McAfee Security Bulletin – ePO update fixes multiple Java vulnerabilities reported by Oracle
Security Bulletins ID:  SB10058
Last Modified:  12/11/2013


Summary

Who Should Read This Document: Technical and Security Personnel
Impact of Vulnerability:
  • Unauthorized Information Disclosure
  • Unauthorized Information Modification
  • Denial of Service
CVE Numbers:
  • CVE-2013-5782
  • CVE-2013-5802
  • CVE-2013-5830
  • CVE-2013-4002
  • CVE-2013-5823
  • CVE-2013-5825
  • CVE-2013-5780
CERT/CC Number: None
Severity Rating: Critical
Overall CVSS Score: See the Description section below.
Recommendations:
  • Install or update to ePO 4.6.7 or ePO 5.1 (EPO510L2.Zip) released on November 7, 2013.
  • For ePO 4.6.6, install Hotfix 925585 (EPO466HF925585.Zip) released on December 3, 2013.
Security Bulletin Replacement: None
Caveats: None
Affected Software:
  • ePO 4.5 Patch 7 (and earlier)
  • ePO 4.6.6 (and earlier)
  • ePO 5.0.1 (and earlier)
Location of Updated Software: http://www.mcafee.com/us/downloads

Description

ePO is vulnerable to seven of the CVEs reported in Oracle’s October 15, 2013 Java SE update. Collectively, these vulnerabilities could allow unauthorized disclosure of information, unauthorized modification, or disruption of service. 
  • CVE-2013-5782 McAfee ePO and Oracle JRE (Base CVSS Score = 10.0)
    Vulnerability in the Java SE, JRockit, Java SE Embedded component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier and Java SE Embedded 7u40 and earlier. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5782 
     
  • CVE-2013-5802 McAfee ePO and Oracle JRE (Base CVSS Score = 10.0)
    Vulnerability in the Java SE, JRockit, Java SE Embedded component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier and Java SE Embedded 7u40 and earlier. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java SE, JRockit, Java SE Embedded accessible data as well as read access to a subset of Java SE, JRockit, Java SE Embedded accessible data and ability to cause a partial denial of service (partial DOS) of Java SE, JRockit, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5802
     
  • CVE-2013-5830 McAfee ePO and Oracle JRE (Base CVSS Score = 10.0)
    Vulnerability in the Java SE, JRockit, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier and Java SE Embedded 7u40 and earlier. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5830
     
  • CVE-2013-4002 McAfee ePO and Oracle JRE (Base CVSS Score = 7.1)
    Vulnerability in the Java SE, JRockit, Java SE Embedded component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier and Java SE Embedded 7u40 and earlier. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, JRockit, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4002
     
  • CVE-2013-5823 McAfee ePO and Oracle JRE (Base CVSS Score = 5.0)
    Vulnerability in the Java SE, JRockit, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE 7u40 and earlier, Java SE 6u60 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier and Java SE Embedded 7u40 and earlier. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, JRockit, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5823
     
  • CVE-2013-5825 McAfee ePO and Oracle JRE (Base CVSS Score = 5.0)
    Vulnerability in the Java SE, JRockit, Java SE Embedded component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier and Java SE Embedded 7u40 and earlier. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, JRockit, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5825
     
  • CVE-2013-5780 McAfee ePO and Oracle JRE (Base CVSS Score = 4.3)
    Vulnerability in the Java SE, JRockit, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier and Java SE Embedded 7u40 and earlier. Difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java SE, JRockit, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5780
     
Affected Components:
ePO Java Core Web Services

Remediation

The remediation plan is to upgrade the currently supported versions of ePO 4.5, 4.6, and 5.0. These fixes are included in versions 4.6.7 and 5.1.0.
  • Users of ePO 4.5.x and 4.6.x should upgrade to ePO 4.6.7 or ePO 5.1 (EPO510L2.Zip) released on November 7, 2013.
  • Users of ePO 5.0.x should upgrade to ePO 5.1 (EPO510L2.Zip) released on November 7, 2013.
Update: Hotfix 925585 (EPO466HF925585.Zip) has been released for ePO 4.6.6. ePO 4.5.x and 4.6.x users may upgrade to ePO 4.6.6 (build 4.6.6.176) and then apply Hotfix 925585.


Refer to the upgrade instructions in the ePO 4.6.7 or 5.1 Release Notes for further details.

NOTE: All customers with FIPS 140-2 installations running ePO 4.6.4 can upgrade to ePO 5.1.0 to maintain a FIPS-compliant installation.

Go to the McAfee Downloads site and download the applicable product patch/hotfix file: 

Product | Type | File Name | Release Date
ePO 4.6.6 HF925585 | Hotfix | EPO466HF925585.Zip | December 3, 2013
ePO 4.6.7 | Patch | ePO467L.zip | January 2014
ePO 5.1.0 | Patch/Release | ePO510L2.zip | November 7, 2013


ePO 4.6.7 and 5.1.0 download instructions

  1. Launch Internet Explorer.
  2. Go to: http://www.mcafee.com/us/downloads.
  3. Provide your valid McAfee Grant Number.
  4. Click your product suite.
  5. Click the applicable product (see table above) and click I Agree.
  6. Click the Software Downloads tab and click the link to download the applicable product .ZIP file.

For instructions on how to download McAfee products, documentation, security updates, patches, or hotfixes, see article KB56057.

For instructions on how to install / upgrade this patch, review the Release Notes and the Installation Guide (available from the Documentation tab) following the same steps above. 

Workaround

There are no Java workarounds currently available for these issues.

McAfee strongly recommends that all customers upgrade to ePO 4.6.7 or 5.1, or apply the hotfix as noted in the Remediation section.

Acknowledgements

This vulnerability was first disclosed in Oracle’s pre-patch announcement for the October 15, 2013 quarterly Security Bulletin.

Support

Corporate Technical Support:
1-800-338-8754
http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-techsupport

Frequently Asked Questions (FAQs)

What is affected by this security vulnerability?

Affected versions:
  • ePO 4.5 Patch 7 (and earlier)
  • ePO 4.6.6 (and earlier)
  • ePO 5.0.1 (and earlier)
Protected versions:
  • ePO 4.6.7 (and later)
  • ePO 5.1 (and later) - EPO510L2.Zip released on November 7, 2013
McAfee recommends that all customers verify that they have applied the latest updates.

What issues does this Java update address?
  • CVE-2013-5782
  • CVE-2013-5802
  • CVE-2013-5830
  • CVE-2013-4002
  • CVE-2013-5823
  • CVE-2013-5825
  • CVE-2013-5780

How do I know if my McAfee product is vulnerable or not?

Check the version and build of ePO that is installed. For more information on how to check the version, see KB52634.

NOTE: See KB79702 for additional FAQ information on this vulnerability.


What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/.


What are the CVSS scoring metrics that have been used?

CVE-2013-5782 ePO and Oracle JRE

 Base Score: 10.0
 Related exploit range (AccessVector): Network
 Attack complexity (AccessComplexity): Low
 Level of authentication needed (Authentication): None
 Confidentiality impact: Complete
 Integrity impact: Complete
 Availability impact: Complete
 Temporal Score: 6.7
 Availability of exploit (Exploitability): Unproven that exploit exists
 Type of fix available (RemediationLevel): Official fix
 Level of verification that vulnerability exists (ReportConfidence): Unconfirmed

NOTE: CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:[N]/AC:[L]/Au:[N]/C:[C]/I:[C]/A:[C]/E:[U]/RL:[O]/RC:[UC]) 


CVE-2013-5802 ePO and Oracle JRE

 Base Score: 10.0
 Related exploit range (AccessVector): Network
 Attack complexity (AccessComplexity): Low
 Level of authentication needed (Authentication): None
 Confidentiality impact: Complete
 Integrity impact: Complete
 Availability impact: Complete
 Temporal Score: 6.7
 Availability of exploit (Exploitability): Unproven that exploit exists
 Type of fix available (RemediationLevel): Official fix
 Level of verification that vulnerability exists (ReportConfidence): Unconfirmed

NOTE: CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:[N]/AC:[L]/Au:[N]/C:[C]/I:[C]/A:[C]/E:[U]/RL:[O]/RC:[UC]) 



CVE-2013-5830 ePO and Oracle JRE

 Base Score: 10.0
 Related exploit range (AccessVector): Network
 Attack complexity (AccessComplexity): Low
 Level of authentication needed (Authentication): None
 Confidentiality impact: Complete
 Integrity impact: Complete
 Availability impact: Complete
 Temporal Score: 6.7
 Availability of exploit (Exploitability): Unproven that exploit exists
 Type of fix available (RemediationLevel): Official fix
 Level of verification that vulnerability exists (ReportConfidence): Unconfirmed

NOTE: CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:[N]/AC:[L]/Au:[N]/C:[C]/I:[C]/A:[C]/E:[U]/RL:[O]/RC:[UC])  



CVE-2013-4002 ePO and Oracle JRE

 Base Score: 7.1
 Related exploit range (AccessVector): Network
 Attack complexity (AccessComplexity): Medium
 Level of authentication needed (Authentication): None
 Confidentiality impact: None
 Integrity impact: None
 Availability impact: Complete
 Temporal Score: 4.7
 Availability of exploit (Exploitability): Unproven that exploit exists
 Type of fix available (RemediationLevel): Official fix
 Level of verification that vulnerability exists (ReportConfidence): Unconfirmed

NOTE: CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:[N]/AC:[M]/Au:[N]/C:[N]/I:[N]/A:[N]/E:[U]/RL:[O]/RC:[UC])  


CVE-2013-5823 ePO and Oracle JRE

 Base Score: 5.0
 Related exploit range (AccessVector): Network
 Attack complexity (AccessComplexity): Low
 Level of authentication needed (Authentication): None
 Confidentiality impact: None
 Integrity impact: None
 Availability impact: Partial
 Temporal Score: 3.3
 Availability of exploit (Exploitability): Unproven that exploit exists
 Type of fix available (RemediationLevel): Official fix
 Level of verification that vulnerability exists (ReportConfidence): Unconfirmed

NOTE: CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:[N]/AC:[L]/Au:[N]/C:[N]/I:[N]/A:[P]/E:[U]/RL:[O]/RC:[UC])


CVE-2013-5825 ePO and Oracle JRE

 Base Score: 5.0
 Related exploit range (AccessVector): Network
 Attack complexity (AccessComplexity): Low
 Level of authentication needed (Authentication): None
 Confidentiality impact: None
 Integrity impact: None
 Availability impact: Partial
 Temporal Score: 3.3
 Availability of exploit (Exploitability): Unproven that exploit exists
 Type of fix available (RemediationLevel): Official fix
 Level of verification that vulnerability exists (ReportConfidence): Unconfirmed

NOTE: CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:[N]/AC:[L]/Au:[N]/C:[N]/I:[N]/A:[P]/E:[U]/RL:[O]/RC:[UC])  


CVE-2013-5780 ePO and Oracle JRE

 Base Score: 4.3
 Related exploit range (AccessVector): Network
 Attack complexity (AccessComplexity): Medium
 Level of authentication needed (Authentication): None
 Confidentiality impact: Partial
 Integrity impact: None
 Availability impact: None
 Temporal Score: 2.9
 Availability of exploit (Exploitability): Unproven that exploit exists
 Type of fix available (RemediationLevel): Official fix
 Level of verification that vulnerability exists (ReportConfidence): Unconfirmed

NOTE: CVSS version 2.0 vector was used to generate this score.
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:[N]/AC:[M]/Au:[N]/C:[N]/I:[P]/A:[N]/E:[U]/RL:[O]/RC:[UC])


What has McAfee done to resolve the issue?
McAfee will release ePO 4.6.7 and ePO 5.1.0 to address these security flaws.

Where do I download the fix?
You can download the fix from http://www.mcafee.com/us/downloads. Users will need to provide their McAfee Grant Number to initiate the download.

How does McAfee respond to this and any other security flaws?
McAfee's key priority is the security of our customers. In the event that a vulnerability is found within any McAfee software, we work closely with the relevant security research group to ensure rapid and effective development of a fix and communication plan. McAfee is an active member of the Organization for Internet Safety (OIS), which is dedicated to developing guidelines and best practices for the reporting and fixing of software vulnerabilities.

McAfee only publishes product vulnerability bulletins together with an actionable workaround, patch, or hotfix; otherwise we would simply be informing the hacker community that our products are a target, putting our customers at greater risk.

Resources

To download new Beta software or to read about the latest Beta information, go to: http://www.mcafee.com/us/downloads/beta-programs/index.aspx
 
To submit Beta feedback on any McAfee product, email: mcafee_beta@mcafee.com
 
For contact information, go to: http://www.mcafee.com/uk/about/contact-us.aspx
 
For copyright, trademark attributions, and license information, go to: http://us.mcafee.com/root/aboutUs.asp?id=copyright
 
For patents protecting this product, see your product documentation.

Disclaimer

The information provided in this security bulletin is provided as is without warranty of any kind. McAfee disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall McAfee or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if McAfee or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Any future product release dates mentioned in this bulletin are intended to outline our general product direction and they should not be relied on in making a purchasing decision. The product release dates are for information purposes only, and may not be incorporated into any contract. The product release dates are not a commitment, promise or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remains at our sole discretion and may be changed or cancelled at any time.

© 2003-2013 McAfee, Inc.