Published: 2018/01/16  Last Updated: 2018/01/16

JVNVU#91290407
Trend Micro Control Manager vulnerable to SQL injection

Overview

Trend Micro Control Manager contains multiple SQL injection vulnerabilities.

Products Affected

  • Trend Micro Control Manager Version 6.0 prior to build 3506

Description

Trend Micro Control Manager contains multiple SQL injection vulnerabilities.

Impact

  • An unauthenticated user may access and read files stored on the server
  • A remote attacker may execute arbitrary code, escalate privileges or perform directory traversal attacks
  • A remote attacker may perform SQL injection attacks and upload/execute arbitrary code

Solution

Apply the Patch
Apply the patch according to the information provided by the developer.
The developer has released Trend Micro Control Manager 6.0 Service Pack 3 Patch 2 Critical Patch (build 3506) to address these vulnerabilities.

References

JPCERT/CC Addendum

This advisory refers to the vulnerabilities disclosed in the TippingPoint Zero Day Initiative advisories listed below.

ZDI-17-180 ZDI-17-181 ZDI-17-182 ZDI-17-183 ZDI-17-184 ZDI-17-185 ZDI-17-186

Credit

Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
