Published:2023/03/01 Last Updated:2023/03/01
JVNVU#96221942
Multiple vulnerabilities in Trend Micro Apex One and Apex One as a Service
Overview
Trend Micro Incorporated has released security updates for Apex One and Apex One as a Service.
Products Affected
- Apex One On Premise (2019)
- Apex One as a Service
Description
Trend Micro Incorporated has released security updates for Apex One and Apex One as a Service.
Impact
- Uploading of a large number of files to fill up the file system on the affected server - CVE-2023-0587
- Arbitrary code execution due to an uncontrolled search path element vulnerability - CVE-2023-25143
- Privilege escalation due to an incorrect access control vulnerability - CVE-2023-25144
- Privilege escalation due to a link following vulnerability - CVE-2023-25145
- Quarantining of a file, deletion of the original folder and replacing with a junction to an arbitrary location due to a link following vulnerability - CVE-2023-25146
- Agent protection bypass - CVE-2023-25147
- Privilege escalation using symbolic links due to a link following vulnerability - CVE-2023-25148
Solution
Apply the Patch
Apply the patch according to the information provided by the developer.
The developer has released the following patch to fix these vulnerabilities.
- Trend Micro Apex One On Premise (2019) Service Pack 1 b11564 (repack)
Apply the Workaround
Applying the following workaround may mitigate the impact of these vulnerabilities.
- Permit access to the product only from the trusted network
Vendor Status
| Vendor | Link |
| Trend Micro Incorporated | SECURITY BULLETIN: February 2023 Security Bulletin for Trend Micro Apex One |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.