[Japanese]
|
JVNDB-2022-000071
|
Multiple vulnerabilities in Trend Micro Apex One and Trend Micro Apex One as a Service
|
Trend Micro Apex One and Trend Micro Apex One as a Service provided by Trend Micro Incorporated contain multiple vulnerabilities listed below.
* Improper validation in some components of the rollback mechanism (CWE-20) - CVE-2022-40139
* Improper access control (CWE-284) - CVE-2022-40140
* Information exposure (CWE-200) - CVE-2022-40141
* Improper link resolution before file access (CWE-59) - CVE-2022-40142
* Improper link resolution before file access (CWE-59) - CVE-2022-40143
* Improper authentication (CWE-287) - CVE-2022-40144
Trend Micro Incorporated states that attacks exploiting CVE-2022-40139 have been observed.
CVE-2022-40139, CVE-2022-40140, CVE-2022-40141, CVE-2022-40142, CVE-2022-40143
Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.
CVE-2022-40144
Akinori Takeuchi of Cyber Defense Institute, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
CVSS V3 Severity: Base Metrics 7.8 (High) [IPA Score]
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVSS V2 Severity: Base Metrics 6.8 (Medium) [IPA Score]
- Access Vector: Local
- Access Complexity: Low
- Authentication: Single Instance
- Confidentiality Impact: Complete
- Integrity Impact: Complete
- Availability Impact: Complete
The above CVSS base scores have been assigned for CVE-2022-40142
|
CVSS V3 Severity:
Base Metrics
7.2 (High) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: High
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: High
-
Integrity Impact: High
-
Availability Impact: High
CVSS V2 Severity:Base Metrics
6.5 (Medium)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: Partial
-
Integrity Impact: Partial
-
Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2022-40139
|
CVSS V3 Severity:
Base Metrics
5.5 (Medium) [IPA Score]
-
Attack Vector: Local
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: None
-
Integrity Impact: None
-
Availability Impact: High
CVSS V2 Severity:Base Metrics
4.6 (Medium)
[IPA Score]
-
Access Vector: Local
-
Access Complexity: Low
-
Authentication: Single
-
Confidentiality Impact: None
-
Integrity Impact: None
-
Availability Impact: Complete
The above CVSS base scores have been assigned for CVE-2022-40140
|
CVSS V3 Severity:
Base Metrics
5.6 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: High
-
Privileges Required: None
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: Low
-
Integrity Impact: Low
-
Availability Impact: Low
CVSS V2 Severity:Base Metrics
5.1 (Medium)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: High
-
Authentication: None
-
Confidentiality Impact: Partial
-
Integrity Impact: Partial
-
Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2022-40141
|
CVSS V3 Severity:
Base Metrics
7.3 (High) [IPA Score]
-
Attack Vector: Local
-
Attack Complexity: Low
-
Privileges Required: Low
-
User Interaction: Required
-
Scope: Unchanged
-
Confidentiality Impact: High
-
Integrity Impact: High
-
Availability Impact: High
CVSS V2 Severity:Base Metrics
6.6 (Medium)
[IPA Score]
-
Access Vector: Local
-
Access Complexity: Medium
-
Authentication: Single
-
Confidentiality Impact: Complete
-
Integrity Impact: Complete
-
Availability Impact: Complete
The above CVSS base scores have been assigned for CVE-2022-40143
|
CVSS V3 Severity:
Base Metrics
8.2 (High) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: None
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: Low
-
Integrity Impact: None
-
Availability Impact: High
CVSS V2 Severity:Base Metrics
6.4 (Medium)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Low
-
Authentication: None
-
Confidentiality Impact: Partial
-
Integrity Impact: None
-
Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2022-40144
|
|
Trend Micro, Inc.
- Apex One On Premise (2019)
- Apex One as a Service
|
|
* An attacker who can log in to the product's administration console may execute an arbitrary code - CVE-2022-40139
* An attacker who can log in to the system where the affected product is installed may be able to cause a denial-of-service (DoS) - CVE-2022-40140
* If certain traffic data is intercepted and decoded, some information related to the server may be obtained - CVE-2022-40141
* An attacker who can log in to the system where the affected product is installed may obtain the administrative privilege - CVE-2022-40142, CVE-2022-40143
* If a remote attacker sends a specially crafted request to the affected product, the product's login authentication may be bypassed - CVE-2022-40144
|
[Apply the Patch]
Apply the patch according to the information provided by the developer.
The developer has released the following patch to fix these vulnerabilities.
* Trend Micro Apex One On Premise (2019) Service Pack 1 b11092/11088
The issues in Trend Micro Apex One as a Service are already fixed in August 2022 updates.
[Apply the Workaround]
Applying the following workaround may mitigate the impact of these vulnerabilities.
* Permit access to the product only from the trusted network
|
Trend Micro, Inc.
|
- Improper Input Validation(CWE-20) [IPA Evaluation]
- Information Exposure(CWE-200) [IPA Evaluation]
- Permissions(CWE-264) [IPA Evaluation]
- Improper Authentication(CWE-287) [IPA Evaluation]
- Link Following(CWE-59) [IPA Evaluation]
|
- CVE-2022-40139
- CVE-2022-40140
- CVE-2022-40141
- CVE-2022-40142
- CVE-2022-40143
- CVE-2022-40144
|
- JVN : JVN#36454862
- National Vulnerability Database (NVD) : CVE-2022-40139
- National Vulnerability Database (NVD) : CVE-2022-40140
- National Vulnerability Database (NVD) : CVE-2022-40141
- National Vulnerability Database (NVD) : CVE-2022-40142
- National Vulnerability Database (NVD) : CVE-2022-40143
- National Vulnerability Database (NVD) : CVE-2022-40144
- IPA SECURITY ALERTS : JVN#36454862
- JPCERT : JPCERT-AT-2022-0023
- CISA Known Exploited Vulnerabilities Catalog : CVE-2022-40139
|
- [2022/09/14]
Web page was published
- [2024/06/13]
References : Contents were added
|