The latest release of Trustwave App Scanner for versions 8.2 through 8.7 detects vulnerabilities in Apache HTTP Server, Drupal, and IBM WebSphere. The OWASP 2017 template and category is also available. Details are below. The appropriate update for your version of Trustwave App Scanner should have downloaded automatically. If needed, manual update instructions are available at the end of this update.
Web Server Vulnerabilities Updates
Drupal Remote Code Execution Vulnerability (CVE-2018-7600)
- Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
Apache HTTP Server Weak Digest Auth Nonce Generation (CVE-2018-1312)
- In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.
Apache HTTP Server Denial of Service Vulnerability (CVE-2018-1303)
- A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out of bound read while preparing data to be cached in shared memory. It could be used as a Denial of Service attack against users of mod_cache_socache.
Apache HTTP Server NULL Pointer Exception (CVE-2018-1302)
- When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially to an already freed memory. The memory pools maintained by the server make this vulnerability hard to trigger in usual configurations, the reporter and the team could not reproduce it outside debug builds, so it is classified as low risk.
Apache HTTP Server Denial of Service Vulnerability (CVE-2018-1301)
- A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug mode (both log and build level), so it is classified as low risk for common server usage.
Apache HTTP Server Remote Exploitation Vulnerability (CVE-2018-1283)
- When mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications. The severity is set to Medium because "SessionEnv on" is not a default nor common configuration, it should be considered High when this is the case though, because of the possible remote exploitation.
Apache HTTP Server File Upload Vulnerability (CVE-2017-15715)
- In Apache httpd 2.4.0 to 2.4.29, the expression specified in < FilesMatch > could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.
IBM WebSphere Application Server spoofing Vulnerability (CVE-2017-1788)
- IBM WebSphere Application Server 9 installations using Form Login could allow a remote attacker to conduct spoofing attacks. IBM X-Force ID: 137031.
IBM WebSphere Sensitive Information Disclosure (CVE-2017-1741)
- IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to obtain sensitive information caused by improper handling of Administrative Console panel fields. When exploited an attacker could read files on the file system. IBM X-Force ID: 134931.
Template Updates for 8.6 and 8.7
The OWASP 2017 Template is now available. The template contains the smart attacks recommended by OWASP Top 10 - 2017
Category Updates for 8.6 and 8.7
The OWASP 2017 Category is now available. The category contains the smart attacks recommended by OWASP Top 10 - 2017
Manual update instructions
Trustwave App Scanner customers with auto update enabled receive updates automatically and need not take any action. Customers who manually update their products or services will need to download the appropriate manual update file for their version of Trustwave App Scanner:
1. Log in to your account at https://login.trustwave.com
2. Click on the support tab
3. Click on "File Library" in the sub-menu
4. Navigate to the path "private/AppScanner/Manual Update" and download the appropriate file
5. Follow the instructions appropriate to the product you use:
Trustwave App Scanner Desktop
formerly Cenzic Desktop (Pro)
1. Double click on the manual updater .exe file
2. Click the install button to extract the executable
a. You can specify any path on the local drive
b. It will extract a folder named "Manualupdate_(x)" where x is the auto update number
3. Open the folder and double click on the InstallUpdates.bat file to perform the library update
4. Log into Trustwave App Scanner and go to Help > Check for Updates
a. If the system update is present, a pop up will appear stating that Trustwave App Scanner needs to close down
b. Click OK
5. Restart Trustwave App Scanner to get the updates and log back in to receive the latest updates
Trustwave App Scanner Enterprise
formerly Cenzic Enterprise (ARC)
1. Download the .exe file onto the machine that has Trustwave App Scanner Enterprise installed on it and double click the file
2. Click the install button to extract the executable
a. You can specify any path on the local drive
b. It will extract a folder named "Manualupdate_(x)" where x is the auto update number
3. Open the folder and double click on the InstallUpdates.bat file to perform the library update
4. Once Manual Updater exits, restart the Enterprise Execution Engine through the Configuration Utility at Start > Programs > Cenzic > Configuration Utility > Local Service Tab > Enterprise Execution Engine and restart the service
5. Log into Trustwave App Scanner Enterprise using the administrative account
6. If you see any "System Updates Available" message at the top of the page, go to Administration > Server Settings > System Updates
7. Click on Apply System Updates
