===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0048
      Two vulnerabilities have been identified in McAfee Asset Manager
                               11 April 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              McAfee Asset Manager
Operating System:     Network Appliance
Impact/Access:        Execute Arbitrary Code/Commands -- Existing Account
                      Access Confidential Data        -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-2588 CVE-2014-2587
Member content until: Sunday, May 11 2014

OVERVIEW

        Two vulnerabilities have been identified in McAfee Asset Manager
        6.6.126 and 6.5.x. [1]

IMPACT

        The vendor has provided the following information about the
        vulnerabilities:

        "CVE-2014-2587
        SQL injection vulnerability in McAfee Asset Manager 6.6 allows remote
        authenticated users to execute SQL commands via the username of an
        audit report.
        http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2587

        This flaw is encountered if the user logs on with a username and
        password to the MAM Console and runs a specific servlet action or
        tries to download a specific report.

        CVE-2014-2588
        Directory traversal vulnerability in McAfee Asset Manager 6.6 allows
        remote authenticated users to read through a parameter.
        http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2588" [1]

MITIGATION

        The vendor recommends upgrading to McAfee Asset Manager 6.6.141 or
        later.

REFERENCES

        [1] McAfee Security Bulletin – McAfee Asset Manager 6.6 update fixes
            two zero-day vulnerabilities
            https://kc.mcafee.com/corporate/index?page=content&id=SB10070

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
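The two bug classes named in the IMPACT section, as an added example that is not McAfee's or AusCERT's code: a report lookup keyed by username in a concatenated query beside its parameterized form, and a path check for a file-name parameter that refuses to leave the report directory. The table, directory, file names and test inputs are constructed.

```python
# Added illustration of the bulletin's two bug classes (not product code).
# Sample table, paths and probe inputs are constructed for the demo.
import sqlite3
from pathlib import Path
from typing import List, Optional


def _db() -> sqlite3.Connection:
    """In-memory stand-in for an audit-report table (constructed rows)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE audit_reports (id INTEGER, username TEXT, title TEXT)")
    con.executemany(
        "INSERT INTO audit_reports VALUES (?, ?, ?)",
        [(1, "alice", "q1-scan"), (2, "bob", "q1-scan"), (3, "carol", "q2-scan")],
    )
    return con


def reports_for_user_unsafe(con: sqlite3.Connection, username: str) -> List[int]:
    """Vulnerable: the username is spliced into the SQL text, so a quote
    inside it ends the literal and the rest is parsed as SQL."""
    sql = "SELECT id FROM audit_reports WHERE username = '" + username + "'"
    return [row[0] for row in con.execute(sql)]


def reports_for_user_safe(con: sqlite3.Connection, username: str) -> List[int]:
    """Hardened: a bound parameter is passed as data and never parsed as SQL."""
    sql = "SELECT id FROM audit_reports WHERE username = ?"
    return [row[0] for row in con.execute(sql, (username,))]


def resolve_report_file(base_dir: str, requested: str) -> Optional[Path]:
    """Hardened path handling for a file-name parameter: canonicalise both
    sides and accept only a path strictly inside base_dir. Returns None when
    the request (via '..' segments or an absolute path) escapes it."""
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()
    if target != base and base in target.parents:
        return target
    return None


if __name__ == "__main__":
    con = _db()
    probe = "x' OR '1'='1"  # constructed test input, not a real username
    print(reports_for_user_unsafe(con, probe))  # all three ids: the query was altered
    print(reports_for_user_safe(con, probe))    # []: compared as a plain string
    print(resolve_report_file("/srv/mam/reports", "../../outside.txt"))  # None
    print(resolve_report_file("/srv/mam/reports", "q1-scan.pdf"))        # inside base
```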