AUSCERT Security Bulletin
McAfee Security Bulletin - ePolicy Orchestrator update fixes
29 November 2018
AusCERT Security Bulletin Summary
Product: McAfee ePolicy Orchestrator
Operating System: Virtualisation
Impact/Access: Provide Misleading Information -- Remote with User Interaction
CVE Names: CVE-2018-11784
Member content until: Saturday, December 29 2018
McAfee has addressed a Tomcat vulnerability which affects ePolicy
Orchestrator (CVE-2018-11784). 
McAfee has provided the following information about the
"ePO runs on Apache Tomcat and as per the CVE listed below, the Tomcat
update consumed by ePO is possibly vulnerable to invalidated redirects
to any URI of an attacker's choice.
This ePO update resolves the following issue:
When the default servlet returned a redirect to a directory (for
example, redirecting to /foo/ when the user requested /foo) a
specially crafted URL could be used to cause the redirect to be
generated to any URI of the attacker's choice.
ePO web core services" 
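The redirect class described above (a directory redirect whose target is built from the request path) is prevented by validating the redirect target before it is emitted. The following Python is an added illustration of that check, not code from McAfee, Tomcat or AusCERT; the server origin, the function names and the sample locations are assumed values constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed origin of our own server; not a value taken from the bulletin.
SERVER_ORIGIN = "https://epo.example.internal"


def validate_redirect(location: str) -> str:
    """Accept a Location value only if it stays on SERVER_ORIGIN.

    Returns the absolute same-origin URL or raises ValueError. Targets that
    carry a scheme or host (absolute or protocol-relative forms) are accepted
    only when scheme and host equal our own; control characters and
    backslashes are rejected outright so they cannot be reinterpreted by a
    browser as part of a host.
    """
    if any(ord(c) < 0x20 or c == "\\" for c in location):
        raise ValueError("control character or backslash in redirect target")
    parts = urlsplit(location)
    origin = urlsplit(SERVER_ORIGIN)
    if parts.scheme or parts.netloc:
        if (parts.scheme, parts.netloc) != (origin.scheme, origin.netloc):
            raise ValueError(f"off-site redirect rejected: {location}")
    if not parts.path.startswith("/"):
        raise ValueError("redirect path must be absolute")
    # Rebuild the URL from our own origin so the host is never user-derived.
    return urlunsplit((origin.scheme, origin.netloc, parts.path, parts.query, ""))


def directory_redirect(request_path: str) -> str:
    """Canonical redirect for a directory request: /foo -> /foo/.

    The target is derived from the request path and then validated, so the
    response can only ever point back at SERVER_ORIGIN.
    """
    target = request_path if request_path.endswith("/") else request_path + "/"
    return validate_redirect(target)


def is_safe_redirect(location: str) -> bool:
    """Boolean wrapper around validate_redirect for logging or tests."""
    try:
        validate_redirect(location)
        return True
    except ValueError:
        return False
```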
"To remediate this issue:
Users of ePO 5.3.2 or earlier are recommended to upgrade to ePO
5.3.3, 5.9.1, or 5.10 and apply the fix for the version you
upgraded to. See the table below for the relevant fix.
Users of ePO 5.9.0 are recommended to upgrade to ePO 5.9.1 or
5.10 and apply the fix for the version you upgraded to. See the
table below for the relevant fix.
Users of ePO 5.3.3 are recommended to apply EPO533HF1257674.zip.
Users of ePO 5.9.1 are recommended to apply EPO591HF1260432.zip.
Users of ePO 5.10 are recommended to apply ePO 5.10 Update 2.
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.