Hi, my Azure web application (.NET Core 3.1) was getting a green flag for PCI compliance until a couple of days ago. However, I received an email from the certification provider stating that the application is no longer PCI compatible, with the following two messages.
Title: CPE Based Vulnerabilities for Microsoft IIS httpd 10.0 Impact: One or more vulnerabilities have been found that affect this service. Please see the relevant CVEs for more details.
Resolution: Apply the latest vendor patches to the Microsoft IIS httpd 10.0 service running on port 80 & port 443
CVE            Score
CVE-2008-4301  10.0
CVE-2008-4300   5.0
CVE-2013-2566   4.3
CVE-2015-2808   4.3
This is confusing, as no changes were made either to the web application or to the Azure settings. The resolution they suggested is to apply the latest vendor patches to Microsoft IIS, which I think is possible only when the application is running on a VM, whereas my application is a simple Azure App Service.
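Before disputing a CPE-based finding it helps to know what the scanner actually keyed on and what can be verified independently. The script below is an added example, not code from the original post or from the scanning vendor. It assumes a hostname you own (`host` is a parameter you supply) and relies on two facts from the CVE records: CVE-2013-2566 and CVE-2015-2808 describe weaknesses in the RC4 cipher, not a bug in IIS itself, so whether they apply can be tested by offering the server only RC4 suites. The other two CVEs are left as "banner only", meaning the scanner matched them on the `Server: Microsoft-IIS/10.0` string and nothing about the service was exercised. `triage()` and the result categories are this example's own naming.

```python
"""Triage a CPE-based scanner finding against what the server really does.

Added example (not from the original post). Network functions need a host
you control; triage() itself works offline on the values they return.
"""
import socket
import ssl
import urllib.request

# CVE ids from the finding that are RC4 cipher weaknesses (per the CVE records).
RC4_CVES = {"CVE-2013-2566", "CVE-2015-2808"}


def parse_server_banner(header):
    """Split a Server header such as 'Microsoft-IIS/10.0' into (product, version).

    CPE-based scanners derive product and version from exactly this string,
    so it is the first thing to look at when a finding names 'IIS httpd 10.0'.
    """
    if not header:
        return (None, None)
    product, _, version = header.strip().partition("/")
    return (product, version or None)


def fetch_server_banner(host, port=443, timeout=5):
    """Return the Server header the site sends (requires network access)."""
    scheme = "https" if port == 443 else "http"
    req = urllib.request.Request(f"{scheme}://{host}:{port}/", method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.headers.get("Server")


def rc4_negotiable(host, port=443, timeout=5):
    """Offer the server only RC4 suites and report what happens.

    Returns the negotiated cipher name if the server accepts RC4, False if the
    handshake is refused, or None if the local OpenSSL build has no RC4 suites
    (common today), in which case the check is inconclusive and an external
    cipher scanner has to be used instead.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # TLS 1.3 suites are configured separately from set_ciphers(), so cap the
    # version at 1.2; otherwise a TLS 1.3 handshake would succeed without RC4.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers("RC4")
    except ssl.SSLError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                name = tls.cipher()[0]
                return name if "RC4" in name else False
    except OSError:  # ssl.SSLError, refused connection and timeouts all land here
        return False


def triage(findings, banner, rc4_result):
    """Sort the reported CVE ids by what was actually verified.

    findings: iterable of CVE ids from the scanner report.
    banner: raw Server header (or None).
    rc4_result: value returned by rc4_negotiable().
    """
    out = {"banner_only": [], "rc4_confirmed": [], "rc4_refuted": [], "rc4_untested": []}
    for cve in findings:
        if cve in RC4_CVES:
            if rc4_result is None:
                out["rc4_untested"].append(cve)
            elif rc4_result:
                out["rc4_confirmed"].append(cve)
            else:
                out["rc4_refuted"].append(cve)
        else:
            # Matched on product/version string alone; nothing was exercised.
            out["banner_only"].append(cve)
    out["cpe_basis"] = parse_server_banner(banner)
    return out


if __name__ == "__main__":
    import sys
    host = sys.argv[1]
    banner = fetch_server_banner(host)
    report = ["CVE-2008-4301", "CVE-2008-4300", "CVE-2013-2566", "CVE-2015-2808"]
    print(triage(report, banner, rc4_negotiable(host)))
```

If `rc4_negotiable()` returns a cipher name, the two RC4 CVEs are real and the remedy on App Service is a TLS configuration change rather than an IIS patch; if it returns False, that part of the finding can be disputed with evidence. The `banner_only` entries are the ones to take up with the scanning vendor, since the report shows they were derived from the version string.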
We also use Security Metrics for scanning our websites. We called them this afternoon about this same issue. They requested that we send them a screenshot of our IIS Manager version page so that they can verify we are running current for our version. They will add this to the "False Positives" tab on the Vulnerability Scanning section of our account.
You will have to call their assistance line at 801-705-5700 for them to work with you on setting up false positives (exceptions). They will ask several questions regarding your account to verify that you are with the company, plus a callback number, name, and title.