[Japanese]
|
JVNDB-2023-001292
|
Multiple vulnerabilities in Trend Micro Apex One and Apex One as a Service
|
Trend Micro Incorporated has released security updates for Apex One and Apex One as a Service.
Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.
|
CVSS V3 Severity: Base Metrics 9.8 (Critical) [NVD Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
|
|
Trend Micro, Inc.
- Apex One On Premise (2019)
- Apex One as a Service
|
|
* Uploading of a large number of files to fill up the file system on the affected server - CVE-2023-0587
* Arbitrary code execution due to an uncontrolled search path element vulnerability - CVE-2023-25143
* Privilege escalation due to an incorrect access control vulnerability - CVE-2023-25144
* Privilege escalation due to a link following vulnerability - CVE-2023-25145
* Quarantining of a file, deletion of the original folder and replacing with a junction to an arbitrary location due to a link following vulnerability - CVE-2023-25146
* Agent protection bypass - CVE-2023-25147
* Privilege escalation using symbolic links due to a link following vulnerability - CVE-2023-25148
|
[Apply the Patch]
Apply the patch according to the information provided by the developer.
The developer has released the following patch to fix these vulnerabilities.
* Trend Micro Apex One On Premise (2019) Service Pack 1 b11564 (repack)
The issues in Trend Micro Apex One as a Service are already fixed in January 2023 updates (Agent 14.0.11960).
[Apply the Workaround]
Applying the following workaround may mitigate the impact of these vulnerabilities.
* Permit access to the product only from the trusted network
|
Trend Micro, Inc.
|
- Unrestricted Upload of File with Dangerous Type(CWE-434) [NVD Evaluation]
- Uncontrolled Search Path Element(CWE-427) [NVD Evaluation]
- No Mapping(CWE-Other) [NVD Evaluation]
- Link Following(CWE-59) [NVD Evaluation]
|
- CVE-2023-0587
- CVE-2023-25143
- CVE-2023-25144
- CVE-2023-25145
- CVE-2023-25146
- CVE-2023-25147
- CVE-2023-25148
|
- JVN : JVNVU#96221942
- National Vulnerability Database (NVD) : CVE-2023-0587
- National Vulnerability Database (NVD) : CVE-2023-25143
- National Vulnerability Database (NVD) : CVE-2023-25144
- National Vulnerability Database (NVD) : CVE-2023-25145
- National Vulnerability Database (NVD) : CVE-2023-25146
- National Vulnerability Database (NVD) : CVE-2023-25147
- National Vulnerability Database (NVD) : CVE-2023-25148
|
- [2023/03/02]
Web page was published
- [2024/06/07]
CVSS Severity was modified
References : Contents were added
CWE was modified
|