TrustKeeper Scan Engine Update – July 29, 2014

Summary

The latest update to the TrustKeeper Scan Engine is now available. Highlights of the update include coverage for 15 new vulnerabilities and expanded version coverage for PHP.

New Vulnerability Test Highlights

Some of the more interesting vulnerability tests we added recently are as follows:

Apache

• Apache HTTP Server mod_deflate Denial of Service Vulnerability (CVE-2014-0118)
• Apache HTTP Server mod_status Race Condition Vulnerability in Lua Request (CVE-2014-0226)
• Apache HTTP Server winnt_accept Denial of Service Vulnerability (CVE-2014-3523)
• Apache Tomcat AJP Request Denial of Service (CVE-2014-0095)
• Apache Tomcat Chunk Request Denial of Service (CVE-2014-0075)
• Apache Tomcat HTTP Request Smuggling Vulnerability (CVE-2014-0099)
• Apache Tomcat Information Disclosure via External XML Entities (CVE-2014-0096)

PHP

• PHP php_parserr Denial of Service Vulnerability (CVE-2014-4049)

phpMyAdmin

• phpMyAdmin Cross-site Scripting Vulnerability in PMA_getHtmlForActionLinks (CVE-2014-4954)
• phpMyAdmin Multiple Cross-site Scripting Vulnerabilities in AJAX Confirmation Message (CVE-2014-4986)
• phpMyAdmin Multiple Cross-site Scripting Vulnerabilities in Favorites Table (CVE-2014-4348)
• phpMyAdmin Multiple Cross-site Scripting Vulnerabilities in Hide Action (CVE-2014-4349)
• phpMyAdmin Multiple Cross-site Scripting Vulnerabilities in PMA_TRI_getRowForList (CVE-2014-4955)
• phpMyAdmin Privilege Escalation Vulnerability in User Group Features (CVE-2014-4987)

Miscellaneous

• Check to identify whether an SSL certificate's public key is too short and prone to brute force attacks (document explaining the importance of cryptographic key length)

How to Update?

All Trustwave customers using the TrustKeeper Scan Engine receive the updates automatically as soon as an update is available. No action is required.