Patch Resolves TIE Server Vulnerabilities


Tuesday, 12 September 2017

Two vulnerabilities in Threat Intelligence Exchange (TIE) Server have been discovered and resolved.

AFFECTED SOFTWARE

  • TIE Server 1.2.0 and later

REMEDIATED/PATCHED VERSIONS
The vulnerabilities are remediated in these versions:

  • TIE 2.1.0 Hotfix 1

IMPACT

  • CVE-2017-1000364
    A flaw was found in how memory is allocated on the stack for user space binaries. If heap (or other memory region) and stack memory regions are adjacent to each other, an attacker can use this flaw to jump over the stack guard gap, cause controlled memory corruption on the process stack or the adjacent memory region, and increase their privileges on the system.
  • CWE-119
    The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.
  • CVE-2017-3907
    Code injection vulnerability in the ePolicy Orchestrator (ePO) extension in McAfee Threat Intelligence Exchange (TIE) Server 2.1.0 and earlier allows remote attackers to execute arbitrary HTML code to be reflected in the response web page via an unspecified attack vector.
  • CWE-80
    The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as “<”, “>”, and “&” that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

RECOMMENDATION
McAfee recommends that all customers verify that they have applied TIE Server 2.1.0 Hotfix 1. For full instructions and information, see Knowledge Base article SB10207, McAfee Security Bulletin – Threat Intelligence Exchange Server 2.1.0 Hotfix 1 update fixes Kernel related vulnerability and possible cross-site scripting attack (CVE-2017-1000364 and CVE-2017-3907)
(https://kc.mcafee.com/corporate/index?page=content&id=SB10207)

To receive information about McAfee product upgrades, sign up for the Support Notification Service at https://sns.secure.mcafee.com/signup_login