[Japanese]

JVNDB-2023-006199

Multiple security updates for Trend Micro Apex One and Apex One as a Service (November 2023)

Overview

Trend Micro Incorporated has released multiple security updates for Trend Micro Apex One and Apex One as a Service.

Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 7.8 (High) [NVD Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
Affected Products


Trend Micro, Inc.
  • Apex One On Premise (2019)
  • Apex One as a Service

Impact

* Privilege escalation due to a link following vulnerability in the product's security agent - CVE-2023-47192
* Privilege escalation due to origin validation error vulnerabilities in the product's security agent - CVE-2023-47193, CVE-2023-47194, CVE-2023-47195, CVE-2023-47196, CVE-2023-47197, CVE-2023-47198, CVE-2023-47199
* Privilege escalation due to origin validation error vulnerabilities in the product's plug-in manager - CVE-2023-47200, CVE-2023-47201
* Privilege escalation due to a local file inclusion vulnerability in the product's management server - CVE-2023-47202
Solution

[Apply the Patch]
Apply the patch according to the information provided by the developer.
The developer has released the patch listed below that contains a fix for these vulnerabilities.

* Trend Micro Apex One On Premise (2019) SP1 CP 12526

The issue is fixed in the September 2023 Monthly Patch (202309) Agent Version: 14.0.12737 for Trend Micro Apex One as a Service.

[Apply the Workaround]
Applying the following workaround may mitigate the impact of these vulnerabilities.

* Restrict access to the product's administration console only from the trusted network
Vendor Information

Trend Micro, Inc.
CWE (What is CWE?)

  1. No Mapping(CWE-noinfo) [Other]
CVE (What is CVE?)

  1. CVE-2023-47192
  2. CVE-2023-47193
  3. CVE-2023-47194
  4. CVE-2023-47195
  5. CVE-2023-47196
  6. CVE-2023-47197
  7. CVE-2023-47198
  8. CVE-2023-47199
  9. CVE-2023-47200
  10. CVE-2023-47201
  11. CVE-2023-47202
References

  1. JVN : JVNVU#98040889
  2. National Vulnerability Database (NVD) : CVE-2023-47192
  3. National Vulnerability Database (NVD) : CVE-2023-47193
  4. National Vulnerability Database (NVD) : CVE-2023-47194
  5. National Vulnerability Database (NVD) : CVE-2023-47195
  6. National Vulnerability Database (NVD) : CVE-2023-47196
  7. National Vulnerability Database (NVD) : CVE-2023-47197
  8. National Vulnerability Database (NVD) : CVE-2023-47198
  9. National Vulnerability Database (NVD) : CVE-2023-47199
  10. National Vulnerability Database (NVD) : CVE-2023-47200
  11. National Vulnerability Database (NVD) : CVE-2023-47201
  12. National Vulnerability Database (NVD) : CVE-2023-47202
Revision History

  • [2023/11/13]
      Web page was published
  • [2024/03/13]
      CVSS Severity was modified
      References : Contents were added

Date Public2023/11/10
Date First Published2023/11/13
Date Last Updated2024/03/13