JVNVU#94051551
Multiple Trend Micro products vulnerable to directory traversal
Overview
Multiple Trend Micro products vulnerable to directory traversal.
Products Affected
- Trend Micro Apex One as a Service prior to March 2019 Monthly Maintenance Release
- Trend Micro Apex One B1066 and earlier
- Trend Micro OfficeScan XG (Version 12.0) and 11.0 SP1
- Trend Micro Worry-Free Business Security 10.0, 9.5 and 9.0 SP3
Description
Trend Micro Apex One as a Service, Trend Micro Apex One, Trend Micro OfficeScan and Trend Micro Worry-Free Business Security provided by Trend Micro Incorporated contain a directory traversal vulnerability (CWE-22).
Impact
A remote attacker may modify arbitrary files on the server running Trend Micro OfficeScan or Trend Micro Worry-Free Business Security.
Solution
Apply the Patch
Apply the patch according to the information provided by the developer.
The developer has released the following patches to address this vulnerability.
Trend Micro Apex One as a Service:
- Trend Micro Apex One as a Service March 2019 Monthly Maintenance Release
- Trend Micro Apex One Build 1071 (repack)
- Trend Micro Apex One Critical Patch (Build 1101)
- Trend Micro OfficeScan XG Service Pack 1 Critical Patch (Build 5338)
- Trend Micro OfficeScan XG (non SP1) Critical Patch (Build 1933)
- Trend Micro OfficeScan 11.0 Service Pack 1 Critical Patch (Build 6598)
- Trend Micro Worry-Free Business Security 10.0 Patch (Build 1531)
- Trend Micro Worry-Free Business Security 9.5 Critical Patch (Build 1487)
- Trend Micro Worry-Free Business Security 9.0 Service Pack 3 Critical Patch (Build 4394)
Vendor Status
Vendor | Link |
Trend Micro Incorporated | SECURITY BULLETIN: Directory Traversal Vulnerability in Trend Micro Apex One, OfficeScan and Worry-Free Business Security |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Attack Vector (AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity (AC) | High (H) | Low (L) | | |
Privileges Required (PR) | High (H) | Low (L) | None (N) | |
User Interaction (UI) | Required (R) | None (N) | | |
Scope (S) | Unchanged (U) | Changed (C) | | |
Confidentiality Impact (C) | None (N) | Low (L) | High (H) | |
Integrity Impact (I) | None (N) | Low (L) | High (H) | |
Availability Impact (A) | None (N) | Low (L) | High (H) | |

Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
---|---|---|---|
Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
Authentication(Au) | Multiple (M) | Single (S) | None (N) |
Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
Other Information
CVE | CVE-2019-9489 |