Three vulnerabilities in ePolicy Orchestrator (ePO) have been discovered and resolved.
AFFECTED SOFTWARE
The vulnerability is remediated in these versions:
McAfee recommends that all customers verify that they have applied the latest updates. Impacted users should install the relevant patches or hotfixes. For full instructions and information, see Knowledge Base article SB10206, McAfee – Security Bulletin: ePO update fixes multiple latest apache vulnerabilities. (https://kc.mcafee.com/corporate/index?page=content&id=SB10206
AFFECTED SOFTWARE
- 5.1.3 and earlier
- 5.3.2 and earlier
- 5.9.0
The vulnerability is remediated in these versions:
- 5.9.0 with EPO590HF1202868
- 5.3.3
- 5.3.2 with EPO532HF1202868
- 5.3.1 with EPO531HF1202868
- 5.1.3 with EPO513HF1202868
- CVE-2017-3169 (CVSS: 3.7; Severity: Low)- In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port.
- CVE-2017-7668 (CVSS: 6.5; Severity: Medium)- The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value.
- CVE-2017-7679 (CVSS: 3.7; Severity: Low) - In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header.
McAfee recommends that all customers verify that they have applied the latest updates. Impacted users should install the relevant patches or hotfixes. For full instructions and information, see Knowledge Base article SB10206, McAfee – Security Bulletin: ePO update fixes multiple latest apache vulnerabilities. (https://kc.mcafee.com/corporate/index?page=content&id=SB10206