Loading...
Security Resources

Software Updates

Trustwave App Scanner Updates for November 7, 2018

Auto updates 8.6 and 8.7 are now available

===== ===== ===== ===== ===== ==

Web Server Vulnerabilities Updates

===== ===== ===== ===== ===== ==

IBM WebSphere Cross Site Scripting Vulnerability

  CVE-2018-1767

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Cachemonitor is vulnerable

to cross-site scripting. This vulnerability allows users to embed arbitrary

JavaScript code in the Web UI thus altering the intended functionality potentially

leading to credentials disclosure within a trusted session. IBM X-Force ID: 148621

Oracle WebLogic Server Remote Code Execution Vulnerability

  CVE-2018-3252

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware

(subcomponent: WLS Core Components). Supported versions that are affected are

10.3.6.0, 12.1.3.0 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated

attacker with network access via T3 to compromise Oracle WebLogic Server. Successful

attacks of this vulnerability can result in takeover of Oracle WebLogic Server.

CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts).

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Oracle WebLogic Server Remote Code Execution Vulnerability

  CVE-2018-3250

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware

(subcomponent: WLS - Web Services). The supported version that is affected is 10.3.6.0.

Easily exploitable vulnerability allows unauthenticated attacker with network access via

HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction

from a person other than the attacker and while the vulnerability is in Oracle WebLogic

Server, attacks may significantly impact additional products. Successful attacks of this

vulnerability can result in unauthorized update, insert or delete access to some of Oracle

WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle

WebLogic Server accessible data.

CVSS 3.0 Base Score 6.1 (Confidentiality and Integrity impacts).

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Oracle WebLogic Server Remote Code Execution Vulnerability

  CVE-2018-3249

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware

(subcomponent: WLS - Web Services). The supported version that is affected is 10.3.6.0.

Easily exploitable vulnerability allows low privileged attacker with network access via

HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can

result in unauthorized access to critical data or complete access to all Oracle WebLogic

Server accessible data.

CVSS 3.0 Base Score 6.5 (Confidentiality impacts).

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

Oracle WebLogic Server Remote Code Execution Vulnerability

  CVE-2018-3248

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware

(subcomponent: WLS - Web Services). The supported version that is affected is 10.3.6.0.

Easily exploitable vulnerability allows unauthenticated attacker with network access via

HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction

from a person other than the attacker. Successful attacks of this vulnerability can result

in unauthorized access to critical data or complete access to all Oracle WebLogic Server

accessible data.

CVSS 3.0 Base Score 6.5 (Confidentiality impacts).

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

Oracle WebLogic Server Remote Code Execution Vulnerability

  CVE-2018-3246

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware

(subcomponent: WLS - Web Services). Supported versions that are affected are 12.1.3.0

and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker

with network access via HTTP to compromise Oracle WebLogic Server. Successful

attacks of this vulnerability can result in unauthorized access to critical data

or complete access to all Oracle WebLogic Server accessible data.

CVSS 3.0 Base Score 7.5 (Confidentiality impacts).

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Oracle WebLogic Server Remote Code Execution Vulnerability

  CVE-2018-3201

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware

(subcomponent: WLS Core Components). The supported version that is affected is 12.2.1.3.

Easily exploitable vulnerability allows unauthenticated attacker with network access

via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability

can result in takeover of Oracle WebLogic Server.

CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts).

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Oracle WebLogic Server Remote Code Execution Vulnerability

  CVE-2018-3197

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware

(subcomponent: WLS Core Components). The supported version that is affected is

12.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with

network access via T3 to compromise Oracle WebLogic Server. Successful attacks

of this vulnerability can result in takeover of Oracle WebLogic Server.

CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts).

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Oracle WebLogic Server Remote Code Execution Vulnerability

  CVE-2018-3191

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware

(subcomponent: WLS Core Components). Supported versions that are affected are

10.3.6.0, 12.1.3.0 and 12.2.1.3. Easily exploitable vulnerability allows

unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server.

Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.

CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts).

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Oracle WebLogic Server Remote Code Execution Vulnerability

  CVE-2018-2902

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware

(subcomponent: Console). Supported versions that are affected are 10.3.6.0 and

12.1.3.0. Easily exploitable vulnerability allows low privileged attacker with

network access via HTTP to compromise Oracle WebLogic Server. Successful attacks

of this vulnerability can result in unauthorized read access to a subset of Oracle

WebLogic Server accessible data.

CVSS 3.0 Base Score 4.3 (Confidentiality impacts).

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

Apache Tomcat Open Redirect Vulnerability

  CVE-2018-11784

When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11,

8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory

(e.g. redirecting to '/foo/' when the user requested '/foo') a specially

crafted URL could be used to cause the redirect to be generated to any URI

of the attackers choice.

Engine versions updated to 1001.0.26 and 1000.0.88.

 

Manual update instructions

Trustwave App Scanner customers with auto update enabled receive updates automatically and need not take any action. Customers who manually update their products or services will need to download the appropriate manual update file for their version of Trustwave App Scanner:

1. Log in to your account at https://login.trustwave.com

2. Click on the support tab

3. Click on "File Library" in the sub-menu

4. Navigate to the path "private/AppScanner/Manual Update" and download the appropriate file

5. Follow the instructions appropriate to the product you use:

Trustwave App Scanner Desktop
 formerly Cenzic Desktop (Pro)

1. Double click on the manual updater .exe file

2. Click the install button to extract the executable

a. You can specify any path on the local drive

b. It will extract a folder named "Manualupdate_(x)" where x is the auto update number

3. Open the folder and double click on the InstallUpdates.bat file to perform the library update

4. Log into Trustwave App Scanner and go to Help > Check for Updates

a. If the system update is present, a pop up will appear stating that Trustwave App Scanner needs to close down

b. Click OK

5. Restart Trustwave App Scanner to get the updates and log back in to receive the latest updates

Trustwave App Scanner Enterprise
 formerly Cenzic Enterprise (ARC)

1. Download the .exe file onto the machine that has Trustwave App Scanner Enterprise installed on it and double click the file

2. Click the install button to extract the executable

a. You can specify any path on the local drive

b. It will extract a folder named "Manualupdate_(x)" where x is the auto update number

3. Open the folder and double click on the InstallUpdates.bat file to perform the library update

4. Once Manual Updater exits, restart the Enterprise Execution Engine through the Configuration Utility at Start > Programs > Cenzic > Configuration Utility > Local Service Tab > Enterprise Execution Engine and restart the service

5. Log into Trustwave App Scanner Enterprise using the administrative account

6. If you see any "System Updates Available" message at the top of the page, go to Administration > Server Settings > System Updates

7. Click on Apply System Updates