[Japanese]

JVNDB-2017-002290

Trend Micro Control Manager vulnerable to SQL injection

Overview

Trend Micro Control Manager contains multiple SQL injection vulnerabilities.

This advisory refers to the vulnerabilities that are disclosed on the TippingPoint Zero Day Initiative advisories listed below.

TippingPoint Zero Day Initiative
http://www.zerodayinitiative.com/advisories/published/

ZDI-17-180, ZDI-17-181, ZDI-17-182, ZDI-17-183, ZDI-17-184, ZDI-17-185, ZDI-17-186
CVSS Severity (What is CVSS?)

Affected Products


Trend Micro, Inc.
  • Trend Micro Control Manager Version 6.0 prior to build 3506

Impact

* An unauthenticated user may access and read files stored on the server
* A remote attacker may execute arbitrary code, escalate privilege or perform directory traversal attacks
* A remote attacker may cause SQL injection attacks and upload/execute arbitrary code
Solution

[Apply the Patch]
Apply the patch according to the information provided by the developer.
The developer has released Trend Micro Control Manager 6.0 Service Pack 3 Patch 2 Critical Patch (build 3506) to address these vulnerabilities.
Vendor Information

Trend Micro, Inc.
CWE (What is CWE?)

CVE (What is CVE?)

References

  1. JVN : JVNVU#91290407
  2. Related Information : Zero Day Initiative
  3. Related Information : ZDI-17-180
  4. Related Information : ZDI-17-181
  5. Related Information : ZDI-17-182
  6. Related Information : ZDI-17-183
  7. Related Information : ZDI-17-184
  8. Related Information : ZDI-17-185
  9. Related Information : ZDI-17-186
Revision History

  • [2018/01/17]
      Web page was published

Date Public2017/04/07
Date First Published2018/01/17
Date Last Updated2018/01/17