JVNDB-2024-003645

Multiple vulnerabilities in multiple Trend Micro products

Overview

Trend Micro Incorporated has released security updates for multiple Trend Micro products.

Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.

Affected Products


Trend Micro, Inc.
  • Apex One 2019 (On-prem) - CVE-2024-36302, CVE-2024-36303, CVE-2024-36304, CVE-2024-36305, CVE-2024-36306, CVE-2024-36307, CVE-2024-37289
  • Apex One as a Service - CVE-2024-36302, CVE-2024-36303, CVE-2024-36304, CVE-2024-36305, CVE-2024-36306, CVE-2024-36307, CVE-2024-37289
  • Deep Security Agent 20.x builds below 20.0.0.1-3180 - CVE-2024-36358
  • Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 versions before b3334 - CVE-2024-36359

Deep Security Agent is the agent software for Trend Micro Deep Security, Trend Micro Cloud One - Endpoint and Workload Security.

According to the developer, the following environments are not affected.
  • Deep Security Virtual Appliance (DSVA) and Windows virtual machines protected by DSVA
  • Deep Security Agent (for Linux)
  • Deep Security Agent (for Unix)

Impact

Apex One 2019 (On-prem), Apex One as a Service


  • Local privilege escalation due to an origin validation error vulnerability (CVE-2024-36302, CVE-2024-36303)

  • Local privilege escalation due to a Time-of-Check Time-of-Use (TOCTOU) vulnerability (CVE-2024-36304)

  • Local privilege escalation due to a link following vulnerability (CVE-2024-36305)

  • Denial of Service (DoS) attack due to a link following vulnerability in the damage cleanup engine (CVE-2024-36306)

  • Information disclosure due to a link following vulnerability (CVE-2024-36307)

  • Local privilege escalation due to an improper access control vulnerability (CVE-2024-37289)


Deep Security Agent


  • Local privilege escalation due to a link following vulnerability (CVE-2024-36358)


IWSVA


  • Local privilege escalation due to a cross-site scripting (XSS) vulnerability (CVE-2024-36359)

Solution

[Update the software]

Update the software to the latest version according to the information provided by Trend Micro Incorporated.



[Apply the Workaround]

Trend Micro Incorporated recommends applying mitigation measures.



For more information, refer to the information provided by Trend Micro Incorporated.

Vendor Information

Trend Micro, Inc.

CVE

  1. CVE-2024-36302
  2. CVE-2024-36303
  3. CVE-2024-36304
  4. CVE-2024-36305
  5. CVE-2024-36306
  6. CVE-2024-36307
  7. CVE-2024-37289
  8. CVE-2024-36358
  9. CVE-2024-36359

References

  1. JVN : JVNVU#99027428

Revision History

  • [2024/06/20]
      Web page was published