Security Bulletin: Vulnerabilities in AppScan Standard

Flash (Alert)


Abstract

The IBM Security AppScan Standard 8.6 (previously known as IBM Rational AppScan Standard Edition) release includes fixes to two security vulnerabilities.

Content


VULNERABILITY 1: Insecure SSL Communication to the target test site

DESCRIPTION: AppScan Standard allows the scanning of sites with incorrect certificates. By default, AppScan Standard ignores invalid certificates because most target sites are test sites with dummy certificates. To prevent AppScan Standard from connecting to insecure sites, the attached .xml settings file can be used.

AFFECTED PLATFORMS: Versions 7.8 through 8.5.0.1 of AppScan Standard running on Microsoft Windows.

REMEDIATION: The recommended solution is to apply the fix for each named product as soon as practical. Please see below for information about the fixes available.

FIX: For IBM Rational AppScan Standard Edition version 7.8 to 8.5.0.1
· Upgrade to version 8.6
· If you are unable to upgrade to version 8.6, contact IBM Technical Support.

WORKAROUND: Not applicable; upgrade to version 8.6.0.1 and save the attached EngineOptions.xml file to the AppScan Standard install directory to enable checking for invalid certificates.
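The defect in Vulnerability 1 is a TLS client that accepts invalid certificates by default. The following Python is an added illustration of that class of weakness; it is not AppScan's code and makes no claim about the format of EngineOptions.xml. It shows the permissive client configuration beside the hardened one, a small audit function a reviewer can run over a client context, and a profile loader in which strict validation is the default and the permissive mode has to be requested explicitly. The profile keys and the target URL are constructed for the example.

```python
import ssl
from typing import Dict, List, Optional

# Constructed sample "scan profile", standing in for whatever settings a
# scanner reads. The key name is an assumption made for this example; the point
# is that secure behaviour is the default and the permissive mode is opt-in.
DEFAULT_PROFILE: Dict[str, object] = {
    "target": "https://app.example.test",  # constructed placeholder target
    "ignore_invalid_certificates": False,
}


def permissive_context() -> ssl.SSLContext:
    """The weak client configuration: any certificate is accepted, whether
    self-signed, expired or issued for a different host name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be switched off before verify_mode, otherwise the
    # ssl module raises ValueError.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def strict_context(extra_ca_pem: Optional[str] = None) -> ssl.SSLContext:
    """The hardened configuration: chain validation against the trust store
    plus host name matching. A private test CA can be trusted explicitly
    instead of disabling validation for every target."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    if extra_ca_pem:
        ctx.load_verify_locations(cadata=extra_ca_pem)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the weaknesses a reviewer would flag for a client context."""
    findings: List[str] = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate chain verification disabled (CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("host name verification disabled")
    return findings


def context_from_profile(profile: Dict[str, object]) -> ssl.SSLContext:
    """Build the client context for a scan; a missing or false setting means strict."""
    if profile.get("ignore_invalid_certificates", False):
        return permissive_context()
    return strict_context()


if __name__ == "__main__":
    test_site_profile = {**DEFAULT_PROFILE, "ignore_invalid_certificates": True}
    for name, prof in (("default profile", DEFAULT_PROFILE),
                       ("test-site override", test_site_profile)):
        findings = audit_context(context_from_profile(prof))
        print(f"{name}: {findings or 'no findings'}")
```

The design point is the direction of the default: a scanner that must reach hosts with dummy certificates should trust the specific test CA through `strict_context(extra_ca_pem=...)` or require an explicit per-target override, rather than ship with verification off for every connection.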
--------------------------


VULNERABILITY 2: Oracle October 2011 Java Critical Patch Update - 6.0

DESCRIPTION: Summary advisory describing multiple CVEs to be addressed in upcoming Oracle and IBM Java releases. An overview of the Oracle security fixes can be found here:

http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html


AFFECTED PLATFORMS: Versions 7.8 through 8.5.0.1 of AppScan Standard running on Microsoft Windows.

REMEDIATION: The recommended solution is to apply the fix for each named product as soon as practical. Please see below for information about the fixes available.

FIX: For IBM Rational AppScan Standard Edition version 7.8 to 8.5.0.1
· Upgrade to version 8.6
· If you are unable to upgrade to version 8.6, contact IBM Technical Support.


WORKAROUND: Not applicable; upgrade to version 8.6.0.1.
--------------------------



REFERENCES:
· Complete CVSS Guide
· On-line Calculator V2

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this alert.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Document information

More support for: Security AppScan Standard, General Support issues
Software version: 7.9, 8.0, 8.5
Operating system(s): Windows
Reference #: 1609022
Modified date: 2013-04-24
