Just in case any of you are being scanned for PCI compliance, you may want
this heads-up that it's now checking for the HTTPoxy unhandled PROXY header
vuln (https://httpoxy.org/).
I blocked PROXY headers in IIS (and cleaned up some old PHP references in
CGI settings) but I still was failing the scan.
Turns out older versions of Tomcat have the vulnerability (I was running
8.0.24) https://www.apache.org/security/asf-httpoxy-response.txt
Upgrade to 8.0.36 seems to have sorted the issue.
(FWIW the new PCI scan also checks for Sweet32 vulns in 64-bit ciphers,
i.e. DES-CBC3-SHA, so you'll have to deal with those too.)
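The mechanism behind the PROXY header finding, as an added example that is not part of the original post and not code from IIS or Tomcat: a client-supplied `Proxy` request header becomes the `HTTP_PROXY` CGI meta-variable under the usual RFC 3875 header-to-environment mapping, which many HTTP client libraries read as their outbound proxy setting. The block parses a constructed request, builds the CGI environment with and without the front-end mitigation (dropping the header before the script ever sees it), and includes a simple detection check you can use as a log or WAF rule. The request text, hostname and function names are all assumptions made for this example.

```python
# Added example (not from the original post). Demonstrates how a "Proxy"
# request header turns into HTTP_PROXY for a CGI child, the front-end
# mitigation (drop the header), and a detection check for such requests.
from typing import Dict, Optional, Tuple

# Constructed sample request; the "Proxy" header is the httpoxy trigger.
SAMPLE_REQUEST = (
    "GET /cgi-bin/app.cgi HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Proxy: http://proxy.invalid:8080\r\n"
    "User-Agent: pci-scanner/1.0\r\n"
    "\r\n"
)


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request head into (method, path, headers)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return method, path, headers


def cgi_environment(method: str, path: str, headers: Dict[str, str],
                    strip_proxy: bool = True) -> Dict[str, str]:
    """Build RFC 3875 meta-variables for a CGI script.

    Every request header becomes HTTP_<NAME> (upper-cased, '-' -> '_'),
    which is exactly why a "Proxy" header lands on HTTP_PROXY.  With
    strip_proxy=True (the mitigation the post applied in IIS) the header
    is discarded before the environment is built.
    """
    env = {"REQUEST_METHOD": method, "SCRIPT_NAME": path}
    for name, value in headers.items():
        if strip_proxy and name.lower() == "proxy":
            continue
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def proxy_seen_by_script(env: Dict[str, str]) -> Optional[str]:
    """What a client library that honours HTTP_PROXY would use as its
    outbound proxy when run inside this CGI environment (None if unset)."""
    return env.get("HTTP_PROXY")


def flag_proxy_header(headers: Dict[str, str]) -> bool:
    """Detection rule: no legitimate client sends a "Proxy" request header,
    so its presence is worth logging or blocking at the front end."""
    return any(name.lower() == "proxy" for name in headers)


if __name__ == "__main__":
    method, path, headers = parse_request(SAMPLE_REQUEST)
    print("request carries Proxy header:", flag_proxy_header(headers))
    unpatched = cgi_environment(method, path, headers, strip_proxy=False)
    patched = cgi_environment(method, path, headers, strip_proxy=True)
    print("unpatched child would proxy via:", proxy_seen_by_script(unpatched))
    print("patched child would proxy via:  ", proxy_seen_by_script(patched))
```

Dropping the header at the reverse proxy or web server is the same fix the Apache response linked in the post describes for its own products; the check in `flag_proxy_header` is the thing to alert on, since the header has no legitimate use.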