Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT Security Bulletin ASB-2014.0063 McAfee Security Bulletin - McAfee ePO update fixes multiple vulnerabilities reported by Oracle 23 May 2014 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: McAfee ePolicy Orchestrator Operating System: Windows Server 2003 Windows Server 2008 Windows Server 2008 R2 VMware ESX Server Citrix XenServer Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Access Privileged Data -- Remote/Unauthenticated Modify Arbitrary Files -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2014-0460 CVE-2014-0457 CVE-2014-0453 CVE-2014-0429 CVE-2013-6954 CVE-2013-6629 Member content until: Sunday, June 22 2014 Reference: ASB-2014.0053 ESB-2014.0741 ESB-2014.0740 ESB-2014.0727 OVERVIEW A number of vulnerabilities have been identified in McAfee ePolicy Orchestrator prior to version 4.5.7, 4.6.7 and 5.1.0. [1] IMPACT The vendor has provided the following details regarding these vulnerabilities: "Six of the CVEs reported below in Oracle’s April 15th, 2014 Java SE update 55 affects ePO. This Oracle Java update resolves the following issues. CVE-2014-0429 CVE-2014-0457 CVE-2014-0460 CVE-2013-6954 CVE-2013-6629 CVE-2014-0453 CVE-2014-0429 McAfee ePO and Oracle JRE (Base CVSS Score = 10.0) Per information in http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html , this applies to client and server deployments of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVE-2014-0457 McAfee ePO and Oracle JRE (Base CVSS Score = 10.0) Unspecified (Libraries) vulnerability in Oracle Java SE 5.0u61, SE 6u71, 7u51, and 8; JRockit R27.8.1 and R28.3.1; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. CVE-2014-0460 McAfee ePO and Oracle JRE (Base CVSS Score = 5.8) Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JRockit R27.8.1 and R28.3.1; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality and integrity via vectors related to JNDI. CVE-2013-6954 McAfee ePO and Oracle JRE (Base CVSS Score = 5.0) The png_do_expand_palette function in libpng before 1.6.8 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via (1) a PLTE chunk of zero bytes or (2) a NULL palette, related to pngrtran.c and pngset.c. CVE-2013-6629 McAfee ePO and Oracle JRE (Base CVSS Score = 5.0) The get_sos function in jdmarker.c in (1) libjpeg 6b and (2) libjpeg-turbo through 1.3.0, as used in Google Chrome before 31.0.1650.48, Ghostscript, and other products, does not check for certain duplications of component data during the reading of segments that follow Start Of Scan (SOS) JPEG markers, which allows remote attackers to obtain sensitive information from uninitialized memory locations via a crafted JPEG image. CVE-2014-0453 McAfee ePO and Oracle JRE (Base CVSS Score = 4.0) Unspecified (Security) vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JRockit R27.8.1 and R28.3.1; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Security. CWE-200 An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information. http://cwe.mitre.org/data/definitions/200.html " [1] MITIGATION The vendor recommends applying the appropriate patch or upgrading to the latest release to correct these issues. [1] REFERENCES [1] McAfee Security Bulletin - McAfee ePO update fixes multiple vulnerabilities reported by Oracle https://kc.mcafee.com/corporate/index?page=content&id=SB10072 AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBU37bphLndAQH1ShLAQIhUQ/9ErIUEK8hOLi7eAkucnez+Foc/OhybHW2 6L76Hv4mSuZkjPbV0EREbv76D/mgdLlFLxEe0s9VWMwoML3hWhQ+vq3X2QcYxl2H iwsCuwKhHwsvvBMhLxignBEHtOT4ru/DQJFPkDWtzfrxAYsufkl+WEdxUcVh1zOD 3EShLQ3o1hPo7WAfED6/aZzvibKl+GIE7F7MlmI46yTl6+zykeRr624hYri/4k49 2eu0MmGcyGsL/r6KDTmvLPFe20zKDkoI+JEh6vuATMD0U2OwwVIVgwd+rbS/gK5s utNq2T/DpzOjyfu8jaT7+ldvUhaDc6IZNB2BspQni0hKfQwe0eDGDQV7C1+ZMrld AVaSl056PuP7856KiIfTMAYIH+eOX8SNfKn/Dt/hlabtH6LKGBtUg+7TDtIATlj8 Jy/HjppSzAWW9nrcK1AoaD/6ccMDjnsd9hDFOLS3B/y5ZZIwPnpQo3o2piO2jk00 n3pR+MtRJnN8+aWDWXLMZqd0BkUQjWLgJ1tqtSSnwB0L+hbZVRXdVu4FknYDnV2O 5sYN5XHur5RKv3vQwZF5P2Q6B1JvNoqVNNr5n2zzd4YyacwfVck/N0A+jmcLeRbR 83IqYI2td2EBC1p5eNw6ixu9UkQzZbEPhqCvVFrRPKlAp40IiGOVST79FD8eoIpw 8HayKndfEXo= =XQ0Z -----END PGP SIGNATURE-----