- Network DLP 18.104.22.168.5 and earlier
The vulnerabilities are remediated in these versions:
- Network DLP 22.214.171.124.5 plus hotfix 1201697_47868
- CVE-2017-3933 (CVSS: 3.4; Severity: Medium) Embedding Script (XSS) in HTTP headers in McAfee Data Loss Prevention 9.3.x now does not allow remote authenticated users to view confidential information through a cross site request forgery attack.
- CVE-2017-3934 (CVSS: 4.7; Severity: Medium) Missing HTTP Strict Transport Security state information in the server in McAfee Data Loss Prevention 9.3.x now does not allow man-in-the-middle attackers to expose confidential data through read files on the webserver.
- CVE-2017-3935 (CVSS: 2.6; Severity: Low) McAfee Data Loss Prevention is no longer vulnerable to MIME type sniffing. MIME type sniffing allows older versions of Internet Explorer to perform MIME-sniffing on the response body. This potentially caused the response body to be interpreted and displayed as a content type other than the intended content type.
McAfee recommends that all customers verify that they have applied the latest updates. Impacted users should install the relevant patches or hotfixes. For full instructions and information, see Knowledge Base article SB10198, McAfee Security Bulletin - Network Data Loss Prevention update fixes eleven vulnerabilities (CVE-2017-3933, CVE-2017-3934, CVE-2017-3935, CVE-2017-3968, CVE-2017-4011, CVE-2017-4012, CVE-2017-4013, CVE-2017-4014, CVE-2017-4015, CVE-2017-4016, and CVE-2017-4017) (https://kc.mcafee.com/corporate/index?page=content&id=SB10198)