-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                   AUSCERT Security Bulletin ASB-2013.0124
     A number of vulnerabilities have been identified in McAfee ePolicy
                                Orchestrator
                              7 November 2013
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              McAfee ePolicy Orchestrator
Operating System:     Windows Server 2003
                      Windows Server 2008
                      Windows Server 2008 R2
                      Windows Server 2008 with Hyper-V
                      VMware ESX Server
                      Citrix XenServer
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Modify Arbitrary Files          -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
                      Access Confidential Data        -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-5830 CVE-2013-5825 CVE-2013-5823 CVE-2013-5802
                      CVE-2013-5782 CVE-2013-5780 CVE-2013-4002
Member content until: Saturday, December 7 2013
Reference:            ASB-2013.0113
                      ESB-2013.1577
                      ESB-2013.1556
                      ESB-2013.1511
                      ESB-2013.1499
                      ESB-2013.1493
                      ESB-2013.1491
                      ESB-2013.1480
                      ESB-2013.1468

OVERVIEW

        A number of vulnerabilities have been identified in McAfee ePolicy
        Orchestrator prior to version 4.6.7 or 5.1. [1]

IMPACT

        The vendor has provided the following details regarding these
        vulnerabilities:

        "ePO is vulnerable to seven of the CVEs reported in Oracle's
        October 15, 2013 Java SE update. Collectively, these vulnerabilities
        could allow unauthorized disclosure of information, unauthorized
        modification, or disruption of service.

        CVE-2013-5782 McAfee ePO and Oracle JRE (Base CVSS Score = 10.0)

        Vulnerability in the Java SE, JRockit, Java SE Embedded component of
        Oracle Java SE (subcomponent: 2D). Supported versions that are
        affected are Java SE 7u40 and earlier, Java SE 6u60 and earlier,
        Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit
        R27.7.6 and earlier and Java SE Embedded 7u40 and earlier. Easily
        exploitable vulnerability allows successful unauthenticated network
        attacks via multiple protocols. Successful attack of this
        vulnerability can result in unauthorized Operating System takeover
        including arbitrary code execution.

        Note: Applies to client and server deployment of Java. This
        vulnerability can be exploited through sandboxed Java Web Start
        applications and sandboxed Java applets. It can also be exploited by
        supplying data to APIs in the specified Component without using
        sandboxed Java Web Start applications or sandboxed Java applets, such
        as through a web service.

        http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5782

        CVE-2013-5802 McAfee ePO and Oracle JRE (Base CVSS Score = 10.0)

        Vulnerability in the Java SE, JRockit, Java SE Embedded component of
        Oracle Java SE (subcomponent: JAXP). Supported versions that are
        affected are Java SE 7u40 and earlier, Java SE 6u60 and earlier,
        Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit
        R27.7.6 and earlier and Java SE Embedded 7u40 and earlier. Easily
        exploitable vulnerability allows successful unauthenticated network
        attacks via multiple protocols. Successful attack of this
        vulnerability can result in unauthorized update, insert or delete
        access to some Java SE, JRockit, Java SE Embedded accessible data as
        well as read access to a subset of Java SE, JRockit, Java SE Embedded
        accessible data and ability to cause a partial denial of service
        (partial DOS) of Java SE, JRockit, Java SE Embedded.

        Note: Applies to client and server deployment of Java. This
        vulnerability can be exploited through sandboxed Java Web Start
        applications and sandboxed Java applets. It can also be exploited by
        supplying data to APIs in the specified Component without using
        sandboxed Java Web Start applications or sandboxed Java applets, such
        as through a web service.

        http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5802

        CVE-2013-5830 McAfee ePO and Oracle JRE (Base CVSS Score = 10.0)

        Vulnerability in the Java SE, JRockit, Java SE Embedded component of
        Oracle Java SE (subcomponent: Libraries). Supported versions that are
        affected are Java SE 7u40 and earlier, Java SE 6u60 and earlier,
        Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit
        R27.7.6 and earlier and Java SE Embedded 7u40 and earlier. Easily
        exploitable vulnerability allows successful unauthenticated network
        attacks via multiple protocols. Successful attack of this
        vulnerability can result in unauthorized Operating System takeover
        including arbitrary code execution.

        Note: Applies to client and server deployment of Java. This
        vulnerability can be exploited through sandboxed Java Web Start
        applications and sandboxed Java applets. It can also be exploited by
        supplying data to APIs in the specified Component without using
        sandboxed Java Web Start applications or sandboxed Java applets, such
        as through a web service.

        http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5830

        CVE-2013-4002 McAfee ePO and Oracle JRE (Base CVSS Score = 7.1)

        Vulnerability in the Java SE, JRockit, Java SE Embedded component of
        Oracle Java SE (subcomponent: JAXP). Supported versions that are
        affected are Java SE 7u40 and earlier, Java SE 6u60 and earlier,
        Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit
        R27.7.6 and earlier and Java SE Embedded 7u40 and earlier. Easily
        exploitable vulnerability allows successful unauthenticated network
        attacks via multiple protocols. Successful attack of this
        vulnerability can result in unauthorized ability to cause a partial
        denial of service (partial DOS) of Java SE, JRockit, Java SE
        Embedded.

        Note: Applies to client and server deployment of Java. This
        vulnerability can be exploited through sandboxed Java Web Start
        applications and sandboxed Java applets. It can also be exploited by
        supplying data to APIs in the specified Component without using
        sandboxed Java Web Start applications or sandboxed Java applets, such
        as through a web service.

        http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4002

        CVE-2013-5823 McAfee ePO and Oracle JRE (Base CVSS Score = 5.0)

        Vulnerability in the Java SE, JRockit, Java SE Embedded component of
        Oracle Java SE (subcomponent: Security). Supported versions that are
        affected are Java SE 7u40 and earlier, Java SE 6u60 and earlier,
        JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier and Java SE
        Embedded 7u40 and earlier. Easily exploitable vulnerability allows
        successful unauthenticated network attacks via multiple protocols.
        Successful attack of this vulnerability can result in unauthorized
        ability to cause a partial denial of service (partial DOS) of Java
        SE, JRockit, Java SE Embedded.

        Note: Applies to client and server deployment of Java. This
        vulnerability can be exploited through sandboxed Java Web Start
        applications and sandboxed Java applets. It can also be exploited by
        supplying data to APIs in the specified Component without using
        sandboxed Java Web Start applications or sandboxed Java applets, such
        as through a web service.

        http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5823

        CVE-2013-5825 McAfee ePO and Oracle JRE (Base CVSS Score = 5.0)

        Vulnerability in the Java SE, JRockit, Java SE Embedded component of
        Oracle Java SE (subcomponent: JAXP). Supported versions that are
        affected are Java SE 7u40 and earlier, Java SE 6u60 and earlier,
        Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit
        R27.7.6 and earlier and Java SE Embedded 7u40 and earlier. Easily
        exploitable vulnerability allows successful unauthenticated network
        attacks via multiple protocols. Successful attack of this
        vulnerability can result in unauthorized ability to cause a partial
        denial of service (partial DOS) of Java SE, JRockit, Java SE
        Embedded.

        Note: Applies to client and server deployment of Java. This
        vulnerability can be exploited through sandboxed Java Web Start
        applications and sandboxed Java applets. It can also be exploited by
        supplying data to APIs in the specified Component without using
        sandboxed Java Web Start applications or sandboxed Java applets, such
        as through a web service.

        http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5825

        CVE-2013-5780 McAfee ePO and Oracle JRE (Base CVSS Score = 4.3)

        Vulnerability in the Java SE, JRockit, Java SE Embedded component of
        Oracle Java SE (subcomponent: Libraries). Supported versions that are
        affected are Java SE 7u40 and earlier, Java SE 6u60 and earlier,
        Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit
        R27.7.6 and earlier and Java SE Embedded 7u40 and earlier. Difficult
        to exploit vulnerability allows successful unauthenticated network
        attacks via multiple protocols. Successful attack of this
        vulnerability can result in unauthorized read access to a subset of
        Java SE, JRockit, Java SE Embedded accessible data.

        Note: Applies to client and server deployment of Java. This
        vulnerability can be exploited through sandboxed Java Web Start
        applications and sandboxed Java applets. It can also be exploited by
        supplying data to APIs in the specified Component without using
        sandboxed Java Web Start applications or sandboxed Java applets, such
        as through a web service.

        http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5780" [1]

MITIGATION

        The vendor recommends applying the appropriate patch or upgrading to
        the latest release to correct these issues. [1]

REFERENCES

        [1] McAfee Security Bulletin - ePO update fixes multiple Java
            vulnerabilities reported by Oracle
            https://kc.mcafee.com/corporate/index?page=content&id=SB10058

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures.

AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
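A version-triage helper added here as an editorial example (it is not part of the AusCERT bulletin or of McAfee's own tooling): given an ePO build number or the version string of the JRE it bundles, it reports whether the version falls inside the affected ranges stated above. It assumes that "prior to version 4.6.7 or 5.1" names two separate release lines, so every 5.0.x build counts as affected, and it accepts both Oracle's "7u40" spelling and the "1.7.0_40" form printed by `java -version`; the host inventory is constructed sample data.

```python
"""Editorial example, not McAfee or AusCERT code: version triage against the
affected ranges stated in ASB-2013.0124.

Assumption: "prior to version 4.6.7 or 5.1" names two ePO release lines, so
4.x builds are fixed at 4.6.7 and 5.x builds at 5.1 (every 5.0.x is affected).
"""
import re

EPO_FIXED = {4: (4, 6, 7), 5: (5, 1, 0)}     # first fixed build per ePO line
JRE_LAST_AFFECTED = {5: 51, 6: 60, 7: 40}    # 5.0u51, 6u60, 7u40 and earlier


def parse_epo(version):
    """'4.6.6' -> (4, 6, 6); '5.1' -> (5, 1, 0); extra build fields dropped."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def epo_is_affected(version):
    """True when the build predates the fix for its own release line."""
    v = parse_epo(version)
    fixed = EPO_FIXED.get(v[0])
    if fixed is None:
        return False          # release line not covered by this bulletin
    return v < fixed          # (5, 0, x) < (5, 1, 0), so 5.0.x is affected


def parse_jre(version):
    """Accept Oracle's '7u40' / '5.0u51' and `java -version`'s '1.7.0_40'."""
    m = re.fullmatch(r"(?:1\.)?(\d+)(?:\.0)?[u_](\d+)", version.strip())
    if not m:
        raise ValueError("unrecognised JRE version: %r" % version)
    return int(m.group(1)), int(m.group(2))


def jre_is_affected(version):
    """True when the update number is at or below the bulletin's ceiling."""
    major, update = parse_jre(version)
    if major not in JRE_LAST_AFFECTED:
        return False          # release line not covered by this bulletin
    return update <= JRE_LAST_AFFECTED[major]


if __name__ == "__main__":
    # Constructed sample inventory: (host, ePO build, bundled JRE) triples.
    inventory = [("epo-prod-01", "4.6.6", "1.7.0_40"),
                 ("epo-prod-02", "5.0.1", "1.7.0_45"),
                 ("epo-lab-01", "4.6.7", "1.6.0_65")]
    for host, epo, jre in inventory:
        hits = [name for name, hit in (("ePO", epo_is_affected(epo)),
                                       ("JRE", jre_is_affected(jre))) if hit]
        print("%-12s ePO %-6s JRE %-9s -> %s"
              % (host, epo, jre, ", ".join(hits) or "patched"))
```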