Operating System:

[Appliance]

Published:

05 September 2014

Protect yourself against future threats.

//Service

Security Bulletins

Receive up to date and consistent security bulletins across a wide range of vendors, streamlining security patching.

Read more
Resources > Security Bulletins > ASB-2014.0102 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0102
         ePO updates fix multiple Java and OpenSSL vulnerabilities
                             5 September 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              McAfee ePolicy Orchestrator
Operating System:     Network Appliance
Impact/Access:        Access Privileged Data   -- Remote/Unauthenticated      
                      Modify Arbitrary Files   -- Remote/Unauthenticated      
                      Denial of Service        -- Remote/Unauthenticated      
                      Access Confidential Data -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-4264 CVE-2014-4263 CVE-2014-4244
                      CVE-2014-3511  
Member content until: Sunday, October  5 2014
Reference:            https://kc.mcafee.com/corporate/index?page=content&id=SB10083
                      https://kc.mcafee.com/corporate/index?page=content&id=SB10084

OVERVIEW

        Several vulnerabilities in Java have been discovered which McAfee 
        ePolicy Orchestrator (ePO) prior to ePO 4.5.7, ePO 4.6.8 and ePO 
        5.1.1. [1]
        
        A vulnerability in OpenSSL has been discovered which affects McAfee
        ePolicy Orchestrator (ePO). [2]


IMPACT

        The vendor has provided the following details regarding these 
        vulnerabilities:
        
        CVE-2014-4264: "Unspecified vulnerability in Oracle Java SE 7u60 and
        8u5 allows remote attackers to affect availability via unknown 
        vectors related to Security. (Client & Server)". [1]
        
        CVE-2014-4263: "Unspecified vulnerability in Oracle Java SE 5.0u65,
        6u75, 7u60, and 8u5, and JRockit R27.8.2 and R28.3.2, allows remote
        attackers to affect confidentiality and integrity via unknown 
        vectors related to "Diffie-Hellman key agreement." [1]
        
        CVE-2014-4244: "Unspecified vulnerability in Oracle Java SE 5.0u65,
        6u75, 7u60, and 8u5, and JRockit R27.8.2 and JRockit R28.3.2, allows
        remote attackers to affect confidentiality and integrity via unknown
        vectors related to Security. (Client & Server" [1]
        
        CVE-2014-3511: "The ssl23_get_client_hello function in s23_srvr.c in
        OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to 
        force the use of TLS 1.0 by triggering ClientHello message 
        fragmentation in communication between a client and server that both
        support later TLS versions, related to a "protocol downgrade" issue." [2]


MITIGATION

        The vendor recommends users of ePO 4.5.x and 4.6.x should upgrade to
        ePO 4.6.8 and apply hotfix EPOHF983759, and users of ePO 5.0.x and 
        5.1.x should upgrade to ePO 5.1.1 and apply hotfix EPOHF983758 to 
        remediate the Java vulnerabilities. [1]
        
        The vendor also recommends users running ePO 5.1.1 apply the ePO 
        5.1.1 HF988208 hotfix to remediate the OpenSSL vulnerability. [2]


REFERENCES

        [1] McAfee Security Bulletin - ePO update fixes multiple Java
            vulnerabilities reported by Oracle's Q3 2014 Critical Patch Update
            https://kc.mcafee.com/corporate/index?page=content&id=SB10083

        [2] McAfee Security Bulletin - ePO update fixes a security
            vulnerability reported by OpenSSL
            https://kc.mcafee.com/corporate/index?page=content&id=SB10084

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVAlSsRLndAQH1ShLAQIpjhAAufeKQir/tiDPnsPR5dgEmam2OCfuH0T/
r80m2q7VwSxqFd73D4YykUSoGVJgHyBLKFX6jE+bUKyK5wGCzooKKEqHztC6pvIa
9rb4xOdnyYoPi3pEMyLbvG0d8B5x4qFRnWqSkOZlcEYhp3sfVP1dHarOzVQDMpQu
fKzXTyXlkLSubff9h5NCa/8qSpyiNOeELjPORV2iTnHj7bxMpoax3u/V51gnOYsn
TG9+Vc9Bkb6Exs6u9WjjLandTjx5fdJKr7nsA1dtuaWFYkWHIqbRFJz0B+Tae5E5
pkyuSFsKUcNO1qqvwSMQ4vO3wajj4e09J7Z5ACK61yhT2D5jAEDCHRSIzGKQJsfa
EvZ9XHWTqREFC564hXbSr6KbdSOsVjBvVpJUcVK9fRao3I0pKyHxARRt6L1v5HAR
mfJPOTPRku1dU9+vcwH/cmzAgMDJjEu870J+H0IBCnfOaQHbFhLdTAXbK+hyAdiz
6P0dCzQoMab/y1GB5pIE0+VokdfnC8SbT7VKXM2pnD84j61FpQb4N5flDv4Lm5HT
aoi6Evj9HARujKISz775LxZgK22euqWeFBuysfVLssE65KlMwbUp5FFNIam16/P4
4ELRckR6J/3CyYP6j7GcpdIe9PtgGou4rmRM507YiHZhmscV1NwKCcbtDoyMzy4U
ksyZyTP8h2w=
=yDCY
-----END PGP SIGNATURE-----