TrustKeeper Scan Engine Update - February 5, 2014

The next update to the TrustKeeper Scan Engine is now available. This release includes tests for new vulnerabilities in Lighttpd, OpenSSL, Oracle MySQL and Ruby on Rails.

This update includes improvements to existing tests and better evidence to assist with vulnerability remediation efforts.

New Vulnerability Test Highlights

Some of the more interesting vulnerability tests we added recently are as follows:

Lighttpd

  • Lighttpd FAMMonitorDirectory Denial of Service Vulnerability (CVE-2013-4560)
  • Lighttpd Remote Privilege Escalation Vulnerability (CVE-2013-4559)
  • Lighttpd SNI Weak Cipher Configuration Vulnerability (CVE-2013-4508)

OpenSSL

  • OpenSSL DTLS Handling Denial of Service Vulnerability (CVE-2013-6450)
  • OpenSSL TLS Client Denial of Service Vulnerability (CVE-2013-6449)
  • OpenSSL TLS Crafted Handshake Denial of Service Vulnerability (CVE-2013-4353)

Oracle

Ruby on Rails

  • Ruby on Rails Action View Lookup Denial of Service (CVE-2013-6414)
  • Ruby on Rails Active Record JSON Database Query Restriction Bypass (CVE-2013-6417)
  • Ruby on Rails Log Subscriber Denial of Service Vulnerability (CVE-2013-4389)
  • Ruby on Rails Number to Currency Helper Cross-Site Scripting Vulnerability (CVE-2013-6415)
  • Ruby on Rails Translation Helper Cross-Site Scripting Vulnerability (CVE-2013-4491)

How to Update?

All Trustwave customers using the TrustKeeper Scan Engine receive the updates automatically as soon as an update is available. No action is required.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.