Hello all -
WAS Engine 6.3 has been released to all Qualys platforms, including private cloud platforms. This new release is part of our ongoing effort to continuously improve the WAS scanning engine. This update includes the following enhancements:
- New detection for CVE-2016-5019, a deserialization vulnerability in Apache MyFaces Trinidad. QID 150254 will be reported if this vulnerability is detected.
- New detection for CVE-2010-1164, a cross-site scripting vulnerability in Atlassian JIRA. QID 150233 will be reported for this vulnerability.
- Change to reduce false positives for QID 150069 (Static Session ID) when duplicate cookies are present.
- Fix to prevent scanner error when an invalid tarball or zip is encountered on the target web app.
- Change to address a specific Selenium auth script failure that worked prior to Engine 6.0.
- Change to SSL/TLS negotiation to fix an issue where the scanner couldn't connect to certain targets.
- New detections for known Drupal vulnerabilities, namely CVE-2018-7600, CVE-2018-9861, and CVE-2018-7602. The corresponding QIDs are 150218, 150219, and 150220.
If you encounter any problems in your WAS scans, please open a support ticket by selecting Help > Contact Support while logged into the platform. Feel free to post a question here on the Qualys Community site as well.