What is Obsolete Software and why should I be concerned?
Obsolete Software refers to services that have been identified as running software which is out of date and no longer supported or maintained by its developer. This means that bugs will not be fixed and vulnerabilities will not be patched, and a vulnerability may not even be publicly disclosed until attackers have already exploited it. Running any out-of-date software leaves an organisation extremely exposed to attack (just as running vulnerable services does) and to service failure.
How do I resolve this?
Having out-of-date services accessible directly from the Internet raises the question of why the organisation has not hidden or updated them to mitigate a known risk. These servers (and any internal instances) should be upgraded to the latest stable, maintained versions of the relevant product – each vendor’s website lists the current release version. If this is not possible, you should take steps to mitigate the issue, such as removing any sensitive systems and data from the server and segregating it from the rest of your infrastructure.
We further recommend implementing a procedure to check regularly that software is up to date (for example, a register of all software in use, where it is used, and who is responsible for keeping it updated), and not delaying or ignoring update notices from software providers.
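As an added illustration of the register-and-check procedure described above (this is example code, not part of the original page), the script below holds a small software register (product, installed version, host, responsible owner) and compares each entry against a support table of current releases and end-of-support dates. Product names, version numbers, hosts, owners and dates are all constructed sample data; in practice the support table would be filled from each vendor's published release and end-of-life information. Note that versions are compared numerically rather than as strings, so that 10.11 is correctly treated as newer than 10.6.

```python
"""Check a software register against vendor support data and report
entries that are unsupported, outdated, or not covered by the support table.
Added example with constructed data; product names and dates are hypothetical."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RegisterEntry:
    product: str    # software product as named in the register
    installed: str  # version string reported by the running service
    host: str       # where the software is deployed
    owner: str      # person responsible for keeping it up to date


@dataclass(frozen=True)
class SupportInfo:
    latest: str                              # current stable release
    branch_eol: Dict[int, Optional[date]]    # major version -> end-of-support date (None = still supported)


@dataclass(frozen=True)
class Finding:
    status: str           # "unsupported", "outdated" or "unknown"
    entry: RegisterEntry


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.6.2', 'v3.2.1' or '2.4.0-rc1' into a tuple of ints for comparison.
    Comparing version strings directly is wrong: '10.6.2' < '9.0' as text."""
    parts = []
    for piece in text.strip().lstrip("vV").split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def classify(entry: RegisterEntry, support: Dict[str, SupportInfo], today: date) -> str:
    """Decide whether a register entry is current, outdated, unsupported or unknown."""
    info = support.get(entry.product)
    if info is None:
        return "unknown"          # not in the support table: needs investigation
    installed = parse_version(entry.installed)
    major = installed[0]
    if major not in info.branch_eol:
        return "unsupported"      # release line no longer tracked by the vendor
    eol = info.branch_eol[major]
    if eol is not None and eol <= today:
        return "unsupported"      # release line has passed end of support
    if installed < parse_version(info.latest):
        return "outdated"         # supported, but a newer release exists
    return "current"


def check_register(register: List[RegisterEntry], support: Dict[str, SupportInfo], today: date) -> List[Finding]:
    """Return a Finding for every entry that is not current, in register order."""
    return [Finding(status, e) for e in register
            if (status := classify(e, support, today)) != "current"]


def findings_by_owner(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Group findings by the responsible owner so each person gets an action list."""
    grouped: Dict[str, List[Finding]] = {}
    for f in findings:
        grouped.setdefault(f.entry.owner, []).append(f)
    return grouped


# Constructed support table (hypothetical products and dates).
SUPPORT = {
    "exampleweb": SupportInfo("3.2.1", {1: date(2021, 1, 1), 2: date(2024, 6, 30), 3: None}),
    "exampledb": SupportInfo("10.11.0", {9: date(2023, 3, 31), 10: None}),
}

# Constructed software register.
REGISTER = [
    RegisterEntry("exampleweb", "1.8.3", "web01.example.internal", "alice"),
    RegisterEntry("exampleweb", "v2.4.0", "web02.example.internal", "alice"),
    RegisterEntry("exampleweb", "3.1.0", "web03.example.internal", "bob"),
    RegisterEntry("exampleweb", "3.2.1", "web04.example.internal", "bob"),
    RegisterEntry("exampledb", "10.6.2", "db01.example.internal", "carol"),
    RegisterEntry("legacytool", "5.7", "app01.example.internal", "dave"),
]

TODAY = date(2024, 9, 1)  # fixed date so the example is reproducible

if __name__ == "__main__":
    for owner, items in findings_by_owner(check_register(REGISTER, SUPPORT, TODAY)).items():
        print(f"Owner {owner}:")
        for f in items:
            print(f"  [{f.status}] {f.entry.product} {f.entry.installed} on {f.entry.host}")
```

Running the script as-is prints an action list per owner; scheduling it (or its equivalent against a real inventory) gives the regular check the page recommends, and the "unknown" status surfaces software that has slipped outside the register's support data.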