Published: 2022/10/19 Last Updated: 2022/10/19
JVNVU#97131578
Multiple vulnerabilities in Trend Micro Apex One and Apex One as a Service
Overview
Trend Micro Incorporated has released security updates for Apex One and Apex One as a Service.
Products Affected
- Apex One On Premise (2019)
- Apex One as a Service
Description
Trend Micro Incorporated has released security updates for Apex One and Apex One as a Service.
Impact
- Privilege escalation due to a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability
- Privilege escalation due to an Out-of-Bounds access vulnerability
- Privilege escalation due to a forced browsing vulnerability
- Privilege escalation due to an improper certificate validation vulnerability
- Bypass of the product's anti-tampering mechanisms due to an improper registry permissions vulnerability in the Trend Micro Apex One Data Loss Prevention (DLP) module
- Privilege escalation due to an origin validation error vulnerability
Solution
Apply the Patch
Apply the patch according to the information provided by the developer.
The developer has released the following patch to fix these vulnerabilities.
- Trend Micro Apex One On Premise (2019) Service Pack 1 Critical Patch b11110/11102
Apply the Workaround
Applying the following workaround may mitigate the impact of these vulnerabilities.
- Permit access to the product only from the trusted network
Vendor Status
Vendor | Link |
Trend Micro Incorporated | CRITICAL SECURITY BULLETIN: October 2022 Security Bulletin for Trend Micro Apex One |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.