Five vulnerabilities in EPO have been discovered and resolved.
AFFECTED SOFTWARE
- EPO 5.1.3 and earlier
- EPO 5.3.2 and earlier
The vulnerabilities are remediated in the following versions:
- ePolicy Orchestrator 5.x with Hotfix 1178101

- CVE-2016-5546 (CVSS: 7.5; Severity: High)
Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE accessible data.
- CVE-2016-5547 (CVSS: 5.3; Severity: Medium)
Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE.
- CVE-2016-5552 (CVSS: 5.3; Severity: Medium)
Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data.
- CVE-2016-2183 (CVSS: 3.1; Severity: Low)
The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.
- CVE-2017-3252 (CVSS: 5.8; Severity: Medium)
Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE accessible data.
Intel Security recommends that all customers verify that they have applied the latest updates. Impacted users should install the relevant patches or hotfixes. For full instructions and information, see Knowledge Base article SB10186: Intel Security - Security Bulletin: Intel Security ePO update fixes multiple Oracle Java vulnerabilities. (https://kc.mcafee.com/corporate/index?page=content&id=SB10186)
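
The following is an added example for the CVE-2016-2183 (Sweet32) entry above, not code from Intel Security or the bulletin. It flags TLS cipher suites that use a 64-bit block cipher and estimates, with the standard birthday approximation, the chance of a ciphertext block collision after a given amount of data under one key. The function names and the suite list are constructed for illustration.

```python
import math
import re

# Bulk ciphers recognised in IANA, Java (SSL_/TLS_) and OpenSSL suite names,
# mapped to block size in bits. Stream ciphers (RC4, ChaCha20) are absent.
BLOCK_BITS = {"3DES": 64, "DES": 64, "IDEA": 64, "RC2": 64,
              "AES": 128, "CAMELLIA": 128, "ARIA": 128, "SEED": 128}
_TOKEN = re.compile(r"^(3DES|DES|IDEA|RC2|AES|CAMELLIA|ARIA|SEED)\d*$")

def block_bits(suite):
    """Block size in bits of the suite's bulk cipher, or None if not a known block cipher."""
    for tok in re.split(r"[_-]", suite.upper()):
        m = _TOKEN.match(tok)
        if m:
            return BLOCK_BITS[m.group(1)]
    return None

def birthday_bound_blocks(bits):
    """Number of blocks at which collisions become likely: 2^(b/2)."""
    return 2 ** (bits // 2)

def collision_probability(blocks, bits):
    """Birthday approximation: 1 - exp(-n(n-1) / 2^(b+1))."""
    return -math.expm1(-blocks * (blocks - 1) / 2 ** (bits + 1))

def audit(suites, session_bytes):
    """Return (suite, collision probability) for every 64-bit-block suite."""
    findings = []
    for suite in suites:
        bits = block_bits(suite)
        if bits is not None and bits <= 64:
            blocks = session_bytes * 8 // bits
            findings.append((suite, round(collision_probability(blocks, bits), 3)))
    return findings

# Constructed sample input: suites a server might report as enabled.
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "ECDHE-RSA-DES-CBC3-SHA",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
]

if __name__ == "__main__":
    print("64-bit birthday bound (blocks):", birthday_bound_blocks(64))
    for suite, p in audit(SAMPLE_SUITES, 2 ** 35):  # 32 GiB under one key
        print(f"{suite}: collision probability ~{p}")
```

Any suite the audit returns should be removed from the server's enabled cipher list; the 128-bit-block suites in the sample are not reported because their birthday bound is 2^64 blocks.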