TrustKeeper Scan Engine Update for April 18, 2018

New Vulnerability Test Highlights

Some of the more interesting vulnerability tests we added recently are as follows:

Apache

  • Apache HTTP Server Certificate Restriction Bypass Vulnerability (CVE-2016-4979)
  • Apache HTTP Server FilesMatch Directive Improper Input Validation Vulnerability (CVE-2017-15715)
  • Apache HTTP Server HTTP2 Memory Handling Error Vulnerability (CVE-2017-9789)
  • Apache HTTP Server HTTP2 Write After Free Vulnerability (CVE-2018-1302)
  • Apache HTTP Server mod_authnz_ldap Out-of-Bound Write Vulnerability (CVE-2017-15710)
  • Apache HTTP Server mod_auth_digest Uninitialized Memory Reflection Vulnerability (CVE-2017-9788)
  • Apache HTTP Server mod_auth_digest Weak Digest Auth Nonce Generation Vulnerability (CVE-2018-1312)
  • Apache HTTP Server mod_cache_socache Out-of-Bound Read Vulnerability (CVE-2018-1303)
  • Apache HTTP Server mod_http2 Denial of Service Vulnerability (CVE-2016-8740)
  • Apache HTTP Server mod_session Tampering Vulnerability (CVE-2018-1283)
  • Apache HTTP Server mod_session_crypto Padding Oracle Attack Vulnerability (CVE-2016-0736)
  • Apache HTTP Server Out-of-Bound Access Vulnerability (CVE-2018-1301)
  • Apache HTTP Stream-processing Outage Denial of Service Vulnerability (CVE-2016-1546)
  • Apache Tomcat HTTP2 Directory Traversal Vulnerability (CVE-2017-7675)
  • Apache Tomcat HTTP2 Header Parser Denial of Service Vulnerability (CVE-2016-6817)
  • Apache Tomcat SecurityManager Bypass via JSP Servlet Configuration Parameter Manipulation (CVE-2016-6796)
  • Apache Tomcat SecurityManager Bypass Vulnerability via Tomcat IntrospectHelper Utility Method (CVE-2016-5018)

ClamAV

  • ClamAV cabd_read_string (in mspack/cabd.c) Stack-based Buffer Over-Read Vulnerability (CVE-2017-11423)
  • ClamAV lzxd_decompress (in lzxd.c) Heap Memory Buffer Overflow Vulnerability (CVE-2017-6419)
  • ClamAV multiple functions (in libclamunrar/unrarvm.c) Heap Memory Overflow Vulnerability (CVE-2012-6706)
  • ClamAV pdf_parse_array and pdf_parse_string (in pdfng.c) Heap Memory Overflow Vulnerability (CSCvh91380 and CSCvh91400) (CVE-2018-0202)
  • ClamAV xar_hash_check (in xar.c) Out-of-Bounds Heap Read Vulnerability (CVE-2018-1000085)

FTP

  • FTP AUTH TLS Plaintext Command Injection Vulnerability (CVE-2011-1575, CVE-2011-4130)
  • FTP Cleartext Authentication and Unencrypted Communication Channel Accessibility
  • FTP Server .forward File Information Disclosure Vulnerability
  • FTP Server .rhosts File Information Disclosure Vulnerability

JBoss

  • JBoss mod_cluster Segmentation Fault Vulnerability (prior to 1.3.5) (CVE-2016-8612)

How to Update?

All Trustwave customers using the TrustKeeper Scan Engine receive the updates automatically as soon as an update is available. No action is required.