Azure Web App identified target web site is using IIS 10 and detected that it is out of date - how to change
A security scan of a web app running Windows has been identified as a High vulnerability. Since this is an old version of the software, it may be vulnerable to attacks. When the Server: Microsoft-IIS/10.0
External References: https://nvd.nist.gov/vuln/detail/CVE-1999-0229
Internet Information Services Other Vulnerability
IIS allows local users to cause a denial of service via invalid regular expressions in a Visual Basic script in an ASP page.
Affected Versions: 10.0
External References: https://nvd.nist.gov/vuln/detail/CVE-2000-0115
How can we do the following to fix this issue when using Azure web app?
Remedy: Upgrading IIS to a higher version is not a standalone operation. The IIS version depends heavily on the Windows OS version that you use on your server machine. If it is not possible to upgrade IIS to a higher version for this type of reason, we strongly recommend that you track and apply the patches that are published by the vendor. Please note that all updates and patches for IIS come as Windows Updates. Also, you can select which update package(s) will be applied.
Solution 1:
As mentioned, a scan intended for an on-premises IIS installation is not applicable to a PaaS service. Azure Web Apps are a managed service from Microsoft and by using that you are trusting Microsoft to manage, update and secure that service and so you have to assume they are doing so. If you are not happy doing that then you should look at running your own web server in a VM where you have full control, but you will lose all the benefits of a PaaS service.