We are seeing Qualys flag our 2019 Windows servers as vulnerable to QID 91617 - Microsoft Windows Adobe Type Manager Library Remote Code Execution Vulnerability (ADV200006) (Zero Day) and according to Microsoft’s own post on the issue, https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200006, Windows Server 2019 is impacted by this vulnerability.
However, the files (C:\Windows\SysWOW64\atmfd.dll and C:\Windows\System32\atmfd.dll) and the relevant registry settings are NOT in the our 2019 image or our resulting builds and the Qualys results sections of vulnerability scans only show the operating system, NOT any files or registry settings found or patches that are missing.
So, Qualys is in agreement with Microsoft’s post and flagging the vulnerability, but at the same time it is not pointing to any vulnerable files, registry settings, or missing patches.
Is Windows Server 2019 really vulnerable? What is the community seeing on Windows Server 2019?