AppDetectivePRO and DbProtect Knowledgebase Update 4.48

This month's update for our AppDetectivePRO and DbProtect Knowledgebase is now available.

Knowledgebase version 4.48 includes six new checks for vulnerabilities in IBM DB2 for Linux, UNIX and Windows (LUW) and new and updated checks for pluggable databases (PDBs) in Oracle data stores.

New Vulnerability and Configuration Check Highlights

IBM DB2 LUW

  • Denial of Service vulnerability in ALTER MODULE statement handling
    • Verify that the version of the target database is not vulnerable to a Denial of Service vulnerability in ALTER MODULE statement handling.
    • Risk: High
    • Relevant CVEs: CVE-2014-3094

  • Buffer Overflow in Java Stored Procedure Infrastructure
    • Verify that the version of the target database is not vulnerable to a Buffer Overflow vulnerability in DB2's Java Stored Procedure infrastructure.
    • Risk: High
    • Relevant CVEs: CVE-2012-2197

  • Denial of Service Vulnerability in XSLT Library
    • Verify that the version of the target database is not vulnerable to a Denial of Service vulnerability in DB2's XSLT library.
    • Risk: Medium
    • Relevant CVEs: CVE-2013-5466

  • Unauthorized Access to Table for user holding EXPLAIN authority
    • Verify that the version of the target database is not vulnerable to unauthorized access to tables by users holding EXPLAIN authority.
    • Risk: Medium
    • Relevant CVEs: CVE-2013-4033

  • Denial of Service when using a SELECT statement with a subquery containing a UNION
    • Verify that the version of the target database is not vulnerable to a Denial of Service vulnerability when a SELECT statement uses a subquery containing a UNION.
    • Risk: Low
    • Relevant CVEs: CVE-2014-3095

Oracle

  • List all user-created PDBs in the current instance
    • Reports list of all user-created PDBs in the CDB.
    • Risk: Informational
    • Relevant CVEs: N/A

Updated Checks

Oracle

  • More than 100 checks updated to support Oracle 12c multi-tenancy mode (PDB)

New Policies

Frameworks and policies added accordingly and policy mapping logic for AppDetectivePRO has been updated.

  • DISA-STIG Oracle 11G V8R1-12-Audit (Built-in)—This policy has been created based on configuration parameters outlined by the DISA-STIG ORACLE 11G DATABASE SECURITY CHECKLIST Version 8, Release 1.12

  • DISA-STIG Oracle 11gR2 V1R2-Audit (Built-in)—This policy has been created based on guidelines mapped out in the DOD Security Technical Implementation Guides "Oracle Database 11.2g Security Technical Implementation Guide Version 1 Release 2"

Notable Changes and Fixes

  • KB-3338–Updated the "Audit tables dedicated tablespace" check to report its results as metadata occurrences rather than as a fact (finding)

  • KB-3283–Updated the implementation of the "Password Lock Time" and "Password Reuse Time" Oracle checks so they no longer fail when the profile parameter is set to a fractional (floating-point) number of days rather than a whole number
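The two Oracle items above, the informational PDB listing and the KB-3283 floating-point fix, are easy to see in code. The following is an added example written for this post; it is not AppDetectivePRO or DbProtect code and does not reproduce either product's check logic. It assumes the checks read V$PDBS for the container list and CDB_PROFILES (the multitenant form of DBA_PROFILES, which carries a CON_ID column) for password limits, whose LIMIT column is a VARCHAR2 that can hold UNLIMITED, DEFAULT, an integer, or a fractional value such as .0006 (what Oracle shows for PASSWORD_LOCK_TIME 1/1440). The sample rows are constructed, and the minimum-days thresholds are placeholder policy values, not figures taken from the DISA STIGs named in this post.

```python
"""Per-container Oracle password-limit evaluation with fractional LIMIT values.

Added example, not vendor code. Sample rows below are constructed; thresholds
are assumed placeholders rather than STIG values.
"""
from fractions import Fraction

# Constructed V$PDBS rows: CON_ID, NAME, OPEN_MODE. PDB$SEED is Oracle's template
# container and is not user-created.
V_PDBS = [
    (2, "PDB$SEED", "READ ONLY"),
    (3, "HRPDB", "READ WRITE"),
    (4, "SALESPDB", "MOUNTED"),
]

# Constructed CDB_PROFILES rows: CON_ID, PROFILE, RESOURCE_NAME, LIMIT.
# CON_ID 1 is CDB$ROOT. LIMIT arrives as a string; '.0006' is how Oracle
# displays PASSWORD_LOCK_TIME 1/1440 (one minute expressed in days).
CDB_PROFILES = [
    (1, "DEFAULT", "PASSWORD_LOCK_TIME", "1"),
    (1, "DEFAULT", "PASSWORD_REUSE_TIME", "UNLIMITED"),
    (3, "DEFAULT", "PASSWORD_LOCK_TIME", ".0006"),
    (3, "DEFAULT", "PASSWORD_REUSE_TIME", "365"),
    (3, "APP_USERS", "PASSWORD_LOCK_TIME", "DEFAULT"),
    (3, "APP_USERS", "PASSWORD_REUSE_TIME", "30"),
    (4, "DEFAULT", "PASSWORD_LOCK_TIME", "UNLIMITED"),
    (4, "DEFAULT", "PASSWORD_REUSE_TIME", "180"),
]

# Assumed policy minimums in days (placeholders for illustration only).
MIN_DAYS = {"PASSWORD_LOCK_TIME": 1, "PASSWORD_REUSE_TIME": 365}


def user_pdbs(v_pdbs):
    """Names of user-created PDBs: every V$PDBS row except the seed container."""
    return [name for _con_id, name, _mode in v_pdbs if name != "PDB$SEED"]


def parse_limit(raw, default_limit=None):
    """Turn a CDB_PROFILES.LIMIT string into a number of days.

    UNLIMITED -> infinity; DEFAULT -> the DEFAULT profile's value for the same
    container and resource (caller supplies it); anything else -> Fraction, so
    '.0006' or '1/1440' parse cleanly instead of raising the way int('.0006')
    would, which is the kind of failure KB-3283 describes.
    """
    text = raw.strip().upper()
    if text == "UNLIMITED":
        return float("inf")
    if text == "DEFAULT":
        if default_limit is None:
            raise ValueError("DEFAULT limit with no DEFAULT profile value to resolve")
        return default_limit
    return Fraction(text)


def evaluate_password_limits(rows, minimums=MIN_DAYS):
    """Return {(con_id, profile, resource): (limit_in_days, compliant)} per container."""
    # Resolve DEFAULT profile values first so other profiles can inherit them.
    defaults = {
        (con, res): parse_limit(lim)
        for con, prof, res, lim in rows
        if prof == "DEFAULT" and res in minimums
    }
    findings = {}
    for con, prof, res, lim in rows:
        if res not in minimums:
            continue
        days = parse_limit(lim, defaults.get((con, res)))
        findings[(con, prof, res)] = (days, days >= minimums[res])
    return findings


if __name__ == "__main__":
    print("User-created PDBs:", ", ".join(user_pdbs(V_PDBS)))
    for (con, prof, res), (days, ok) in sorted(evaluate_password_limits(CDB_PROFILES).items()):
        print(f"CON_ID={con} {prof}.{res}={float(days):g} -> {'PASS' if ok else 'FAIL'}")
```

The point of keeping the value as a Fraction rather than an int is that a profile created with PASSWORD_LOCK_TIME 1/1440 is a legitimate configuration that a check must evaluate (here it fails the assumed one-day minimum) rather than crash on; DEFAULT is resolved per container because each PDB carries its own DEFAULT profile.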

How to Update?

All AppDetectivePRO and DbProtect customers can download the latest Knowledgebase Update 4.48 by visiting the Trustwave support portal at https://trustwave.com/Company/Support and selecting either the AppDetectivePRO or DbProtect product.

AppDetectivePRO customers can also update their deployment by launching the "Updater" within the product.
