WAS Engine 7.7 Released

Document created by Dave Ferguson (Qualys employee) on Apr 7, 2020. Last modified by Dave Ferguson on Apr 7, 2020.

Greetings!  This is to announce that WAS Engine 7.7 has been released to all Qualys platforms including private cloud platforms.  This release is part of our ongoing effort to continuously improve the WAS scanning engine.

This update includes the following changes.

  • Finalized release of a comprehensive suite of SSL/TLS and certificate detections.  A total of 58 QIDs were released, which you can find under a new detection scope category in the WAS option profile called "SSL/TLS and Certificate issues".  These 58 QIDs are identical to the ones used in Qualys Vulnerability Management (VM) scans.
  • Implemented initial support for the OpenAPI v3 specification to expand our REST API scanning capability.  Now, in addition to testing with Swagger v2, an OpenAPI v3 file can be used to test your API for vulnerabilities.  Scan setup is the same.
  • Added a new detection for CVE-2019-8451, a server-side request forgery (SSRF) vulnerability in Atlassian Jira. The QID is 150279. This detection leverages Qualys Periscope.
  • Enhanced the reporting of QID 150059 (Windows file path present in HTML) to include the response headers as well as a relevant section of the response body with the Windows file path highlighted.
  • Added a new detection for CVE-2017-9822, a remote code execution (RCE) vulnerability in DNN, the CMS formerly known as DotNetNuke. The QID is 150278.
  • Fixed an issue related to API scanning where certain QIDs were detected but not being reported because they were incorrectly identified as duplicates.
  • Changed the scan engine to maintain the uppercase/lowercase format of injected headers.  Previously, at scan time, the first letter of a header was being changed to uppercase and remaining letters to lowercase.
  • Fixed a problem where the scanner couldn't connect to certain TLS 1.0 targets.
  • Fixed a false positive for QID 150246 (PRSSI vulnerability) in the case where a stylesheet uses a path root-relative URL.
  • Fixed an issue where certain QIDs, in rare cases, would cause the scan to end in error.
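The PRSSI false-positive fix above comes down to how a stylesheet reference resolves: only a path-relative href (`css/site.css`) is resolved against the path of the document URL, while a root-relative (`/static/theme.css`) or absolute href resolves against the origin and is unaffected. The following Python is an added example, not Qualys engine code or part of this announcement; the sample HTML, the function names and the simple regex-based link extraction are constructed for illustration. It classifies each stylesheet reference in a page and flags only the path-relative ones.

```python
import re
from urllib.parse import urlsplit

# Constructed sample document (not taken from the release notes): four
# stylesheet references covering the URL forms that matter for PRSSI.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="css/site.css">
<link rel="stylesheet" href="/static/theme.css">
<link rel="stylesheet" href="https://cdn.example.com/lib.css">
<link href="print.css" rel="stylesheet" media="print">
</head><body></body></html>"""

# Deliberately simple extraction: <link> tags with double-quoted attributes.
LINK_TAG_RE = re.compile(r"<link\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'([A-Za-z-]+)\s*=\s*"([^"]*)"')


def classify_href(href: str) -> str:
    """Return 'absolute', 'root-relative' or 'path-relative' for a URL reference.

    Only a path-relative reference resolves against the *path* of the document
    URL, which is the condition a path-relative stylesheet import (PRSSI)
    finding depends on. Root-relative ("/x.css") and absolute references
    resolve against the origin, so reporting them is a false positive.
    """
    href = href.strip()
    if href.startswith("//") or urlsplit(href).scheme:
        return "absolute"
    if href.startswith("/"):
        return "root-relative"
    return "path-relative"


def stylesheet_hrefs(html: str) -> list:
    """Collect href values of <link ... rel="stylesheet"> elements, in document order."""
    hrefs = []
    for tag in LINK_TAG_RE.findall(html):
        attrs = {name.lower(): value for name, value in ATTR_RE.findall(tag)}
        rel_tokens = attrs.get("rel", "").lower().split()
        if "stylesheet" in rel_tokens and "href" in attrs:
            hrefs.append(attrs["href"])
    return hrefs


def prssi_candidates(html: str) -> list:
    """Return only the stylesheet references whose resolution depends on the document path."""
    return [h for h in stylesheet_hrefs(html) if classify_href(h) == "path-relative"]


if __name__ == "__main__":
    for href in stylesheet_hrefs(SAMPLE_HTML):
        print(f"{classify_href(href):14s} {href}")
    print("PRSSI candidates:", prssi_candidates(SAMPLE_HTML))
```

Run against the constructed page, only `css/site.css` and `print.css` remain as candidates; the root-relative and CDN references are dropped, which is the distinction the engine fix restores.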

As always, if you encounter any problems in your WAS scans, please open a support ticket by selecting Help--Contact Support while logged into the platform.  Feel free to post a question here on the Qualys Community site as well.

-Dave