[Japanese]

JVNDB-2012-000090

Trend Micro Control Manager vulnerable to SQL injection

Overview

Trend Micro Control Manager contains a SQL injection vulnerability.

Trend Micro Control Manager contains a vulnerability in the ad hoc query module, which may result in SQL injection.

Tom Gregory and Mada R Perdhana of Spentera reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

Base Metrics: 6.5 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products


Trend Micro, Inc.
  • Trend Micro Control Manager prior to 6.0.0.1449 (English version)
  • Trend Micro Control Manager prior to 5.5.0.1823 (English version)
  • Trend Micro Control Manager prior to 5.5.0.1823 (Japanese version)

Impact

An arbitrary SQL command may be executed in the backend database the product is referencing.
Solution

[Apply a patch]
Apply the appropriate patch according to the information provided by the developer.
Vendor Information

Trend Micro, Inc.
CWE (What is CWE?)

  1. SQL Injection(CWE-89) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2012-2998
References

  1. JVN : JVN#42014489
  2. National Vulnerability Database (NVD) : CVE-2012-2998
  3. US-CERT Vulnerability Note : VU#950795
Revision History

[2012/09/27]
  Web page was published