Published: 2019/11/26 Last Updated: 2019/11/27
JVNVU#94282488
Multiple vulnerabilities in multiple Trend Micro products
Overview
Multiple Trend Micro products contain multiple vulnerabilities.
Products Affected
- Trend Micro Deep Security Manager 12.0, 11.0 and 10.0
- Trend Micro Deep Security Agent 12.0, 11.0 and 10.0
- Trend Micro Vulnerability Protection Manager 2.0
Description
- Initial LDAP communication of Trend Micro Deep Security Manager and Trend Micro Vulnerability Protection Manager may be transmitted in clear text - CVE-2019-15626
  CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N Base Score: 6.8
  CVSS v2 AV:N/AC:H/Au:N/C:C/I:N/A:N Base Score: 5.4
- Arbitrary files may be deleted on the server where Trend Micro Deep Security Agent is installed - CVE-2019-15627
  CVSS v3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H Base Score: 6.1
  CVSS v2 AV:L/AC:L/Au:S/C:N/I:P/A:C Base Score: 5.2
Impact
- Initial LDAP communication may be sent in clear text, resulting in information disclosure - CVE-2019-15626
- Arbitrary files may be deleted on the server where Trend Micro Deep Security Agent is installed - CVE-2019-15627
Solution
Update the Software or Apply the Patch
Update to the latest version or apply the appropriate patch according to the information provided by the developer.
Vendor Status
Vendor | Link |
Trend Micro Incorporated | SECURITY BULLETIN: Trend Micro Deep Security StartTLS LDAP Confidentiality and Local Arbitrary File Overwrite Vulnerabilities |
Credit
Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Trend Micro Incorporated coordinated under the Information Security Early Warning Partnership.
Other Information
CVE | CVE-2019-15626, CVE-2019-15627 |
Update History
- 2019/11/27
- Fixed the CVSS scores for CVE-2019-15627