot-2021-08-14-at-072808.png


123208-cleanshot-2021-08-14-at-074313.png



Thanks for the details @JasonDean-5612. How is your app service configured? I'm assuming your solution is .NET Core? I've heard of these errors on a Virtual Machine but not an App Service. I'd like to see if I can reproduce your issue.


1 Answer

1 Vote
JasonDean-5612 answered

Just to close the loop on this issue... I ended up having to create a new App Service and port the app over to that. I re-ran the PCI scan and everything is good.

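An added example, not part of the original thread: the finding above quotes a `Server: nginx/1.16.1` header and advises 1.21.0 or later, so the same banner can be read from your own site before and after a change and compared against that minimum. The function names and sample responses are constructed for illustration, and a banner only shows what the server advertises, not its actual patch level.

```python
import http.client
import re

# Minimum version quoted in the scan finding on this page.
ADVISED_MINIMUM = (1, 21, 0)

# Matches a "Server: nginx/x.y.z" line anywhere in a header block.
_BANNER = re.compile(r"^server:\s*nginx/(\d+(?:\.\d+)*)", re.IGNORECASE | re.MULTILINE)


def nginx_version(raw_headers):
    """Return the advertised nginx version as a tuple of ints, or None."""
    match = _BANNER.search(raw_headers)
    if match is None:
        return None  # no Server header, or no nginx version in it
    return tuple(int(part) for part in match.group(1).split("."))


def _pad(version, width):
    # Pad with zeros so that 1.21 compares equal to 1.21.0.
    return version + (0,) * (width - len(version))


def scan_verdict(raw_headers, minimum=ADVISED_MINIMUM):
    """Classify a header block against the advised minimum version."""
    version = nginx_version(raw_headers)
    if version is None:
        return "no-nginx-version-banner"
    width = max(len(version), len(minimum))
    if _pad(version, width) < _pad(minimum, width):
        return "below-advised-minimum"
    return "meets-advised-minimum"


def fetch_headers(host, port=80, timeout=10):
    """Send HEAD / to a site you operate and return its headers as text."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        return "\n".join(f"{k}: {v}" for k, v in conn.getresponse().getheaders())
    finally:
        conn.close()


# Constructed sample responses (not captured from a real site).
FLAGGED = "HTTP/1.1 200 OK\r\nServer: nginx/1.16.1\r\nContent-Type: text/html\r\n"
NO_BANNER = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"

if __name__ == "__main__":
    for name, sample in (("flagged", FLAGGED), ("no banner", NO_BANNER)):
        print(name, nginx_version(sample), scan_verdict(sample))
```

To check a live site you operate, pass the output of `fetch_headers("your-app-hostname")` to `scan_verdict`.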