CoalfireOne℠ - Scans Newsletter

October 2017 | Volume 8

Fill Out Your Special Notes

As a reminder, applicable "Special Notes" are now required to be filled in before being issued a passing scan report. Scans that return "Special Notes" are marked as a fail until the client submits Special Notes for ASV review.

To view our previous newsletter about Special Notes and what is needed for a passing scan, please click here.

Apache Struts Vulnerability

What is Apache Struts?
Apache Struts is a software toolkit for creating Java-based web applications that run on your web server.

Why is it vulnerable?
CVE-2017-9805: The REST Plugin in Apache Struts 2.1.2 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.

What Should You Do?

If you are using Apache Struts, upgrade to the latest version (2.5.13 or 2.3.34) as well as to continue to scan your environment on a monthly basis.

On a weekly basis Coalfire updates its scanning templates to ensure that its clients are getting the most in-depth scanning as well as to keep up with new vulnerabilities that are being identified.

Selecting the Appropriate Dispute Type

There has been a lot of discussion on which dispute type is acceptable and which is not. Per PCI Guidelines, Medium and High vulnerabilities must be addressed either by Remediation, Compensating Controls or prove the finding is a False Positive. This means Medium and High vulnerabilities must be submitted as a False Positive or Compensating Control while Acceptable Risk and Acceptable Use dispute types will not be accepted for external PCI scans.

If you have any questions regarding which dispute type to select when submitting disputes, please feel free to reach out to scandesk@coalfire.com.

Have a question about CoalfireOne?

The ScanDesk is ready to help. M-F: 6 AM-6 PM MT
650-597-4510 | scandesk@coalfire.com

Did you know?

  • Per PCI guidelines, disputes can be accepted for a period no longer than 90 days. CoalfireOne has a “Disputes by Vulnerability” option to lighten the load of submitting disputes from quarter to quarter.
  • Timely dispute response. Once a dispute is submitted, you will receive information if the dispute has been accepted or rejected within 5 business days. If the disputes have been rejected, a detailed explanation will be provided by a CoalfireOne representative.

<< Go Back

 

Friendly Reminders

Scan at least Monthly

  • Vulnerabilities are discovered every day. Coalfire recommends you to run automatic scans at least monthly, so you’ll always have the current vulnerability information for your hosts. This also allows those who complete ASV scans to identify vulnerabilities on hosts sooner, allowing for time to remediate before the end of the 90-day period.
Removal of SSL and early TLS
  • “SSL and early TLS have been removed as an example of strong cryptography in the PCI DSS. These protocols will no longer protect cardholder data – and can no longer be used as a security control after June 30, 2016 or June 20, 2018 for Merchants.” – PCI Council.
  • Even though the migration deadline for early TLS is June 20, 2018, a mitigation and migration plan is required to be in place now. As your ASV, a dispute will not be approved unless a migration and mitigation plan has been attested to.

CoalfireOne standard maintenance windows:

Every other Monday
4-6:30 PM PT

Every Thursday
12-3 PM PT