==================================================================== CERT-Renater Note d'Information No. 2018/VULN072 _____________________________________________________________________ DATE : 23/02/2018 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running McAfee ePolicy Orchestrator versions 5.3.3, 5.3.2, 5.3.1, 5.3.0, 5.9.10, 5.9.1. ===================================================================== https://kc.mcafee.com/corporate/index?page=content&id=SB10225 _____________________________________________________________________ McAfee Security Bulletin - ePolicy Orchestrator update fixes multiple Java vulnerabilities First Published: February 20, 2018 Impact of Vulnerability: Unauthorized Access Denial of Service (CWE-730, OWASP 2004:A9) CVE Numbers: CVE-2018-2633 CVE-2018-2637 CVE-2018-2582 CVE-2018-2618 CVE-2018-2629 CVE-2018-2603 CVE-2018-2657 CVE-2018-2599 CVE-2018-2678 CVE-2018-2588 CVE-2018-2663 CVE-2018-2579 Severity Rating: High, Medium, Low CVSS v3 Base and Overall Scores: CVE-2018-2633: 8.3/7.2 CVE-2018-2637: 7.4/6.4 CVE-2018-2582: 6.5/5.7 CVE-2018-2618: 5.9/5.2 CVE-2018-2629: 5.3/4.6 CVE-2018-2603: 5.3/4.6 CVE-2018-2657: 5.3/4.6 CVE-2018-2599: 4.8/4.2 CVE-2018-2678: 4.3/3.8 CVE-2018-2588: 4.3/3.8 CVE-2018-2663: 4.3/3.8 CVE-2018-2579: 3.7/3.2 Recommendations: Apply the hotfix specified in the Remediation table Replacement: None Affected Software: • ePolicy Orchestrator (ePO) 5.3.3, 5.3.2, 5.3.1, and 5.3.0 • ePO 5.9.1 and 5.9.0 Location of updated software: http://www.mcafee.com/us/downloads/downloads.aspx Vulnerability Description ePO is vulnerable to the Java CVEs mentioned above. This ePO update resolves the following issues: 1) CVE-2018-2633 Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2633 2) CVE-2018-2637 Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized creation, deletion, or modification access to critical data or all Java SE accessible data as well as unauthorized access to critical data or complete access to all Java SE accessible data. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2637 3) CVE-2018-2582 Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion, or modification access to critical data or all Java SE accessible data. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2582 4) CVE-2018-2618 Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE accessible data. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2618 5) CVE-2018-2629 Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion, or modification access to critical data or all Java SE accessible data. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2629 6) CVE-2018-2603 Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2603 7) CVE-2018-2657 Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2657 8) CVE-2018-2599 Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert, or delete access to some of Java SE accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2599 9) CVE-2018-2678 Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2678 10) CVE-2018-2588 Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2588 11) CVE-2018-2663 Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2663 12) CVE-2018-2579 Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2579 Affected Components: • ePO Java core web services Remediation To remediate this issue: • Users of ePO 5.3.2 or earlier are recommended to upgrade to ePO 5.3.3 or 5.9.1 and apply EPO5xHF1225856. • Users of ePO 5.3.3 are recommended to apply EPO5xHF1225856. • Users of ePO 5.9.0 are recommended to upgrade to ePO 5.9.1 and apply EPO5xHF1225856. • Users of ePO 5.9.1 are recommended to apply EPO5xHF1225856. Go to the Product Downloads site and download the applicable product hotfix files. Download and Installation Instructions See KB56057 for instructions on how to download McAfee products, documentation, security updates, patches, and hotfixes. Review the Release Notes and the Installation Guide, which you can download from the Documentation tab, for instructions on how to install these updates. Product Specific Notes ePO 5.1.x reached End of Life on December 31, 2017. McAfee highly recommends that all customers upgrade to ePO 5.3.x or 5.9.x. Workaround None. McAfee strongly encourages installing the latest ePO hotfix specified in the Remediation table. Acknowledgements None. 1.) CVE-2018-2633:McAfeeePOandJava NOTE: The below CVSS version 3.0 vector was used to generate this score. https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C 2.) CVE-2018-2637:McAfeeePOandJava NOTE: The below CVSS version 3.0 vector was used to generate this score. https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C 3.) CVE-2018-2582:McAfeeePOandJava NOTE: The below CVSS version 3.0 vector was used to generate this score. https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C 4.) CVE-2018-2618:McAfeeePOandJava NOTE: The below CVSS version 3.0 vector was used to generate this score. https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C 5.) CVE-2018-2629:McAfeeePOandJava NOTE: The below CVSS version 3.0 vector was used to generate this score. https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C 6.) CVE-2018-2603: McAfee ePO and Java NOTE: The below CVSS version 3.0 vector was used to generate this score. https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C 7.) CVE-2018-2657: McAfee ePO and Java NOTE: The below CVSS version 3.0 vector was used to generate this score. https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C 8.) CVE-2018-2599: McAfee ePO and Java NOTE: The below CVSS version 3.0 vector was used to generate this score. https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L/E:U/RL:O/RC:C 9.) CVE-2018-2678: McAfee ePO and Java NOTE: The below CVSS version 3.0 vector was used to generate this score. https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C 10.) CVE-2018-2588: McAfee ePO and Java NOTE: The below CVSS version 3.0 vector was used to generate this score. https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C 11.) CVE-2018-2663: McAfee ePO and Java NOTE: The below CVSS version 3.0 vector was used to generate this score. https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C 12.) CVE-2018-2579: McAfee ePO and Java NOTE: The below CVSS version 3.0 vector was used to generate this score. https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C ========================================================== + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: cert@support.renater.fr + ==========================================================