Published: 2019/11/05  Last Updated: 2019/11/05

JVNVU#90577675
Trend Micro Apex One vulnerable to command injection

Overview

Trend Micro Apex One contains a command injection vulnerability.

Products Affected

  • Apex One 2019

Description

Trend Micro Apex One contains a command injection vulnerability (CWE-77).
If this vulnerability is exploited, an authenticated user on the administrative console of Apex One may upload an arbitrary file to a specific folder.

Impact

A remote attacker with the privileges of the IUSR account may upload an arbitrary file to a specific folder and then execute it.

Solution

Apply the Patch
Apply the appropriate patch according to the information provided by the developer.
The developer has released the following patch to address this vulnerability.

  • Apex One 2019 Critical Patch (Build 2049)

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Base Score: 8.2

  • Attack Vector (AV): Adjacent (A)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality Impact (C): High (H)
  • Integrity Impact (I): Low (L)
  • Availability Impact (A): Low (L)

CVSS v2 AV:A/AC:L/Au:S/C:P/I:P/A:P
Base Score: 5.2

  • Access Vector (AV): Adjacent Network (A)
  • Access Complexity (AC): Low (L)
  • Authentication (Au): Single (S)
  • Confidentiality Impact (C): Partial (P)
  • Integrity Impact (I): Partial (P)
  • Availability Impact (A): Partial (P)

Credit

Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Trend Micro Incorporated coordinated under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2019-18188