Software Updates

Database Security Knowledgebase Update 6.02

Written by | Dec 8, 2020 6:16:00 AM

Trustwave Database Security Knowledgebase version 6.02 includes new checks for Elasticsearch and updated checks for IBM Db2, MongoDB, PostgreSQL, and Teradata

It is also cumulative of version 6.01 which introduced new checks for Elasticsearch, MariaDB, Microsoft SQL Server, MySQL, and Oracle and updated checks for MySQL and Teradata.

New policies are also available for DISA STIG.

New Vulnerability and Configuration Check Highlights

Elasticsearch

  • Privilege escalation via API keys and authentication tokens creation
  • Risk: High

 

  • Privilege escalation via API keys creation
  • Risk: High

 

  • Race condition in response headers
  • Risk: Medium

 

  • Username disclosure in the API Key service
  • Risk: Medium

 

  • Anonymous access is enabled
  • Risk: Medium

 

  • Ensure Federal Information Processing Standard (FIPS) is enabled
  • Risk: Medium

 

  • Field disclosure in scrolling search
  • Risk: Medium

 

  • Password hashing algorithm
  • Risk: Low

 

Microsoft SQL Server

  • Microsoft SQL Server Analysis Services Information Disclosure Vulnerability (2017-Aug)
  • Risk: Medium

 

  • Microsoft SQL Server Remote Code Execution Vulnerability (2018-Aug)
  • Risk: High

 

MySQL

  • Critical Patch Update - October 2020
  • Risk: High

 

Oracle

  • Critical Patch Update/Patch Set Update - October 2020
  • Risk: High

 

MariaDB

  • Over 25 checks added

 

Updated Checks

  • Latchest patch, Fix Pack, patchset checks updated for IBM Db2, MongoDB, PostgreSQL, Teradata, and MySQL

 

New Policies

  • DISA-STIG MongoDB EA 3.x V1R2 – Audit
  • DISA-STIG PostgreSQL 9.x V2R1 – Audit
  • DISA-STIG SQL Server 2016 V2R1-1 Audit

Availability

  • Available to all AppDetectivePRO and DbProtect customers with maintenance (subscription or perpetual) in good standing at no additional cost.
  • AppDetectivePRO customers can use the Updater within the product as well