
JVNDB-2023-006199

Multiple security updates for Trend Micro Apex One and Apex One as a Service (November 2023)

Overview

Trend Micro Incorporated has released multiple security updates for Trend Micro Apex One and Apex One as a Service.

Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.

Affected Products


Trend Micro, Inc.
  • Apex One On Premise (2019)
  • Apex One as a Service

Impact

* Privilege escalation due to a link following vulnerability in the product's security agent - CVE-2023-47192
* Privilege escalation due to origin validation error vulnerabilities in the product's security agent - CVE-2023-47193, CVE-2023-47194, CVE-2023-47195, CVE-2023-47196, CVE-2023-47197, CVE-2023-47198, CVE-2023-47199
* Privilege escalation due to origin validation error vulnerabilities in the product's plug-in manager - CVE-2023-47200, CVE-2023-47201
* Privilege escalation due to a local file inclusion vulnerability in the product's management server - CVE-2023-47202

Solution

[Apply the Patch]
Apply the patch according to the information provided by the developer.
The developer has released the patch listed below that contains a fix for these vulnerabilities.

* Trend Micro Apex One On Premise (2019) SP1 CP 12526

The issue is fixed in the September 2023 Monthly Patch (202309) Agent Version: 14.0.12737 for Trend Micro Apex One as a Service.

[Apply the Workaround]
Applying the following workaround may mitigate the impact of these vulnerabilities.

* Restrict access to the product's administration console so that it is reachable only from the trusted network

Vendor Information

Trend Micro, Inc.

CWE

  1. No Mapping (CWE-noinfo) [Other]

CVE

  1. CVE-2023-47192
  2. CVE-2023-47193
  3. CVE-2023-47194
  4. CVE-2023-47195
  5. CVE-2023-47196
  6. CVE-2023-47197
  7. CVE-2023-47198
  8. CVE-2023-47199
  9. CVE-2023-47200
  10. CVE-2023-47201
  11. CVE-2023-47202

References

  1. JVN : JVNVU#98040889

Revision History

  • [2023/11/13]
      Web page was published