Summary
The latest update to the TrustKeeper scan engine that powers our Trustwave Vulnerability Management product (including both internal and external vulnerability scanning) is now available. A highlight of the update is an additional check for the recently disclosed POODLE vulnerability in version 3 of the SSL protocol (CVE-2014-3566). This week's release also includes new tests for an additional 27 vulnerabilities.
New Vulnerability Test Highlights
Some of the more interesting vulnerability tests we added recently are as follows:
XAMPP
- XAMPP ADONewConnection Buffer Overflow (CVE-2007-2079)
- XAMPP Cross Site Request Forgery in xamppsecurity.php (CVE-2008-6498)
- XAMPP Cross Site Scripting Vulnerabilities in iart.php and ming.php (CVE-2008-3569)
- XAMPP Cross Site Scripting Vulnerability in phonebook.php and other pages (CVE-2005-1077)
- XAMPP Directory Traversal and Code Injection Vulnerability (CVE-2005-2043)
- XAMPP lang.tmp Arbitrary File Write Vulnerability (CVE-2013-2586)
- XAMPP Multiple SQL Injection Vulnerabilities (CVE-2007-2080)
- XAMPP Multiple Unquoted Windows Search Path Vulnerabilities (CVE-2006-4994)
- XAMPP SERVER Superglobal Variable Spoofing (CVE-2008-6499)
Microsoft .NET Framework
PostgreSQL
- PostgreSQL using LOAD with plugins can shut down backend server (CVE-2009-3229)
- PostgreSQL RESET SESSION AUTHORIZATION combined with ANALYZE allows privilege escalation (CVE-2009-3230)
- PostgreSQL authentication bypass with LDAP backend (CVE-2009-3231)
- PostgreSQL denial-of-service using client-specified localized error messages (CVE-2009-0922)
- PostgreSQL ANALYZE user defined function privilege escalation (CVE-2007-6600)
- PostgreSQL TCL regular expression back reference denial-of-service (CVE-2007-4769)
- PostgreSQL DBLink function privilege escalation (CVE-2007-6601)
- PostgreSQL search_path SECURITY DEFINER privilege escalation (CVE-2007-2138)
- PostgreSQL ALTER COLUMN TYPE denial-of-service and unauthorized memory access (CVE-2007-0556)
- PostgreSQL disable data type check denial-of-service and unauthorized memory access (CVE-2007-0555)
- PostgreSQL logging of protocol messages denial-of-service (CVE-2006-5542)
- PostgreSQL aggregates in UPDATE denial-of-service (CVE-2006-5540)
- PostgreSQL SQL injection quote escape bypass (CVE-2006-2314)
- PostgreSQL invalid multibyte encoding SQL injection bypass (CVE-2006-2313)
- PostgreSQL ANYARRAY coercion denial-of-service (CVE-2006-5541)
FreeBSD
- FreeBSD mmap Local User Privilege Escalation (FreeBSD-SA-13:06.mmap) (CVE-2013-2171)
SSL Protocol
How to Update?
All Trustwave customers using the TrustKeeper scan engine receive the updates automatically as soon as an update is available. No action is required.