Published: 2024/06/19  Last Updated: 2024/06/19

JVNVU#99027428
Multiple vulnerabilities in multiple Trend Micro products

Overview

Trend Micro Incorporated has released security updates for multiple Trend Micro products.

Products Affected

CVE-2024-36302, CVE-2024-36303, CVE-2024-36304, CVE-2024-36305, CVE-2024-36306, CVE-2024-36307, CVE-2024-37289

  • Apex One 2019 (On-prem)
  • Apex One as a Service

CVE-2024-36358

  • Deep Security Agent 20.x builds below 20.0.0.1-3180

Deep Security Agent is the agent software for Trend Micro Deep Security, Trend Micro Cloud One - Endpoint and Workload Security.
According to the developer, the following environments are not affected:

  • Deep Security Virtual Appliance (DSVA) and Windows virtual machines protected by DSVA
  • Deep Security Agent (for Linux)
  • Deep Security Agent (for Unix)

CVE-2024-36359

  • InterScan Web Security Virtual Appliance (IWSVA) 6.5 versions before b3334

Description

Trend Micro Incorporated has released security updates for multiple Trend Micro products.

Impact

Apex One 2019 (On-prem), Apex One as a Service

  • Local privilege escalation due to an origin validation error vulnerability (CVE-2024-36302, CVE-2024-36303)
  • Local privilege escalation due to a Time-of-Check Time-of-Use (TOCTOU) vulnerability (CVE-2024-36304)
  • Local privilege escalation due to a link following vulnerability (CVE-2024-36305)
  • Denial of Service (DoS) attack due to a link following vulnerability in the damage cleanup engine (CVE-2024-36306)
  • Information disclosure due to a link following vulnerability (CVE-2024-36307)
  • Local privilege escalation due to an improper access control vulnerability (CVE-2024-37289)

Deep Security Agent

  • Local privilege escalation due to a link following vulnerability (CVE-2024-36358)

IWSVA

  • Local privilege escalation due to cross-site scripting (XSS) (CVE-2024-36359)

Solution

Update the software
Update the software to the latest version according to the information provided by Trend Micro Incorporated.

Apply the Workaround
Trend Micro Incorporated recommends applying mitigation measures.

For more information, refer to the information provided by Trend Micro Incorporated.

Credit

Trend Micro Incorporated reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.
