===========================================================================
AUSCERT Security Bulletin

ASB-2017.0078
ePolicy Orchestrator update fixes multiple Oracle Java vulnerabilities
29 May 2017

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              McAfee ePolicy Orchestrator
Operating System:     Windows Server 2003
                      Windows Server 2008
                      Windows Server 2008 R2
                      Windows Server 2012
                      Windows Server 2012 R2
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Modify Arbitrary Files          -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-3544 CVE-2017-3533 CVE-2017-3526
                      CVE-2017-3511
Member content until: Wednesday, June 28 2017
Reference:            https://kc.mcafee.com/corporate/index?page=content&id=SB10200

OVERVIEW

McAfee Security Bulletin - ePolicy Orchestrator update fixes multiple
Oracle Java vulnerabilities affecting versions prior to:

  5.1.3 and earlier
  5.3.2 and earlier
  5.9.0

IMPACT

The vendor has provided the following information about the
vulnerability:

"This ePO update resolves the following issues:

CVE-2017-3511: This difficult to exploit vulnerability allows an
unauthenticated attacker with a logon to the infrastructure where Java SE
executes to compromise Java SE. Successful attacks require human
interaction from a person other than the attacker and while the
vulnerability is in Java SE, attacks may significantly impact additional
products. Successful attacks of this vulnerability can result in takeover
of Java SE.
Subcomponent: JCE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3511

CVE-2017-3526: This difficult to exploit vulnerability allows an
unauthenticated attacker with network access via multiple protocols to
compromise Java SE. Successful attacks of this vulnerability can result in
an unauthorized ability to cause a hang or frequently repeatable crash
(complete Denial of Service) of Java SE.
Subcomponent: JAXP
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3526

CVE-2017-3533: This difficult to exploit vulnerability allows an
unauthenticated attacker with network access via FTP to compromise Java
SE. Successful attacks of this vulnerability can result in unauthorized
update, insert, or delete access to some of Java SE accessible data.
Subcomponent: Networking
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3533

CVE-2017-3544: This difficult to exploit vulnerability allows an
unauthenticated attacker with network access via SMTP to compromise Java
SE. Successful attacks of this vulnerability can result in unauthorized
update, insert, or delete access to some of Java SE accessible data.
Subcomponent: Networking
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3544

Affected Component: ePO Java core web services" [1]

MITIGATION

The vendor recommends applying the relevant patches to address this
issue:

"Users of ePO 5.1.x should upgrade to ePO 5.1.3, 5.3.1, or 5.3.2 and then
apply hotfix epo51x53xHF1191750.zip.

Users of ePO 5.3.0 should upgrade to ePO 5.3.1 or 5.3.2 and then apply
hotfix epo51x53xHF1191750.zip.

Users of ePO 5.9.0 should apply hotfix epo590HF1191751.zip.

Refer to the upgrade instructions in the Hotfix Release Notes for further
details.

NOTE: All FIPS 140-2 installed customers running ePO 4.6.4 can upgrade to
ePO 5.1.x for maintaining FIPS compliant installations.

Go to the Product Downloads site and download the applicable product
patch/hotfix files:

Product     Type     File Name                 Release Date
ePO 5.1.3   Hotfix   epo51x53xHF1191750.zip    May 25, 2017
ePO 5.3.1   Hotfix   epo51x53xHF1191750.zip    May 25, 2017
ePO 5.3.2   Hotfix   epo51x53xHF1191750.zip    May 25, 2017
ePO 5.9.0   Hotfix   epo590HF1191751.zip       May 25, 2017" [1]

REFERENCES

[1] McAfee Security Bulletin - ePolicy Orchestrator update fixes multiple
    Oracle Java vulnerabilities
    https://kc.mcafee.com/corporate/index?page=content&id=SB10200

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================