Published: 2016/06/02  Last Updated: 2016/06/02

JVN#48847535
Trend Micro enterprise products multiple vulnerabilities

Overview

Multiple enterprise products provided by Trend Micro Incorporated contain multiple vulnerabilities.

Products Affected

  • Office Scan 11.0 (CVE-2016-1223)
  • Worry-Free Business Security 9.0 (CVE-2016-1223, CVE-2016-1224)
  • Worry-Free Business Security Service 5.x (CVE-2016-1223, CVE-2016-1224)

Description

Multiple enterprise products provided by Trend Micro Incorporated contain the following vulnerabilities.

  • Directory Traversal - CVE-2016-1223
    CVSS v3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Base Score: 4.3
    CVSS v2 AV:A/AC:L/Au:N/C:P/I:N/A:N Base Score: 3.3
  • HTTP Header Injection - CVE-2016-1224
    CVSS v3 CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 5.2
    CVSS v2 AV:A/AC:M/Au:N/C:N/I:P/A:N Base Score: 2.9

According to the developer, exploiting these vulnerabilities requires access to the LAN environment of the user.

Impact

An attacker that can access the user's LAN environment may be able to read files on the device. (CVE-2016-1223)
An arbitrary script may be executed in the user's web browser. (CVE-2016-1224)
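The advisory names the two bug classes but, as is usual for JVN notes, does not describe the affected endpoints. The following is an added, generic illustration of both classes and of the checks that close them; it is not Trend Micro's code and makes no claim about where the bugs are in the products. The document root "/srv/webroot" and the header values are constructed for the example. The header-injection half shows why a header injection is reported with a browser-script impact: a CRLF inside a reflected header value ends the header block, so whatever follows is rendered as the response body.

```python
import os

# ---------- Directory traversal (CVE class of CVE-2016-1223) ----------

def unsafe_resolve(root, relpath):
    """Naive join: '..' segments in relpath walk straight out of root."""
    return os.path.normpath(os.path.join(root, relpath))


def resolve_under_root(root, relpath):
    """Resolve relpath and refuse anything that does not stay inside root.

    realpath() normalises '..' and follows symlinks on both sides, so a
    symlink inside root that points outside is caught as well as '../'."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, relpath))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError("path escapes document root: %r" % relpath)
    return candidate


def stays_under_root(root, relpath):
    """True if resolve_under_root() accepts relpath, False if it rejects it."""
    try:
        resolve_under_root(root, relpath)
        return True
    except PermissionError:
        return False


# ---------- HTTP header injection (CVE class of CVE-2016-1224) ----------

def unsafe_redirect(location):
    """Copies an attacker-influenced value straight into a header line."""
    return "HTTP/1.1 302 Found\r\nLocation: %s\r\n\r\n" % location


def safe_redirect(location):
    """Rejects CR/LF and other control characters before building the header."""
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in location):
        raise ValueError("control character in header value")
    return "HTTP/1.1 302 Found\r\nLocation: %s\r\n\r\n" % location


def parse_response(raw):
    """Split a raw HTTP response the way a client does: status, header names, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    header_names = [line.split(":", 1)[0] for line in lines[1:]]
    return lines[0], header_names, body


# Constructed inputs for the example.
ROOT = "/srv/webroot"
TRAVERSAL = "../../etc/passwd"
INJECTED = "http://example.com/\r\nSet-Cookie: session=attacker\r\n\r\n<script>alert(1)</script>"

if __name__ == "__main__":
    print("naive join resolves to:", unsafe_resolve(ROOT, TRAVERSAL))
    print("hardened check accepts traversal:", stays_under_root(ROOT, TRAVERSAL))
    status, names, body = parse_response(unsafe_redirect(INJECTED))
    print("headers a client sees after injection:", names)
    print("body a client renders:", body)
    try:
        safe_redirect(INJECTED)
    except ValueError as exc:
        print("hardened redirect rejected value:", exc)
```

The traversal check compares resolved absolute paths rather than looking for the literal string "..", which is what catches encoded or symlink-based variants; the header check refuses the value outright instead of stripping characters, because stripping invites double-encoding bypasses.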

Solution

If using Office Scan 11.0:
Apply the Update Module
Contact the developer's support center and inquire about the Update Module (HotFix).
According to the developer, applying the Critical Patch planned for release at the end of June 2016 will also address the vulnerability.

If using Worry-Free Business Security 9.0:
Update the software
According to the developer, applying Service Pack 3 planned for release at the end of June 2016 will address the vulnerabilities.

If using Worry-Free Business Security Service 5.x:
Update the Software
Update the software according to the information provided by the developer.

Credit

Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Trend Micro Incorporated coordinated under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2016-1223, CVE-2016-1224
JVN iPedia: JVNDB-2016-000074, JVNDB-2016-000089