Introduction
At MODX, we provide fully managed hosting on Ubuntu LTS servers. We take security seriously and handle all system updates and patches in-house. This article helps you interpret security scan results.
Interpreting Security Scan Results
Many generic security scans compare software version numbers against known vulnerable versions. However, these scans often don’t account for Ubuntu’s backporting practices: security fixes are applied to the package version already shipped in the release rather than by upgrading to a new upstream version, so the version number a scanner sees does not change. As a result, they may report false positives, flagging software as vulnerable even when it’s been patched.
A common example is any report about Java libraries that are installed by default in some OS versions, such as Log4Shell (CVE-2021-44228) and Text4Shell (CVE-2022-42889). Our server builds do not include Java, and it is not available to customer sites; our customer environments include only the libraries required to operate and build websites using PHP.
How to Verify If a Reported Vulnerability Has Been Patched
If your security scan reports vulnerabilities, follow these steps to verify if they’ve been addressed:
- Note the CVE (Common Vulnerabilities and Exposures) number or the affected package name from your scan results.
- Visit the Ubuntu Security Notices website: https://ubuntu.com/security/notices
- Use the search function to look for notices related to Ubuntu 20.04 and the specific CVE or package.
- Check if the notice indicates that the vulnerability has been patched.
Alternatively, use the Ubuntu Security Tracker: https://ubuntu.com/security/cve
- Enter the CVE number in the search box.
- Look for the status of Ubuntu 20.04 (Focal) in the results.

If you’re unsure about a specific vulnerability, please contact our support team and include the CVE number or package name. We’ll be happy to research and verify patch statuses for you starting at $250 USD.
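As an added example (not MODX’s own tooling or part of the original article), the shell script below shows the local check that complements the Ubuntu Security Notices lookup above: it splits a Debian/Ubuntu package version into the upstream part a version-only scanner compares and the packaging revision where a backported fix actually lives, and it searches the package’s shipped changelog for the CVE id, which is where Ubuntu records backported security fixes. The function names, the example package name and the CVE id in the sample changelog are assumptions constructed for this example; the `check_installed_package` helper only works on a real Ubuntu host with `dpkg`, while the sample changelog lets the rest run anywhere.

```shell
#!/bin/sh
# Added example, not part of the MODX article. Checks whether an Ubuntu package
# already carries a backported fix for a CVE by reading the package's Debian
# changelog (/usr/share/doc/<pkg>/changelog.Debian.gz on a real host).

# Split a Debian/Ubuntu version string such as "1.1.1f-1ubuntu2.16".
# A version-only scanner sees just the upstream part ("1.1.1f"); the backported
# fix is recorded in the packaging revision ("1ubuntu2.16"). Leading epochs
# ("2:") are dropped.
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/-[^-]*$//'
}
package_revision() {
    case "$1" in
        *-*) printf '%s\n' "${1##*-}" ;;
        *)   printf '%s\n' "" ;;
    esac
}

# Return 0 if the CVE id appears in the changelog (fix backported), 1 otherwise.
# Handles both plain and gzip-compressed changelog files.
cve_fixed_in_changelog() {
    cve="$1"; changelog="$2"
    case "$changelog" in
        *.gz) zcat "$changelog" 2>/dev/null | grep -q -i -- "$cve" ;;
        *)    grep -q -i -- "$cve" "$changelog" 2>/dev/null ;;
    esac
}

# Convenience wrapper for a live Ubuntu host (needs dpkg-query):
#   check_installed_package <package> <CVE-id>
check_installed_package() {
    pkg="$1"; cve="$2"
    ver=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null) || { echo "$pkg: not installed"; return 2; }
    echo "$pkg $ver (upstream $(upstream_version "$ver"), revision $(package_revision "$ver"))"
    if cve_fixed_in_changelog "$cve" "/usr/share/doc/$pkg/changelog.Debian.gz"; then
        echo "$cve: fix present in Ubuntu changelog for $pkg"
    else
        echo "$cve: not found in changelog; check https://ubuntu.com/security/cve"
        return 1
    fi
}

# Constructed sample changelog (hypothetical package and CVE id, not real data)
# so the check can be exercised offline.
SAMPLE_CHANGELOG=$(mktemp)
trap 'rm -f "$SAMPLE_CHANGELOG"' EXIT
cat > "$SAMPLE_CHANGELOG" <<'EOF'
examplepkg (1.2.3-4ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: placeholder issue description
    - debian/patches/CVE-2024-0000.patch: placeholder fix description
    - CVE-2024-0000

 -- Ubuntu Security Team <security@ubuntu.com>  Mon, 01 Jan 2024 00:00:00 +0000
EOF

echo "sample version 1.2.3-4ubuntu0.2: upstream $(upstream_version 1.2.3-4ubuntu0.2), revision $(package_revision 1.2.3-4ubuntu0.2)"
if cve_fixed_in_changelog CVE-2024-0000 "$SAMPLE_CHANGELOG"; then
    echo "CVE-2024-0000: backported fix recorded in sample changelog"
fi
```

On a real host, a scanner that only reads `1.2.3` from `1.2.3-4ubuntu0.2` would flag the package, while the changelog shows the fix was backported in revision `4ubuntu0.2`; the Ubuntu Security Tracker status for the release is still the authoritative confirmation.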
Our Commitment to Security
We continuously monitor for new security patches and apply them according to our patching policy. This proactive approach helps ensure that your hosted environment remains secure.
What If a Vulnerability Isn’t Patched?
In rare cases where a reported vulnerability has not yet been patched, we assess the risk and may take additional measures to mitigate it. We prioritize addressing any confirmed, unpatched vulnerabilities based on their severity classification.
Contact Us
If you need help interpreting scan results, or have concerns about specific vulnerabilities, please don’t hesitate to contact our support team.
Remember: Security is a partnership. While we manage server-level security, please ensure you follow best practices for application-level security within your hosted environment.