-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2013.0124
        A number of vulnerabilities have been identified in McAfee
                           ePolicy Orchestrator
                              7 November 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              McAfee ePolicy Orchestrator
Operating System:     Windows Server 2003
                      Windows Server 2008
                      Windows Server 2008 R2
                      Windows Server 2008 with Hyper-V
                      VMware ESX Server
                      Citrix XenServer
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Modify Arbitrary Files          -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
                      Access Confidential Data        -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-5830 CVE-2013-5825 CVE-2013-5823
                      CVE-2013-5802 CVE-2013-5782 CVE-2013-5780
                      CVE-2013-4002  
Member content until: Saturday, December  7 2013
Reference:            ASB-2013.0113
                      ESB-2013.1577
                      ESB-2013.1556
                      ESB-2013.1511
                      ESB-2013.1499
                      ESB-2013.1493
                      ESB-2013.1491
                      ESB-2013.1480
                      ESB-2013.1468

OVERVIEW

        A number of vulnerabilities have been identified in McAfee ePolicy 
        Orchestrator prior to version 4.6.7 or 5.1. [1]


IMPACT

        The vendor has provided the following details regarding these 
        vulnerabilities:
        
        "ePO is vulnerable to seven of the CVEs reported in Oracle's October 
        15, 2013 Java SE update. Collectively, these vulnerabilities could 
        allow unauthorized disclosure of information, unauthorized 
        modification, or disruption of service. 
        
            CVE-2013-5782 McAfee ePO and Oracle JRE (Base CVSS Score = 10.0)
            Vulnerability in the Java SE, JRockit, Java SE Embedded component 
            of Oracle Java SE (subcomponent: 2D). Supported versions that are 
            affected are Java SE 7u40 and earlier, Java SE 6u60 and earlier, 
            Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit
            R27.7.6 and earlier and Java SE Embedded 7u40 and earlier. Easily 
            exploitable vulnerability allows successful unauthenticated 
            network attacks via multiple protocols. Successful attack of this
            vulnerability can result in unauthorized Operating System takeover
            including arbitrary code execution. Note: Applies to client and 
            server deployment of Java. This vulnerability can be exploited 
            through sandboxed Java Web Start applications and sandboxed Java 
            applets. It can also be exploited by supplying data to APIs in the 
            specified Component without using sandboxed Java Web Start 
            applications or sandboxed Java applets, such as through a web 
            service.
            http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5782 
             
            CVE-2013-5802 McAfee ePO and Oracle JRE (Base CVSS Score = 10.0)
            Vulnerability in the Java SE, JRockit, Java SE Embedded component 
            of Oracle Java SE (subcomponent: JAXP). Supported versions that are
            affected are Java SE 7u40 and earlier, Java SE 6u60 and earlier, 
            Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit 
            R27.7.6 and earlier and Java SE Embedded 7u40 and earlier. Easily 
            exploitable vulnerability allows successful unauthenticated network
            attacks via multiple protocols. Successful attack of this 
            vulnerability can result in unauthorized update, insert or delete 
            access to some Java SE, JRockit, Java SE Embedded accessible data 
            as well as read access to a subset of Java SE, JRockit, Java SE 
            Embedded accessible data and ability to cause a partial denial of 
            service (partial DOS) of Java SE, JRockit, Java SE Embedded. Note: 
            Applies to client and server deployment of Java. This vulnerability 
            can be exploited through sandboxed Java Web Start applications and 
            sandboxed Java applets. It can also be exploited by supplying data 
            to APIs in the specified Component without using sandboxed Java Web
            Start applications or sandboxed Java applets, such as through a web
            service.
            http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5802
             
            CVE-2013-5830 McAfee ePO and Oracle JRE (Base CVSS Score = 10.0)
            Vulnerability in the Java SE, JRockit, Java SE Embedded component
            of Oracle Java SE (subcomponent: Libraries). Supported versions 
            that are affected are Java SE 7u40 and earlier, Java SE 6u60 and 
            earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, 
            JRockit R27.7.6 and earlier and Java SE Embedded 7u40 and earlier.
            Easily exploitable vulnerability allows successful unauthenticated 
            network attacks via multiple protocols. Successful attack of this 
            vulnerability can result in unauthorized Operating System takeover 
            including arbitrary code execution. Note: Applies to client and 
            server deployment of Java. This vulnerability can be exploited 
            through sandboxed Java Web Start applications and sandboxed Java 
            applets. It can also be exploited by supplying data to APIs in the
            specified Component without using sandboxed Java Web Start 
            applications or sandboxed Java applets, such as through a web 
            service.
            http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5830
             
            CVE-2013-4002 McAfee ePO and Oracle JRE (Base CVSS Score = 7.1)
            Vulnerability in the Java SE, JRockit, Java SE Embedded component 
            of Oracle Java SE (subcomponent: JAXP). Supported versions that are
            affected are Java SE 7u40 and earlier, Java SE 6u60 and earlier, 
            Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit 
            R27.7.6 and earlier and Java SE Embedded 7u40 and earlier. Easily 
            exploitable vulnerability allows successful unauthenticated network
            attacks via multiple protocols. Successful attack of this 
            vulnerability can result in unauthorized ability to cause a partial
            denial of service (partial DOS) of Java SE, JRockit, Java SE 
            Embedded. Note: Applies to client and server deployment of Java. 
            This vulnerability can be exploited through sandboxed Java Web 
            Start applications and sandboxed Java applets. It can also be 
            exploited by supplying data to APIs in the specified Component 
            without using sandboxed Java Web Start applications or sandboxed
            Java applets, such as through a web service.
            http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4002
             
            CVE-2013-5823 McAfee ePO and Oracle JRE (Base CVSS Score = 5.0)
            Vulnerability in the Java SE, JRockit, Java SE Embedded component 
            of Oracle Java SE (subcomponent: Security). Supported versions that
            are affected are Java SE 7u40 and earlier, Java SE 6u60 and 
            earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier
            and Java SE Embedded 7u40 and earlier. Easily exploitable 
            vulnerability allows successful unauthenticated network attacks 
            via multiple protocols. Successful attack of this vulnerability can
            result in unauthorized ability to cause a partial denial of service
            (partial DOS) of Java SE, JRockit, Java SE Embedded. Note: Applies
            to client and server deployment of Java. This vulnerability can be 
            exploited through sandboxed Java Web Start applications and 
            sandboxed Java applets. It can also be exploited by supplying data
            to APIs in the specified Component without using sandboxed Java Web
            Start applications or sandboxed Java applets, such as through a web
            service.
            http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5823
             
            CVE-2013-5825 McAfee ePO and Oracle JRE (Base CVSS Score = 5.0)
            Vulnerability in the Java SE, JRockit, Java SE Embedded component 
            of Oracle Java SE (subcomponent: JAXP). Supported versions that 
            are affected are Java SE 7u40 and earlier, Java SE 6u60 and 
            earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, 
            JRockit R27.7.6 and earlier and Java SE Embedded 7u40 and earlier.
            Easily exploitable vulnerability allows successful unauthenticated
            network attacks via multiple protocols. Successful attack of this 
            vulnerability can result in unauthorized ability to cause a partial
            denial of service (partial DOS) of Java SE, JRockit, Java SE 
            Embedded. Note: Applies to client and server deployment of Java. 
            This vulnerability can be exploited through sandboxed Java Web 
            Start applications and sandboxed Java applets. It can also be 
            exploited by supplying data to APIs in the specified Component 
            without using sandboxed Java Web Start applications or sandboxed 
            Java applets, such as through a web service.
            http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5825
             
            CVE-2013-5780 McAfee ePO and Oracle JRE (Base CVSS Score = 4.3)
            Vulnerability in the Java SE, JRockit, Java SE Embedded component 
            of Oracle Java SE (subcomponent: Libraries). Supported versions 
            that are affected are Java SE 7u40 and earlier, Java SE 6u60 and
            earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, 
            JRockit R27.7.6 and earlier and Java SE Embedded 7u40 and earlier.
            Difficult to exploit vulnerability allows successful 
            unauthenticated network attacks via multiple protocols. 
            Successful attack of this vulnerability can result in 
            unauthorized read access to a subset of Java SE, JRockit, Java 
            SE Embedded accessible data. Note: Applies to client and server 
            deployment of Java. This vulnerability can be exploited through 
            sandboxed Java Web Start applications and sandboxed Java applets.
            It can also be exploited by supplying data to APIs in the 
            specified Component without using sandboxed Java Web Start 
            applications or sandboxed Java applets, such as through a web 
            service.
            http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5780" [1] 


MITIGATION

        The vendor recommends applying the appropriate patch or upgrading to
        the latest release to correct these issues. [1]


REFERENCES

        [1] McAfee Security Bulletin - ePO update fixes multiple Java
            vulnerabilities reported by Oracle
            https://kc.mcafee.com/corporate/index?page=content&id=SB10058

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUnrhUhLndAQH1ShLAQLUkBAAlxRn+V/VkPIegTNVbkK9zHQtk/VwbZIC
MT+gBn2pdDPF3B7Beih91lP2l54CnLy//krfLtnhbVf7ihrhRlkEVa7XXrNaeJo4
ymRW6WE23LYmfCUvdX4pSyq/7Ol8PqG21WWBv1u7Pt7vzc8p40Lgf/emz2YSxWfz
seqfR0DZst8bnZa5n0opqWacS6CMxSq9UYouM67Gofud4J8UkhJViPaUWswV/KII
ICeTk7Y3T0H0IXTTRnHYtyYb3revFBPqljxqXKjGij7EEBFlzQvMha7r6mKqQsPk
/OivOluoCFDsFVFaCadcFW7YoyXs/fQ/K6iLnqUyD/2auEoYxtgbF51JvoGNzckj
JwKtSC3jqsRMFMPPDUNK2G5No9gvjFbB8akArTCr3OqeXu3dcY/2kyA3pTPmwSLf
pOwTSVh1MTcP5KPJQMHb8rrnomDHMVumpuvPUIupLoU/+EW+tousAT00d9dGXKJ8
H7jkr4bqZcx8XUAfcYHA3SpU7YTQ9v3GaOacf3vZ3t3WgJtqpW3ymK7XRYKX1qiS
6VH4aGvawUpfLHe4lVUhQKPLKSW97zK0qYc7m++FxT6DHPaKqarrvgRlNDz9ZJvR
uDG84ust2Igos1dnUsKm2Lzehgc5cds7vVtQaz+xvCsnRezeAx3eHkWAEZQSwy5t
XI0SV8ZNgXc=
=hbb2
-----END PGP SIGNATURE-----