All Posts

CVE-2019-11016: Open Redirect Vulnerability

Earlier this year the Qualys Web Application Scanning team discovered and reported an open redirect vulnerability (CVE-2019-11016) in Elgg, an open source rapid-development framework for socially aware web applications; the Elgg team promptly fixed it.

Elgg versions before 1.12.18, and 2.3.x versions before 2.3.11, are vulnerable to an open redirect via the $url parameter: an attacker can supply a crafted value for it that makes the application redirect the victim to an attacker-controlled website.

Because open redirects are common, QID 150051 in Qualys Web Application Scanning (WAS) was enhanced to report this type of open redirect whenever it is found in a scanned web application.
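The following is an added example, not code from the original post or from the Elgg project, of the redirect-target check that prevents this class of bug. It is written in Python rather than Elgg's PHP so that it runs stand-alone; the allowed host social.example.com and the function names are assumptions for the example. redirect_target_unsafe shows the anti-pattern (a $url-style parameter is used verbatim as the redirect target); is_safe_redirect and redirect_target show the hardened form together with the bypasses a naive check has to handle.

```python
from urllib.parse import urlsplit

# Hosts this application may redirect to. Constructed for the example; a real
# application would derive this from its configured site URL.
ALLOWED_HOSTS = {"social.example.com"}


def redirect_target_unsafe(url_param: str) -> str:
    """The open-redirect anti-pattern: the request parameter becomes the
    Location header unchanged, so ?url=https://evil.example sends the user off-site."""
    return url_param


def is_safe_redirect(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only if `url` is a root-relative path or an http(s) URL on an allowed host.

    Rejects the inputs that commonly slip past a "starts with /" or
    "contains our hostname" check:
      * control characters and whitespace (CRLF would split the response header)
      * backslashes, which browsers normalise to '/' ("/\\evil.example" -> "//evil.example")
      * protocol-relative targets ("//evil.example", "///evil.example")
      * schemes other than http(s) ("javascript:", "data:")
      * scheme without authority ("http:/evil.example" resolves to http://evil.example/)
      * credentials before '@' ("https://social.example.com@evil.example/")
    """
    if not url or any(c.isspace() or ord(c) < 0x20 or c == "\x7f" for c in url):
        return False
    normalised = url.replace("\\", "/")
    try:
        parts = urlsplit(normalised)
    except ValueError:  # e.g. malformed IPv6 literal in the authority
        return False
    if parts.scheme:
        if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
            return False
        return (parts.hostname or "").lower() in allowed_hosts
    if parts.netloc:  # protocol-relative: allowed only for a known host
        return (parts.hostname or "").lower() in allowed_hosts
    # Plain path: must be root-relative and must not begin with "//"
    return normalised.startswith("/") and not normalised.startswith("//")


def redirect_target(url_param: str, default: str = "/") -> str:
    """Hardened replacement: fall back to `default` unless the target is safe."""
    return url_param if is_safe_redirect(url_param) else default
```

Validating the parsed host against an allow-list, instead of testing the raw string, is what defeats the protocol-relative, backslash and user@host variants; an application that can avoid accepting a target from the request at all (for example by keying it server-side) removes the problem entirely.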

Continue reading …

Qualys Cloud Platform 2.42 New Features

Qualys Cloud Platform release 2.42 includes updates and new features for Web Application Scanning; the highlights are as follows.

Continue reading …

Streamlining and Automating Compliance

There are seemingly countless regulatory and industry frameworks that organizations have to navigate and comply with: SOX (Sarbanes-Oxley), PCI-DSS (Payment Card Industry Data Security Standard), GDPR (General Data Protection Regulation), HIPAA (Health Insurance Portability and Accountability Act), and many others, each requiring that a specified security baseline be maintained. Compliance is a challenge in and of itself, and it becomes harder still to maintain with accelerated DevOps lifecycles and complex hybrid cloud environments.

Continue reading …

Qualys Cloud Platform 8.22 New Features (VM, PC)

Update December 11, 2019: See additional details about this release.

The 8.22.0 release adds several new features to the Qualys Cloud Platform, a new API in Policy Compliance, and support for two new technologies in OCA.

Continue reading …

Policy Compliance Library Updates, November 2019

Qualys’ library of built-in policies makes it easy to comply with the security standards and regulations that are most commonly used and adhered to. Qualys provides a wide range of policies, including many certified by CIS as well as others based on security guidelines from OS and application vendors and on other industry best practices.

In order to keep up with the latest changes in security control requirements and new technologies, Qualys publishes new content to the Policy Library every month.

The November release adds support for three new technologies, includes one new CIS Benchmark policy, and updates several existing policies in the Qualys Content Library.

Qualys’ Certification Page at CIS has been updated.

Continue reading …

The Power and Future of the Qualys Cloud Platform

Qualys Security Conference 2019 kicked off this morning at the Bellagio hotel in Las Vegas. The event actually began on Monday with training sessions over the first two days, but this morning hundreds of attendees filled a conference room to listen to keynote presentations about the state of cybersecurity and the vision for the future of the Qualys Cloud Platform.

Continue reading …

Qualys Cloud Platform 8.21.7 New Features

Update November 27, 2019: The features referenced in this blog post will be released in Qualys Cloud Platform release 8.22.

Update November 19, 2019: The features referenced in this blog post will be released in the next Qualys Cloud Platform release scheduled for December 2019, and will be announced separately. We apologize for any confusion this may have caused.

Original Post: The upcoming release of the Qualys Cloud Platform (VM, PC), version 8.21.7, will include new features in Qualys Cloud Platform, Vulnerability Management, and Policy Compliance.

Continue reading …

Policy Compliance Library Updates, October 2019

Qualys’ library of built-in policies makes it easy to comply with the security standards and regulations that are most commonly used and adhered to. Qualys provides a wide range of policies, including many certified by CIS as well as others based on security guidelines from OS and application vendors and on other industry best practices.

In order to keep up with the latest changes in security control requirements and new technologies, Qualys publishes new content to the Policy Library every month.

The October release includes the following new policy and updates:

  • 2 new technologies for OCA
  • 7 new technologies for Scanner
  • 10 new CIS Benchmark policies
  • 3 new browser policies for Cloud Agent
  • 11 new Industry and Best Practice policies
  • 1 new DISA STIG policy
  • 1 Microsoft Security Baseline policy
  • More than 100 updated policies

Qualys’ Certification Page at CIS has been updated.

Continue reading …

Qualys Cloud Platform 8.21.6 New Features

Update Nov 19, 2019: This blog post was updated with additional detail about the new features in 8.21.6.

The 8.21.6 release adds several new features in Qualys Cloud Platform, Policy Compliance, and Vulnerability Management. Among other additions, for PC this release adds support for Apple Safari 11.x/12.x in compliance scans of Unix hosts and extends UDC (User Defined Controls) support to multiple new technologies; for VM it adds support for HashiCorp Vault in database authentication records and for Sybase authentication in vulnerability scanning.

Continue reading …

PHP Remote Code Execution Vulnerability (CVE-2019-11043)

Certain versions of PHP 7 (7.1.x before 7.1.33, 7.2.x before 7.2.24 and 7.3.x before 7.3.11) running behind NGINX with php-fpm can be vulnerable to the remote code execution vulnerability CVE-2019-11043.

Given the simplicity of the exploit, all web servers running a vulnerable PHP version should be upgraded to a fixed release as soon as possible. Because the vulnerability requires a specific NGINX/php-fpm configuration, the number of vulnerable installations is smaller than it otherwise would be.

Qualys Web Application Scanning (WAS) will test for this vulnerability as long as QID 150270 is included in your scan. We recommend organizations immediately remediate all systems that are vulnerable. While you are getting ready to patch, you can easily deploy a virtual patch via pre-built templates in Qualys Web Application Firewall.

Remediation instructions are included below.
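The following is an added example, not the post's remediation instructions and not the detection logic behind QID 150270. It checks the two things a practitioner wants when triaging CVE-2019-11043 across a fleet: whether a PHP version is at or above the fixed release of its branch (7.1.33, 7.2.24, 7.3.11), and whether an NGINX location block matches the configuration pattern described in PHP bug #78599 (PATH_INFO derived from a '$'-anchored fastcgi_split_path_info regex, with no try_files guard that rejects requests for scripts that do not exist). The two NGINX snippets are constructed for the example, the scanner assumes location blocks without nested braces, and the function names are assumptions for this example.

```python
import re

# Minimum releases on each PHP branch that carry the fix for CVE-2019-11043
# (PHP bug #78599), keyed by (major, minor).
FIXED_VERSIONS = {(7, 1): (7, 1, 33), (7, 2): (7, 2, 24), (7, 3): (7, 3, 11)}

# Matches "location <modifier+pattern> { ... }" blocks with no nested braces.
# Assumption for this example: no nested "if" blocks and no "{n}" quantifiers
# inside the location regex; a production auditor would need a real parser.
LOCATION_RE = re.compile(r"location\s+([^{]+?)\s*\{([^{}]*)\}", re.S)

# Constructed NGINX snippets: the first matches the risky pattern, the second is
# the same block with a try_files guard that returns 404 unless the script exists.
VULNERABLE_CONF = r"""
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    include fastcgi_params;
    fastcgi_pass unix:/run/php/php-fpm.sock;
}
"""

FIXED_CONF = r"""
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    try_files $fastcgi_script_name =404;
    include fastcgi_params;
    fastcgi_pass unix:/run/php/php-fpm.sock;
}
"""


def directives(body: str):
    """Split a block body into [name, arg, ...] token lists, dropping '#' comments."""
    out = []
    for line in body.splitlines():
        line = line.split("#", 1)[0]
        for stmt in line.split(";"):
            tokens = stmt.split()
            if tokens:
                out.append(tokens)
    return out


def location_is_risky(body: str) -> bool:
    """True when a location derives PATH_INFO from a '$'-anchored
    fastcgi_split_path_info regex and never checks that the script exists.

    A request path containing an encoded newline makes such a regex fail to
    match ('.' does not match a newline), so $fastcgi_path_info is empty and
    php-fpm receives an empty PATH_INFO, which is what the bug mishandles.
    The try_files guard rejects the request before it reaches php-fpm."""
    ds = directives(body)
    split = [d for d in ds if d[0] == "fastcgi_split_path_info" and len(d) > 1]
    sets_path_info = any(
        d[0] == "fastcgi_param" and d[1:3] == ["PATH_INFO", "$fastcgi_path_info"]
        for d in ds
    )
    has_guard = any(d[0] == "try_files" and "=404" in d for d in ds)
    anchored = any(d[1].endswith("$") for d in split)
    return anchored and sets_path_info and not has_guard


def audit(conf: str):
    """Return (location pattern, risky?) for every location block in `conf`."""
    return [(m.group(1).strip(), location_is_risky(m.group(2)))
            for m in LOCATION_RE.finditer(conf)]


def php_version_patched(version: str) -> bool:
    """True if `version` ('major.minor.patch') is at or above the fixed release
    of its branch. 7.4 and later shipped after the fix; 7.0 and older were
    end-of-life before it and are treated as unpatched."""
    major, minor, patch = (int(x) for x in version.split(".")[:3])
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return (major, minor) >= (7, 4)
    return (major, minor, patch) >= fixed


if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("fixed", FIXED_CONF)):
        for pattern, risky in audit(conf):
            print(f"{name}: location {pattern!r} -> {'RISKY' if risky else 'ok'}")
```

Both checks matter: a patched PHP is safe regardless of the NGINX configuration, and an NGINX block with the try_files guard is safe regardless of the PHP version, so a host is worth escalating only when it fails both. The configuration check is a heuristic over a simplified parse and should be confirmed against the full server configuration, including any included files.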

Continue reading …