Web Server Vulnerability Updates
WordPress Privilege Escalation Vulnerability
WordPress versions 4.9.6 and earlier are affected by a media issue that could potentially allow a user with certain capabilities to attempt to delete files outside the uploads directory.
IBM WebSphere Sensitive Information Disclosure
CVE-2018-1621
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a local attacker to obtain clear text password in a trace file caused by improper handling of some datasource custom properties. IBM X-Force ID: 144346.
Oracle WebLogic Server Remote Code Execution Vulnerability
CVE-2018-2983
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Oracle WebLogic Server Remote Code Execution Vulnerability
CVE-2018-2987
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Console). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
Oracle WebLogic Server Remote Code Execution Vulnerability
CVE-2018-2998
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: SAML). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).
Manual update instructions
Trustwave App Scanner customers with auto update enabled receive updates automatically and need not take any action. Customers who manually update their products or services will need to download the appropriate manual update file for their version of Trustwave App Scanner:
1. Log in to your account at https://login.trustwave.com
2. Click on the support tab
3. Click on "File Library" in the sub-menu
4. Navigate to the path "private/AppScanner/Manual Update" and download the appropriate file
5. Follow the instructions appropriate to the product you use:
Trustwave App Scanner Desktop
formerly Cenzic Desktop (Pro)
1. Double click on the manual updater .exe file
2. Click the install button to extract the executable
a. You can specify any path on the local drive
b. It will extract a folder named "Manualupdate_(x)" where x is the auto update number
3. Open the folder and double click on the InstallUpdates.bat file to perform the library update
4. Log into Trustwave App Scanner and go to Help > Check for Updates
a. If the system update is present, a pop up will appear stating that Trustwave App Scanner needs to close down
b. Click OK
5. Restart Trustwave App Scanner to get the updates and log back in to receive the latest updates
Trustwave App Scanner Enterprise
formerly Cenzic Enterprise (ARC)
1. Download the .exe file onto the machine that has Trustwave App Scanner Enterprise installed on it and double click the file
2. Click the install button to extract the executable
a. You can specify any path on the local drive
b. It will extract a folder named "Manualupdate_(x)" where x is the auto update number
3. Open the folder and double click on the InstallUpdates.bat file to perform the library update
4. Once Manual Updater exits, restart the Enterprise Execution Engine through the Configuration Utility at Start > Programs > Cenzic > Configuration Utility > Local Service Tab > Enterprise Execution Engine and restart the service
5. Log into Trustwave App Scanner Enterprise using the administrative account
6. If you see any "System Updates Available" message at the top of the page, go to Administration > Server Settings > System Updates
7. Click on Apply System Updates
