===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2017.0078
  ePolicy Orchestrator update fixes multiple Oracle Java vulnerabilities
                                29 May 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              McAfee ePolicy Orchestrator
Operating System:     Windows Server 2003
                      Windows Server 2008
                      Windows Server 2008 R2
                      Windows Server 2012
                      Windows Server 2012 R2
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Modify Arbitrary Files          -- Remote/Unauthenticated      
                      Denial of Service               -- Remote/Unauthenticated      
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-3544 CVE-2017-3533 CVE-2017-3526
                      CVE-2017-3511  
Member content until: Wednesday, June 28 2017
Reference:            https://kc.mcafee.com/corporate/index?page=content&id=SB10200

OVERVIEW

        McAfee Security Bulletin - ePolicy Orchestrator update fixes 
        multiple Oracle Java vulnerabilities affecting the following versions:
        
        5.1.3 and earlier
        5.3.2 and earlier
        5.9.0


IMPACT

        The vendor has provided the following information about the 
        vulnerabilities:
        
        "This ePO update resolves the following issues:
        
        CVE-2017-3511: This difficult to exploit vulnerability allows an
        unauthenticated attacker with a logon to the infrastructure where 
        Java SE executes to compromise Java SE. Successful attacks require
        human interaction from a person other than the attacker and while 
        the vulnerability is in Java SE, attacks may significantly impact 
        additional products. Successful attacks of this vulnerability can 
        result in takeover of Java SE. Subcomponent: JCE 
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3511
        
        CVE-2017-3526: This difficult to exploit vulnerability allows an
        unauthenticated attacker with network access via multiple protocols
        to compromise Java SE. Successful attacks of this vulnerability can
        result in an unauthorized ability to cause a hang or frequently 
        repeatable crash (complete Denial of Service) of Java SE. 
        Subcomponent: JAXP 
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3526
        
        CVE-2017-3533: This difficult to exploit vulnerability allows an
        unauthenticated attacker with network access via FTP to compromise 
        Java SE. Successful attacks of this vulnerability can result in 
        unauthorized update, insert, or delete access to some of Java SE 
        accessible data. Subcomponent: Networking 
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3533
        
        CVE-2017-3544: This difficult to exploit vulnerability allows an
        unauthenticated attacker with network access via SMTP to compromise
        Java SE. Successful attacks of this vulnerability can result in 
        unauthorized update, insert, or delete access to some of Java SE 
        accessible data. Subcomponent: Networking 
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3544
        
        Affected Component:
        
        ePO Java core web services" [1]


MITIGATION

        The vendor recommends applying the relevant patches to address this issue:
        
        "Users of ePO 5.1.x should upgrade to ePO 5.1.3, 5.3.1, or 5.3.2
        and then apply hotfix epo51x53xHF1191750.zip. Users of ePO 5.3.0 
        should upgrade to ePO 5.3.1 or 5.3.2 and then apply hotfix 
        epo51x53xHF1191750.zip. Users of ePO 5.9.0 should apply hotfix 
        epo590HF1191751.zip.
        
        Refer to the upgrade instructions in the Hotfix Release Notes for 
        further details.
        
        NOTE: All FIPS 140-2 installed customers running ePO 4.6.4 can 
        upgrade to ePO 5.1.x for maintaining FIPS compliant installations.
        
        Go to the Product Downloads site and download the applicable product
        patch/hotfix files:
        
        Product      Type      File Name                 Release Date
        ePO 5.1.3    Hotfix    epo51x53xHF1191750.zip    May 25, 2017
        ePO 5.3.1    Hotfix    epo51x53xHF1191750.zip    May 25, 2017
        ePO 5.3.2    Hotfix    epo51x53xHF1191750.zip    May 25, 2017
        ePO 5.9.0    Hotfix    epo590HF1191751.zip       May 25, 2017" [1]


REFERENCES

        [1] McAfee Security Bulletin - ePolicy Orchestrator update fixes
            multiple Oracle Java vulnerabilities
            https://kc.mcafee.com/corporate/index?page=content&id=SB10200

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================