McAfee ePO Hotfix 1038700 & 1038703

On 4 March 2015, Intel Security released a hotfix for McAfee ePolicy Orchestrator (ePO). The hotfix has version 1038700 (ePO 4.x) and 1038703 (ePO 5.x) and resolves several Java vulnerabilities in the software.

The vulnerabilities exist in the following versions of ePO:

  • ePO 4.6.8 and earlier
  • ePO 4.6.9 (expected end of Q1 2015)
  • ePO 5.1.1 and earlier

The advice is to install these hotfixes soon.

Official Announcement

ePO Update Fixes Multiple Oracle Java Vulnerabilities

Multiple Java vulnerabilities reported against Oracle’s January 2015 Java SE update have been resolved in ePolicy Orchestrator (ePO).

AFFECTED PRODUCT VERSIONS

  • ePO 4.6.8 and earlier
  • ePO 4.6.9 (end of Q1 2015)
  • ePO 5.1.1 and earlier

PROTECTED VERSIONS

These product versions are NOT affected:

  • ePO 4.6.8 + Hotfix 1038700 (EPO468HF1038700.zip)
  • ePO 4.6.9 (end of Q1 2015) + Hotfix 1038700 (EPO468HF1038700.zip)
  • ePO 5.1.1 + Hotfix 1038703 (EPO511HF1038703.zip)
  • ePO 5.1.2 and later (Q2 2015)

IMPACT

  • CVE-2015-0410 McAfee ePO and Oracle JRE (Base CVSS Score = 5.0) Unspecified vulnerability in the Java SE, Java SE Embedded, JRockit component in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit R27.8.4 and R28.3.4 allows remote attackers to affect availability via unknown vectors related to Security.
  • CVE-2014-3566 McAfee ePO and Oracle JRE (Base CVSS Score = 4.3) The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the “POODLE” issue.
  • CVE-2014-6593 McAfee ePO and Oracle JRE (Base CVSS Score = 4.0) Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit 27.8.4 and 28.3.4 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE.

RECOMMENDATION

McAfee recommends that all customers verify that they have applied the latest updates. Impacted users should install the relevant patches or hotfixes. For full instructions and information, see McAfee KnowledgeBase article SB10104, McAfee Security Bulletin – McAfee ePO update fixes multiple Oracle Java vulnerabilities (https://kc.mcafee.com/corporate/index?page=content&id=SB10104).