===========================================================================
AUSCERT Security Bulletin

ASB-2019.0045
ePolicy Orchestrator Cloud update fixes multiple Cross-Site Request
Forgery vulnerabilities (CVE-2019-3604)
5 February 2019

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              McAfee Legacy ePolicy Orchestrator Cloud
Operating System:     Virtualisation
Impact/Access:        Cross-site Request Forgery -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-3604
Member content until: Thursday, March 7 2019

OVERVIEW

        Multiple CSRF vulnerabilities have been identified in McAfee Legacy
        ePolicy Orchestrator (ePO) Cloud. [1]


IMPACT

        Details of the vulnerabilities can be found below:

        "CVE-2019-3604: Multiple Cross-Site Request Forgery issues in ePO Cloud

        +------------------------+-----------------------------+
        |Base Score              |4.8                          |
        +------------------------+-----------------------------+
        |Attack Vector (AV)      |Network (N)                  |
        +------------------------+-----------------------------+
        |Attack Complexity (AC)  |High (H)                     |
        +------------------------+-----------------------------+
        |Privileges Required (PR)|High (H)                     |
        +------------------------+-----------------------------+
        |User Interaction (UI)   |Required (R)                 |
        +------------------------+-----------------------------+
        |Scope (S)               |Unchanged (U)                |
        +------------------------+-----------------------------+
        |Confidentiality (C)     |High (H)                     |
        +------------------------+-----------------------------+
        |Integrity (I)           |Low (L)                      |
        +------------------------+-----------------------------+
        |Availability (A)        |None (N)                     |
        +------------------------+-----------------------------+
        |Temporal Score (Overall)|4.5                          |
        +------------------------+-----------------------------+
        |Exploitability (E)      |Functional exploit exists (F)|
        +------------------------+-----------------------------+
        |Remediation Level (RL)  |Official Fix (O)             |
        +------------------------+-----------------------------+
        |Report Confidence (RC)  |Confirmed (C)                |
        +------------------------+-----------------------------+" [1]


MITIGATION

        McAfee recommends installing or updating to the latest version. [1]


REFERENCES

        [1] McAfee Security Bulletin - ePolicy Orchestrator Cloud update
            fixes multiple Cross-Site Request Forgery vulnerabilities
            (CVE-2019-3604)
            https://kc.mcafee.com/corporate/index?page=content&id=SB10268

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation.  The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures.  AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================