Qualys Blog | Expert network security guidance and news

Zombie POODLE and GOLDENDOODLE Vulnerabilities

Posted by Yash Sannegowda in Qualys Technology, SSL Labs on April 22, 2019

Recently new vulnerabilities like Zombie POODLE, GOLDENDOODLE, 0-Length OpenSSL and Sleeping POODLE were published for websites that use CBC (Cipher Block Chaining) block cipher modes. These vulnerabilities are applicable only if the server uses TLS 1.2 or TLS 1.1 or TLS 1.0 with CBC cipher modes.

SSL Labs will identify cipher suites using CBC with orange color and with text WEAK (note: this is live now on https://dev.ssllabs.com/; and will be live by April 26 on https://www.ssllabs.com/ ). This change won’t have any effect on the grades, as it only means that SSL Labs discourages the use of CBC-based cipher suites further.

SSL Labs will start giving “F” grade to the server affected by these vulnerabilities from end of May 2019. For now, SSL Labs will give only a warning for affected servers:

Zombie POODLE (Invalid padding with valid MAC)
GOLDENDOODLE (Valid padding with an invalid MAC)
0-Length OpenSSL (Invalid Mac/Valid Pad, 0-length record)
Sleeping POODLE (invalid padding with valid MAC)

SSLLabs UI Changes

Limitation in SSL Labs Detections

These tests are specific to protocol/cipher suite, SSL Labs only checks with preferred Protocol and CBC Cipher suite. There is a probability that the server could be vulnerable with other set of protocol/cipher suite.
SSL Labs only checks with a limited set of CBC cipher suite

More Information

Note: The warning is live on https://dev.ssllabs.com/ and will be live on https://www.ssllabs.com/ by April 26. As stated above, the grade change will be live by the end of May.

Qualys Training Update, April 2019

Posted by Nick Dlouhy in Qualys Technology on April 18, 2019

The Qualys Training team has expanded the AssetView & Threat Protection course, and added two new training series: CertView and Troubleshooting Scanner Appliance Error Codes.

These new additions build on last month’s update, when we introduced the new Vulnerability Management learning path, which takes you from the fundamentals through advanced topics, and ensures you have a complete foundation in Qualys technology.

The Qualys Training team brings you these updates to help you learn quickly how to get the most value from your Qualys subscription. Read on for more detail on what’s new this month.

Monitoring AWS Golden AMI Pipelines with Slack

Posted by Sean Nicholson in Qualys News, Qualys Technology on April 17, 2019

If your company uses Slack and is looking for ways to easily monitor activities in its AWS Golden AMI Pipeline, you can use AWS native services to send messages into a Slack channel. This can give your teams better visibility into the approval process for the candidate AMIs that they submit, as opposed to handling this via email. As we all know, email messages can get lost, overlooked or dumped in spam folders, which doesn’t happen with Slack messages. Moreover, Slack channels can have multiple subscribers so a single message can be seen by multiple people or other bots. Handling approval requests within a Slack channel also simplifies the management of the process.

Read on for a detailed, step-by-step explanation.

No Comments
Permalink
Tags: aws, devops, devsecops, golden AMI, slack

Ancestry: On the Vanguard of DevOps Security

Posted by Grant Johnson in Qualys News, Qualys Technology on April 10, 2019

*Grant Johnson, Ancestry’s Director, Risk & Compliance*

(This is a guest post by Grant Johnson, Director, Risk & Compliance at Ancestry)

Over the past two years, Ancestry moved its entire applications and data infrastructure from local data centers to Amazon’s cloud, and this required a new approach for managing vulnerabilities in our DevOps pipeline. In the hopes that our insights will help security teams embarking on this path, this article details the challenges we faced and the best practices that helped us succeed, including:

the benefits of replacing production AMIs with new ones instead of patching them;
the importance of making security an enabler of agile, cloud processes like DevOps;
and effective ways to get DevOps team members and senior leaders to buy into your risk reduction strategy.

Read on to learn how, with Qualys’ help, we streamlined and automated vulnerability fixes, resulting in a steep drop in the number of high severity bugs in our production applications.

No Comments
Permalink
Tags: amazon, ancestry, aws, devops, devsecops, golden AMI, public cloud, vulnerability management

Qualys Cloud Platform 2.38 New Features

Posted by Chris Carlson in Qualys Technology on April 10, 2019

This release of the Qualys Cloud Platform version 2.38 includes updates and new features for AssetView, Web Application Firewall, and Web Application Scanning, highlights as follows.

No Comments
Permalink
Tags: assetview, av, azure, dynamic tagging, waf, was, web application firewall, web application scanning

April 2019 Patch Tuesday – 74 Vulns, 16 Critical, 2 Actively Attacked, 1 PoC Exploit, Adobe Vulns

Posted by Jimmy Graham in The Laws of Vulnerabilities on April 9, 2019

This month’s Patch Tuesday addresses 74 vulnerabilities, with 16 labeled as Critical. Eight of the Critical vulns are for scripting engines and browser components, impacting Microsoft browsers and Office, along with another 5 Critical vulns in MSXML. Two Critical remote code execution (RCE) vulnerabilities are patched in GDI+ and IOleCvt. Two privilege escalation vulns in Win32k are reported as Actively Attacked, while another in the Windows AppX Deployment Service has a public PoC exploit.

No Comments
Permalink
Tags: adobe, microsoft, patch, Patch Tuesday, security, vulnerabilities

Qualys Policy Compliance Notification: Policy Library Update

Posted by Pronamika Abraham in Qualys News, Qualys Technology on April 3, 2019

Qualys’ library of built-in policies makes it easy to comply with the security standards and regulations that are most commonly used and adhered to. Qualys provides a wide range of policies, including many that have been certified by CIS as well as the ones based on security guidelines from OS and application vendors and other industry best practices.

In order to keep up with the latest changes in security control requirements and new technologies, Qualys publishes new content to the Policy Library every month.

No Comments
Permalink
Tags: cis, library, pc, policy library, product news

Qualys Cloud Platform (VM, PC) 8.18.1 New Features

Posted by Pronamika Abraham in Qualys News, Qualys Technology on April 1, 2019

The patch release of the Qualys Cloud Platform, version 8.18.1.0-1, includes new support for HashiCorp Vaults as well as for Virtual Scanner Appliance for OCI and OCI-Classic Platforms.

Qualys Cloud Platform (VM, PC) 8.18 New Features

Posted by Pronamika Abraham in Qualys News, Qualys Technology on March 23, 2019

This new release of the Qualys Cloud Platform (VM, PC), version 8.18 contains several new features and improvements in Qualys Vulnerability Management and Policy Compliance, which include CertView Vulnerability Scan for EC2 Assets, support for new authentication types to filter vulnerabilities, support for InformixDB authentication and IBM Web Application Server, and 2 new technologies in Policy Compliance.

No Comments
Permalink
Tags: duration, notification, pc, scheduling, vm

Free Training: New Certified Learning Paths

Posted by Nick Dlouhy in Qualys News, Qualys Technology on March 18, 2019

The Qualys Training team is eager to share all of the recent additions to our free training program, as well as provide insight into what is coming in 2019. You can expect to see regular updates as we continue to improve our training offerings!

It is our mission to help Qualys customers and partners become more familiar with the entire portfolio of Qualys Cloud Apps, learn key workflows and adopt best practices. To help guide you, we are creating Learning Paths which take you from fundamentals through advanced topics, and ensure you have a complete foundation in Qualys technology.