===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0546
        McAfee ePolicy Orchestrator patches multiple vulnerabilities
                             23 February 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           McAfee ePolicy Orchestrator
Publisher:         McAfee
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-2678 CVE-2018-2663 CVE-2018-2657
                   CVE-2018-2637 CVE-2018-2633 CVE-2018-2629
                   CVE-2018-2618 CVE-2018-2603 CVE-2018-2599
                   CVE-2018-2588 CVE-2018-2582 CVE-2018-2579

Reference:         ASB-2018.0024
                   ESB-2018.0180

Original Bulletin:
   https://kc.mcafee.com/corporate/index?page=content&id=SB10225

--------------------------BEGIN INCLUDED TEXT--------------------

McAfee Security Bulletin - ePolicy Orchestrator update fixes multiple Java vulnerabilities

First Published: February 20, 2018

Impact of Vulnerability:
   Unauthorized Access
   Denial of Service (CWE-730, OWASP 2004:A9)

CVE Numbers:
   CVE-2018-2633
   CVE-2018-2637
   CVE-2018-2582
   CVE-2018-2618
   CVE-2018-2629
   CVE-2018-2603
   CVE-2018-2657
   CVE-2018-2599
   CVE-2018-2678
   CVE-2018-2588
   CVE-2018-2663
   CVE-2018-2579

Severity Rating: High, Medium, Low

CVSS v3 Base and Overall Scores:
   CVE-2018-2633: 8.3/7.2
   CVE-2018-2637: 7.4/6.4
   CVE-2018-2582: 6.5/5.7
   CVE-2018-2618: 5.9/5.2
   CVE-2018-2629: 5.3/4.6
   CVE-2018-2603: 5.3/4.6
   CVE-2018-2657: 5.3/4.6
   CVE-2018-2599: 4.8/4.2
   CVE-2018-2678: 4.3/3.8
   CVE-2018-2588: 4.3/3.8
   CVE-2018-2663: 4.3/3.8
   CVE-2018-2579: 3.7/3.2

Recommendations: Apply the hotfix specified in the Remediation table

Replacement: None

Affected Software:
   • ePolicy Orchestrator (ePO) 5.3.3, 5.3.2, 5.3.1, and 5.3.0
   • ePO 5.9.1 and 5.9.0

Location of updated software:
   http://www.mcafee.com/us/downloads/downloads.aspx

Vulnerability Description

ePO is vulnerable to the Java CVEs mentioned above. This ePO update resolves the following issues:

1) CVE-2018-2633
   Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE.
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2633

2) CVE-2018-2637
   Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized creation, deletion, or modification access to critical data or all Java SE accessible data as well as unauthorized access to critical data or complete access to all Java SE accessible data.
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2637

3) CVE-2018-2582
   Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion, or modification access to critical data or all Java SE accessible data.
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2582

4) CVE-2018-2618
   Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE accessible data.
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2618

5) CVE-2018-2629
   Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion, or modification access to critical data or all Java SE accessible data.
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2629

6) CVE-2018-2603
   Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE.
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2603

7) CVE-2018-2657
   Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE.
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2657

8) CVE-2018-2599
   Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert, or delete access to some of Java SE accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Java SE.
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2599

9) CVE-2018-2678
   Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE.
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2678

10) CVE-2018-2588
   Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data.
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2588

11) CVE-2018-2663
   Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE.
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2663

12) CVE-2018-2579
   Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data.
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2579

Affected Components:
   • ePO Java core web services

Remediation

To remediate this issue:
   • Users of ePO 5.3.2 or earlier are recommended to upgrade to ePO 5.3.3 or 5.9.1 and apply EPO5xHF1225856.
   • Users of ePO 5.3.3 are recommended to apply EPO5xHF1225856.
   • Users of ePO 5.9.0 are recommended to upgrade to ePO 5.9.1 and apply EPO5xHF1225856.
   • Users of ePO 5.9.1 are recommended to apply EPO5xHF1225856.

Go to the Product Downloads site and download the applicable product hotfix files.

Download and Installation Instructions

See KB56057 for instructions on how to download McAfee products, documentation, security updates, patches, and hotfixes. Review the Release Notes and the Installation Guide, which you can download from the Documentation tab, for instructions on how to install these updates.

Product Specific Notes

ePO 5.1.x reached End of Life on December 31, 2017. McAfee highly recommends that all customers upgrade to ePO 5.3.x or 5.9.x.

Workaround

None. McAfee strongly encourages installing the latest ePO hotfix specified in the Remediation table.

Acknowledgements

None.

1.) CVE-2018-2633: McAfee ePO and Java
NOTE: The below CVSS version 3.0 vector was used to generate this score.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C

2.) CVE-2018-2637: McAfee ePO and Java
NOTE: The below CVSS version 3.0 vector was used to generate this score.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C

3.) CVE-2018-2582: McAfee ePO and Java
NOTE: The below CVSS version 3.0 vector was used to generate this score.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C

4.) CVE-2018-2618: McAfee ePO and Java
NOTE: The below CVSS version 3.0 vector was used to generate this score.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C

5.) CVE-2018-2629: McAfee ePO and Java
NOTE: The below CVSS version 3.0 vector was used to generate this score.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C

6.) CVE-2018-2603: McAfee ePO and Java
NOTE: The below CVSS version 3.0 vector was used to generate this score.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C

7.) CVE-2018-2657: McAfee ePO and Java
NOTE: The below CVSS version 3.0 vector was used to generate this score.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C

8.) CVE-2018-2599: McAfee ePO and Java
NOTE: The below CVSS version 3.0 vector was used to generate this score.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L/E:U/RL:O/RC:C

9.) CVE-2018-2678: McAfee ePO and Java
NOTE: The below CVSS version 3.0 vector was used to generate this score.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C

10.) CVE-2018-2588: McAfee ePO and Java
NOTE: The below CVSS version 3.0 vector was used to generate this score.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

11.) CVE-2018-2663: McAfee ePO and Java
NOTE: The below CVSS version 3.0 vector was used to generate this score.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C

12.) CVE-2018-2579: McAfee ePO and Java
NOTE: The below CVSS version 3.0 vector was used to generate this score.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================