TrustKeeper Scan Engine Update for March 07 2018

The latest update to the TrustKeeper scan engine that powers our Trustwave Vulnerability Management product (including both internal and external vulnerability scanning) is now available. Enjoy!

New Vulnerability Test Highlights

Some of the more interesting vulnerability tests we added recently are as follows:

Apache

• Apache Tomcat JmxRemoteLifecycleListener Remote Code Execution ( CVE-2016-8735)
• Apache Tomcat Multiple Security Restraint Vulnerabilities ( CVE-2018-1305, CVE-2018-1304)
• Apache Tomcat ResourceLinkFactory Restriction Bypass ( CVE-2016-6797)
• Apache Tomcat Servlet Error Page Mechanism Vulnerability ( CVE-2017-5664)
• Apache Tomcat System Property Security Bypass ( CVE-2016-6794)

Cisco

• Cisco IOS Encryption Library Information Disclosure Vulnerability (Cisco-SA-20120913-CVE-2011-4667 and CSCty25257) ( CVE-2011-4667)

Atlassian JIRA

• Atlassian JIRA Infrastructure & Services - Incoming Email Handlers Cross-site Request Forgery Vulnerability (JRASERVER-66622) ( CVE-2017-16862)
• Atlassian JIRA Infrastructure & Services - Incoming Email Handlers Cross-site Scripting Vulnerability (JRASERVER-66719) ( CVE-2017-18039)
• Atlassian JIRA Issue Navigation & Search - Filters Cross-site Scripting Vulnerability (JRASERVER-66624) ( CVE-2017-16864)
• Atlassian JIRA Issue Navigation & Search - Jira Query Language Cross-site Scripting Vulnerability (JRASERVER-66495) ( CVE-2017-14594)
• Atlassian JIRA Server Project Administration - Users and Roles Cross-site Scripting Vulnerability (JRASERVER-61861) ( CVE-2016-4318)
• Atlassian JIRA Server System Administration - Auditing Cross-site Request Forgery Vulnerability (JRASERVER-61803) ( CVE-2016-4319)
• Atlassian JIRA Server Workflow Servlet Multiple Vulnerabilities (JRASERVER-64077) ( CVE-2017-5983)

PHP

• PHP bzread Inadequate Error Handling Vulnerability ( CVE-2016-5399)
• PHP GD Graphics Library (libgd) Denial of Service vulnerability ( CVE-2018-5711)
• PHP msgfmt_parse_message Stack-based Buffer Overflow Vulnerability ( CVE-2017-11362)
• PHP parse_url Improper Input Validation Vulnerability ( CVE-2016-10397)
• PHP PHAR 404 error page Reflected Cross-Site Scripting ( CVE-2018-5712)
• PHP phar.c Buffer Over-Read Vulnerability (before 5.6.30 and 7.0.15) ( CVE-2017-11147)
• PHP php_variables.c Denial of Service Vulnerability ( CVE-2017-11142)
• PHP timelib_meridian Out-of-bound Read Vulnerability ( CVE-2017-16642)
• PHP var_unserializer.re Buffer Over-Read Vulnerability ( CVE-2017-12933)
• PHP var_unserializer.re Heap Use After Free Vulnerability ( CVE-2017-12934)
• PHP var_unserializer.re Heap Use After Free Vulnerability (before 7.0.22, 7.1.8) ( CVE-2017-12932)
• PHP WDDX deserialization Denial of Service Vulnerability ( CVE-2017-11143)

WordPress

• Wordpress Core Unauthenticated Denial of Service Through 4.9.4 ( CVE-2018-6389)
• Wordpress prior to 4.9.1 Multiple Vulnerabilities ( CVE-2017-17091, CVE-2017-17092, CVE-2017-17093, CVE-2017-17094)
• Wordpress prior to 4.9.2 Cross-Site Scripting Vulnerabilities ( CVE-2018-5776)

How to Update?

All Trustwave customers using the TrustKeeper Scan Engine receive the updates automatically as soon as an update is available. No action is required.