JVNVU#90577675
Trend Micro Apex One vulnerable to command injection
Overview
Trend Micro Apex One contains a command injection vulnerability.
Products Affected
- Apex One 2019
Description
Trend Micro Apex One contains a command injection vulnerability (CWE-77).
If this vulnerability is exploited, an authenticated user on the administrative console of Apex One may upload an arbitrary file to a specific folder.
Impact
A remote attacker with the privileges of the IUSR account may upload an arbitrary file to a specific folder and then execute it.
Solution
Apply the Patch
Apply the appropriate patch according to the information provided by the developer.
The developer has released the following patch to address this vulnerability.
- Apex One 2019 Critical Patch (Build 2049)
Vendor Status
Vendor | Link |
Trend Micro Incorporated | SECURITY BULLETIN: Trend Micro Apex One Arbitrary File Upload with Command Injection Vulnerability |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Attack Vector (AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity (AC) | High (H) | Low (L) | | |
Privileges Required (PR) | High (H) | Low (L) | None (N) | |
User Interaction (UI) | Required (R) | None (N) | | |
Scope (S) | Unchanged (U) | Changed (C) | | |
Confidentiality Impact (C) | None (N) | Low (L) | High (H) | |
Integrity Impact (I) | None (N) | Low (L) | High (H) | |
Availability Impact (A) | None (N) | Low (L) | High (H) | |

Access Vector (AV) | Local (L) | Adjacent Network (A) | Network (N) |
---|---|---|---|
Access Complexity (AC) | High (H) | Medium (M) | Low (L) |
Authentication (Au) | Multiple (M) | Single (S) | None (N) |
Confidentiality Impact (C) | None (N) | Partial (P) | Complete (C) |
Integrity Impact (I) | None (N) | Partial (P) | Complete (C) |
Availability Impact (A) | None (N) | Partial (P) | Complete (C) |
Credit
Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Trend Micro Incorporated coordinated under the Information Security Early Warning Partnership.
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2019-18188 |
JVN iPedia | |