Author: Igor Obolenskiy

PCI & QID 38598 “Deprecated Public Key Length”

Posted by Igor Obolenskiy in Qualys Technology, Security Labs on October 10, 2018

QID 38598 “Deprecated Public Key Length” will be marked as PCI Fail as of November 1, 2018 in accordance with its CVSS score.

Under PCI DSS merchants and financial institutions are required to protect their clients’ sensitive data with strong cryptography. Strong cryptography is defined in the Glossary of Terms, Abbreviations and Acronyms for PCI DSS as cryptography based on industry-tested and accepted algorithms.

NIST Special Publication 800-131A announced that RSA public keys shorter than 2048 bits are disallowed, so QID 38598 detected in ASV scans will result a PCI failure. ASV scan customers will need to obtain a 2048-bit or larger public key length certificate from their Certificate Authority.

QID 86725 “F5 BIG-IP Load Balancer Internal IP Address Disclosure”

Posted by Igor Obolenskiy in Qualys Technology, Security Labs on March 28, 2018

QID 86725 “F5 BIG-IP Load Balancer Internal IP Address Disclosure Vulnerability” will be marked as a PCI Fail as of May 1, 2018 in accordance with its CVSS score.

PCI DSS v3.2 & Exposing Session ID in URL

Posted by Igor Obolenskiy in Qualys Technology on March 13, 2018

Passing the session ID in the URL such as QID 150068 “Session ID in URL” will be marked as a Fail for PCI as of April 15, 2018 in accordance with PCI DSS v3.2.

PCI DSS v3.2 & Private IP Address Disclosure

Posted by Igor Obolenskiy in Qualys Technology on January 8, 2018

Private IP addresses disclosure such as QID 86247 “Web Server Internal IP Address/Internal Network Name Disclosure Vulnerability” will be marked as a Fail for PCI as of February 1, 2018 in accordance with PCI DSS v3.2.