JVNDB-2023-002100

Security updates for multiple Trend Micro products for enterprises (June 2023)

Overview

Trend Micro Incorporated has released security updates for multiple Trend Micro products for enterprises. For more details, refer to the information provided by the developer.

Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.

CVSS Severity

CVSS V3 Severity:
Base Metrics 9.8 (Critical) [NVD Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Affected Products

Trend Micro, Inc.
  • Apex Central
  • Apex One
  • Apex One as a Service
  • Trend Micro Mobile Security 9.8 SP5

Impact

Mobile Security (Enterprise) 9.8 SP5
Arbitrary file deletion due to unauthenticated path traversal - CVE-2023-32521
Arbitrary file deletion due to authenticated path traversal - CVE-2023-32522
Unauthorized access due to authentication bypass - CVE-2023-32523, CVE-2023-32524
Unrestricted file upload - CVE-2023-32525, CVE-2023-32526
Arbitrary command execution due to local file inclusion - CVE-2023-32527, CVE-2023-32528

Apex One 2019 (On-prem), Apex One as a Service
Registry key removal due to privilege escalation - CVE-2023-30902
Information disclosure due to improper access control - CVE-2023-32552, CVE-2023-32553
Privilege escalation due to Time-of-check Time-of-use (TOCTOU) vulnerability - CVE-2023-32554, CVE-2023-32555
Information disclosure due to link following vulnerability - CVE-2023-32556
Code execution due to path traversal vulnerability - CVE-2023-32557
Privilege escalation due to untrusted search path vulnerability - CVE-2023-34144, CVE-2023-34145
Privilege escalation due to exposure of dangerous method/function vulnerability - CVE-2023-34146, CVE-2023-34147, CVE-2023-34148

Apex Central 2019 (On-prem)
Code execution due to SQL injection - CVE-2023-32529, CVE-2023-32530
Code execution due to XSS - CVE-2023-32531, CVE-2023-32532, CVE-2023-32533, CVE-2023-32534, CVE-2023-32535
Reflected XSS under authenticated conditions due to user input validation and sanitization issues - CVE-2023-32536, CVE-2023-32537, CVE-2023-32604, CVE-2023-32605

Solution

[Update the Software and Apply Additional Configuration]
Update the software to the latest version according to the information provided by the developer.
The issues in Apex One as a Service are fixed in the April and May 2023 Maintenance.

After the updates, apply the additional configuration as a countermeasure against CVE-2023-32552 and CVE-2023-32553.
For details, refer to the information provided by the developer.

Vendor Information

Trend Micro, Inc.

CWE

  1. Path Traversal (CWE-22) [NVD Evaluation]
  2. Improper Authentication (CWE-287) [NVD Evaluation]
  3. No Mapping (CWE-noinfo) [NVD Evaluation]
  4. Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) [NVD Evaluation]
  5. Link Following (CWE-59) [NVD Evaluation]
  6. Untrusted Search Path (CWE-426) [NVD Evaluation]
  7. Improper Privilege Management (CWE-269) [NVD Evaluation]
  8. SQL Injection (CWE-89) [NVD Evaluation]
  9. Cross-site Scripting (CWE-79) [NVD Evaluation]
  10. No Mapping (CWE-Other) [NVD Evaluation]

CVE

  1. CVE-2023-32521
  2. CVE-2023-32522
  3. CVE-2023-32523
  4. CVE-2023-32524
  5. CVE-2023-32525
  6. CVE-2023-32526
  7. CVE-2023-32527
  8. CVE-2023-32528
  9. CVE-2023-30902
  10. CVE-2023-32552
  11. CVE-2023-32553
  12. CVE-2023-32554
  13. CVE-2023-32555
  14. CVE-2023-32556
  15. CVE-2023-32557
  16. CVE-2023-34144
  17. CVE-2023-34145
  18. CVE-2023-34146
  19. CVE-2023-34147
  20. CVE-2023-34148
  21. CVE-2023-32529
  22. CVE-2023-32530
  23. CVE-2023-32531
  24. CVE-2023-32532
  25. CVE-2023-32533
  26. CVE-2023-32534
  27. CVE-2023-32535
  28. CVE-2023-32536
  29. CVE-2023-32537
  30. CVE-2023-32604
  31. CVE-2023-32605

References

  1. JVN : JVNVU#91852506
  2. JVN : JVNVU#93384719
  3. National Vulnerability Database (NVD) : CVE-2023-30902
  4. National Vulnerability Database (NVD) : CVE-2023-32521
  5. National Vulnerability Database (NVD) : CVE-2023-32522
  6. National Vulnerability Database (NVD) : CVE-2023-32523
  7. National Vulnerability Database (NVD) : CVE-2023-32524
  8. National Vulnerability Database (NVD) : CVE-2023-32525
  9. National Vulnerability Database (NVD) : CVE-2023-32526
  10. National Vulnerability Database (NVD) : CVE-2023-32527
  11. National Vulnerability Database (NVD) : CVE-2023-32528
  12. National Vulnerability Database (NVD) : CVE-2023-32552
  13. National Vulnerability Database (NVD) : CVE-2023-32553
  14. National Vulnerability Database (NVD) : CVE-2023-32554
  15. National Vulnerability Database (NVD) : CVE-2023-32555
  16. National Vulnerability Database (NVD) : CVE-2023-32556
  17. National Vulnerability Database (NVD) : CVE-2023-32557
  18. National Vulnerability Database (NVD) : CVE-2023-34144
  19. National Vulnerability Database (NVD) : CVE-2023-34145
  20. National Vulnerability Database (NVD) : CVE-2023-34146
  21. National Vulnerability Database (NVD) : CVE-2023-34147
  22. National Vulnerability Database (NVD) : CVE-2023-32529
  23. National Vulnerability Database (NVD) : CVE-2023-32530
  24. National Vulnerability Database (NVD) : CVE-2023-32531
  25. National Vulnerability Database (NVD) : CVE-2023-32532
  26. National Vulnerability Database (NVD) : CVE-2023-32533
  27. National Vulnerability Database (NVD) : CVE-2023-32534
  28. National Vulnerability Database (NVD) : CVE-2023-32535
  29. National Vulnerability Database (NVD) : CVE-2023-32536
  30. National Vulnerability Database (NVD) : CVE-2023-32537
  31. National Vulnerability Database (NVD) : CVE-2023-32604
  32. National Vulnerability Database (NVD) : CVE-2023-32605
  33. National Vulnerability Database (NVD) : CVE-2023-34148

Revision History

  • [2023/06/14]
      Web page was published
  • [2023/07/25]
      References : Content was added
  • [2024/05/23]
      CVSS Severity was modified
      CWE was modified
      References : Contents were added