===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0048
     Two vulnerabilities have been identified in McAfee Asset Manager
                               11 April 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              McAfee Asset Manager
Operating System:     Network Appliance
Impact/Access:        Execute Arbitrary Code/Commands -- Existing Account
                      Access Confidential Data        -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-2588 CVE-2014-2587
Member content until: Sunday, May 11 2014

OVERVIEW

        Two vulnerabilities have been identified in McAfee Asset Manager
        6.6.126 and 6.5.x. [1]


IMPACT

        The vendor has provided the following information about the
        vulnerabilities:

        "CVE-2014-2587
        SQL injection vulnerability in McAfee Asset Manager 6.6 allows remote
        authenticated users to execute SQL commands via the username of an
        audit report.

        http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2587

        This flaw is encountered if the user logs on with a username and
        password to the MAM Console and runs a specific servlet action or
        tries to download a specific report.

        CVE-2014-2588

        Directory traversal vulnerability in McAfee Asset Manager 6.6 allows
        remote authenticated users to read through a parameter.

        http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2588" [1]


MITIGATION

        The vendor recommends upgrading to McAfee Asset Manager 6.6.141 or
        later.


REFERENCES

        [1] McAfee Security Bulletin – McAfee Asset Manager 6.6 update fixes
            two zero-day vulnerabilities
            https://kc.mcafee.com/corporate/index?page=content&id=SB10070

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================