McAfee Security Bulletin - GHOST Vulnerability
Security Bulletins ID:
SB10100
Last Modified: 4/26/2018
Last Modified: 4/26/2018
Summary
| Who Should Read This Document: | Technical and Security Personnel |
| Impact of Vulnerability: | Remote Code Execution (CWE-714, OWASP 2007:A3) Buffer Overflow (CWE-726, OWASP 2004:A5) Authentication Bypass (CWE-592) |
| CVE Numbers: | CVE-2015-0235 |
| CERT/CC and Other Numbers: | Qualys Advisory: GHOST-CVE-2015-0235 |
| Severity Rating: | High |
| Base / Overall CVSS Scores: | 10.0 / 7.8 |
| Recommendations: | Deploy the remediation signatures/rules first. Update product patches/hotfixes. |
| Security Bulletin Replacement: | None |
| Caveats: | None |
| Affected Software: | See the McAfee Product Vulnerability Status lists below |
| Location of Updated Software: | http://www.mcafee.com/us/downloads/downloads.aspx |
To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.
Article contents:
Description
The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the target system without having any prior knowledge of system credentials. This buffer overflow vulnerability can be triggered both locally and remotely. CVE-2015-0235 has been assigned to this issue. This is referred to as the GHOST vulnerability because it can be triggered by the GetHOST functions.
The GNU C Library or glibc is an implementation of the standard C library and is a core part of the Linux operating system. Linux distribution vendors have released patches for all distribution as of January 27, 2015.
- RedHat: https://rhn.redhat.com/errata/RHSA-2015-0090.html
- Ubuntu: https://launchpad.net/ubuntu/+source/eglibc
- Debian: https://security-tracker.debian.org/tracker/CVE-2015-0235
- Oracle Enterprise Linux: https://oss.oracle.com/pipermail/el-errata/2015-January/004810.html
- CentOS: http://lists.centos.org/pipermail/centos-announce/2015-January/020906.html
- GNU C Library: http://www.gnu.org/software/libc/
- Mitre: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
The first vulnerable version of the GNU C Library was released on November 10, 2000. This vulnerability was actually fixed on May 21, 2013, but was not recognized as a security threat. As a result, most stable and long-term-support distributions were left exposed.
CVE-2015-0235
GHOST: glibc gethostbyname buffer overflow
NIST: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0235
Mitre: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
GHOST: glibc gethostbyname buffer overflow
NIST: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0235
Mitre: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
CWE-714
OWASP Top Ten 2007 Category A3 - Malicious File Execution
http://cwe.mitre.org/data/definitions/714.html
OWASP Top Ten 2007 Category A3 - Malicious File Execution
http://cwe.mitre.org/data/definitions/714.html
Qualys Advisory: GHOST-CVE-2015-0235
GHOST Vulnerability
GHOST Vulnerability
- https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability
- https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt
Investigation into all McAfee products is ongoing. Products not on these lists are being investigated. This security bulletin will be updated as additional information is available. Not every version of the "vulnerable and updated" products are vulnerable.
* Products listed as "Vulnerable but Low Risk (given standard deployment best practices)" may contain one or more of the following conditions:
- Contains a vulnerable component, but an attack vector cannot be identified or the component is not used by the product.
- Only rarely used configurations are vulnerable. For example, it is vulnerable only in FIPS-140 mode, which is not the default and is not commonly used.
- Internal controls that block this vulnerability should be deployed as recommended in the installation documents. For example, internal firewalls.
- Privileges are not elevated enough to be vulnerable, unless granted explicitly by the customer.
- The product may be momentarily vulnerable during an install or uninstall, but not during normal operation.
See the version information later in this bulletin.
Vulnerable and Updated
- Advanced Threat Defense (MATD)
- Global Threat Intelligence (GTI) [GTI Cloud Server (CS) / Artemis / REST]
- GTI Proxy 2.0
- McAfee Agent (MA) (Linux 32-bit) 4.8.0 and 5.0.0
- McAfee Asset Manager (MAM)
- McAfee Security for App Store- Cloud (MSAS)
- McAfee Security Information and Event Management (SIEM) / Nitro
- McAfee Web Gateway (MWG)
- Mobile Cloud (MC)
- MOVE AntiVirus Security Virtual Appliance (MOVE SVA)
- McAfee MOVE AntiVirus Security Virtual Appliance Manager (MOVE SVA Manager)
- Network Data Loss Prevention (NDLP)
- TrueKey Password Manager API (TKPM) / You Are the Password (YAP) / PasswordBox
- VirusScan Enterprise Linux (VSEL)
Vulnerable and Not Yet Updated
- Cloud Analysis and Deconstruction Service (CADS)
- Site Advisor Live (SA)
Vulnerable but Low Risk (given standard deployment best practices)*
- CleanBoot (CB)
- Data Exchange Layer (DXL)
- Email and Web Security (EWS)
- Host Intrusion Prevention Services (HIPS)
- McAfee Email Gateway (MEG)
- Network Security Platform (NSP) Sensor
- Network Threat Behavior Analysis (NTBA)
- Network Threat Response (NTR)
- Threat Intelligence Exchange (TIE)
Not Vulnerable
- Anti-Malware Engine (AME)
- Content Security Interlock (CSI)
- Content Security Reporter (CSR)
- Database Activity Monitoring (DAM)
- Database Vulnerability Manager (DVM)
- Deep Defender (DD)
- Drive Encryption (DE)
- Endpoint Encryption Manager (EEM/SafeBoot)
- Endpoint Protection for Mac (EPM)
- Enterprise Mobility Manager (EMM)
- ePO Deep Command (eDC)
- ePolicy Orchestrator (ePO)
- Endpoint Encryption for Files and Folders (EEFF)
- Endpoint Encryption for PCs (EEPC) / McAfee Drive Encryption (MDE)
- Endpoint Encryption for Removable Media – USB (EERM)
- File and Removable Media Protection (FRP)
- McAfee Application Control (MAC)
- McAfee Antivirus Plus (AV+)
- McAfee Endpoint Security 10 (ENS) / Endpoint Protection 10.0 (EP10)
- McAfee Family Protection (MFP)
- McAfee Foundation Services (MFS) [part of ePO]
- McAfee Home Network (MHN)
- McAfee Minimum Escalation Requirements Tool (MER)
- McAfee Mobile Security (MMS)
- McAfee Quarantine Manager (MQM)
- McAfee Security for Domino Windows (MSDW)
- McAfee Security for Email Servers (MSES) / GroupShield
- McAfee Security for Lotus Domino (MSLD) / GroupShield Domino (GSD)
- McAfee Security for Microsoft Exchange (MSME) / GroupShield Exchange
- McAfee Security for Microsoft SharePoint (MSMS)
- McAfee Security for Mac (MSM)
- McAfee Vulnerability Manager (MVM)
- McAfee Virtual Technician (MVT)
- McAfee Web Reporter (MWR)
- Network Security Manager (NSM)
- Rogue System Detection (RSD) [part of ePO]
- SaaS Endpoint Protection (SEP)
- Secure Container (Android and iOS)
- Site Advisor Enterprise (SAE)
- Total Protection Service Client (ToPS)
- Virus-Scan Enterprise (VSE)
- VirusScan for Mac (VSMac)
- Windows Systems Security (WSS)
Being Investigated
- Anti-Malware Core (AMC)
- Anti-Spam Engine (ASE)
- AntiVirus Engine (AVE)
- Boot Attestation Service (BAS) / Open Virtual Appliance (OVA)
- Data Loss Prevention Endpoint (DLPe)
- DeepSAFE (SAFE)
- Endpoint Intelligence Agent (EIA)
- ePO Cloud
- Gateway Anti-Malware Engine (GAM)
- Host Data Loss Prevention (HDLP)
- Management for Optimized Virtual Environments (MOVE) AntiVirus
- McAfee Anti-Theft (MAT)
- McAfee Change Control (MCC)
- McAfee Cloud Single Sign On (MCSSO) / McAfee Cloud Identity Manager (MCIM)
- McAfee Network Access Control (MNAC)
- McAfee Policy Auditor (MPA)
- McAfee Real Time Command (RTC)
- McAfee Real Time for ePO (RTE)
- McAfee SECURE (MS) / Trustmark
- McAfee Security Scan+ (MSS+)
- Network User Behavior Analysis (NUBA)
- One Time Password (OTP) / Nordic Edge / Pledge
- Online Child Protection (OCP)
- PortalShield (PS)
- Pre-Install Scanner (PIS)
- Stinger
- Super DAT Manager (SDAT)
- ToPS Server (TPS)
- Trusted Source Software Development Kit (TS-SDK)
- Whole Disk Encryption (WDE)
For a description of each product, see:
Remediation
| Product | Type | Patch Version | File Name | Release Date |
| ATD | Patch | 3.4.4.63.45665 | March 31, 2015 | |
| MAM | Security Hotfix Script | Hotfix 7 | mam_hotfix_pack7.sh | June 23, 2015 |
| McAfee Agent 4.8.0 | Patch | 3 | MA480P3LNX.zip | February 17, 2015 |
| McAfee Agent 5.0.0 | Security Hotfix | NA | MA500LNXHF1037455.zip | February 19, 2015 |
| MOVE 3.5 SVA Manager | Upgrade to MA 4.8 Patch 3 and VSEL 2.02, and then deploy HF1043657 from ePO. | MOVE 3.5 SVA Manager | ||
| MOVE AL 3.5 | Upgrade to MA 4.8 Patch 3 and VSEL 2.02, and then deploy HF1043655 from ePO. | HF1043655 | N/A | February 23, 2015 |
| MOVE AL 3.0 | Upgrade to MA and VSEL 1.9.1, and then deploy HF1043684 from ePO. | HF1043684 | N/A | After VSEL 1.9.1 release, which is scheduled for February 27, 2015 |
| MOVE MP 3.5 | Development is still under progress. | N/A | N/A | Date will be updated later. |
| MOVE 2.6 | MOVE 2.6 is EOL July 31 — customers are advised to move to MOVE 3.0/3.5. | N/A | N/A | N/A |
| MWG | Patch | 7.5.1 7.4.2.7 |
mwgappl-7.5.1-18935.x86_64.yum mwgappl-7.4.2.7.0-18936.x86_64.yum |
January 29, 2015 |
| MWG | Patch | 7.3.2.13 | mwgappl-7.3.2.13.0-18938.x86_64.yum | February 2, 2015 |
| NDLP | Security Hotfix | Hotfix 1045663 | hotfix_ 1045663_47280.tar.gz | March 12, 2015 |
| SIEM | Maintenance Release | 9.4.2 MR6 9.3.2 MR17 |
January 28, 2015 | |
| TrueKey | Cloud Update | N/A | N/A | January 27, 2015 |
| VSE for Linux 1.7.x | Customers are advised to upgrade to VSEL 1.9.1/2.0.2 to fix all the vulnerabilities. | N/A | N/A | N/A |
| VSE for Linux 2.0.2 | VSEL 2.0.2 is getting reposted and fixes the glibc vulnerability in the field and contains all the previously released hotfixes merged (including the Poodle vulnerability). | N/A | N/A | February 19, 2015 |
| VSE for Linux 1.9.1 | VSEL 1.9.1 is getting reposted and fixes the glibc vulnerability in the field and contains all the previously released hotfixes merged (including the Poodle vulnerability). | N/A | McAfeeVSEForLinux-1.9.1.29107.zip | March 4, 2015 |
- DXL
DXL clients are not vulnerable. The platform the DXL Broker runs on has a vulnerable version of Linux; however, it does not expose the vulnerability. DXL 1.0.1 will still be patched to avoid false positives by vulnerability scanners. - HIPS
'HIPS for Linux' statically links to vulnerable versions of glibc, but there is no attack vector. The Windows version is not vulnerable. - MA
Only (Linux 32-bit) running 4.6, 4.8, and 5.0 Agents are bundled with this runtime library and are affected.NOTE: All other non-Linux, 64-bit Linux, and embedded Linux distributions without this runtime are not impacted. MA 4.6 reaches EOL status on March 31, 2015. Customers are advised to migrate to the latest supported versions for obtaining this fix. - MAM
MAM is vulnerable, not because of the product itself, but because of the underlying Debian Squeezy Linux platform shipped with it.
MAM 6.6 Hotfix 7 has superseded the release previously posted in this article. Hotfix 7 is a rollup that includes the content of hotfixes 1-6.
- MC
McAfee Mobile Cloud was updated by McAfee in the cloud. No actions are required by customers. - MWG
MWG appliances use the vulnerable glibc, but investigation shows that there is no attack vector for the MWG proxy for user traffic because MWG uses a different implementation for DNS lookups (uDNS). MWG ships with several third-party products, such as Dante Socks Proxy and Helix Streaming Proxy, which may be vulnerable. These third-party products are NOT enabled by default. - TIE
The platform the TIE Server runs on has a vulnerable version of Linux; however, it does not expose the vulnerability. TIE 1.0.1 will still be patched to avoid false positives by vulnerability scanners. - TrueKey/YAP
All production systems related to the TrueKey platform were updated by McAfee on January 27, 2015. No customer action is required.
- Launch Internet Explorer.
- Navigate to: http://www.mcafee.com/us/downloads/downloads.aspx.
- Provide your valid McAfee Grant Number. *
- Click your product suite.
- Click the applicable product (see table above) and click I Agree.
- Click the Patches tab and click the link to download the product .ZIP file under the Product column.
* NOTE: The Content and Cloud Security portal does not require a McAfee Grant number; however, customers have received login credentials together with their MWG license.
For instructions on how to download McAfee products, documentation, security updates, patches, or hotfixes, see: KB56057.
For instructions on how to install/upgrade this hotfix/patch, please review the Release Notes and the Installation Guide (which you can download from the Documentation tab) following the same steps above.
For instructions on how to download McAfee products, documentation, security updates, patches, or hotfixes, see: KB56057.
For instructions on how to install/upgrade this hotfix/patch, please review the Release Notes and the Installation Guide (which you can download from the Documentation tab) following the same steps above.
Workaround
Linux distribution vendors have all released patches as of January 27, 2015. McAfee products that rely upon these vulnerable Linux distributions will be patched by product-specific McAfee tested and approved patches and hotfixes.
Mitigations
Several McAfee products have signatures to help mitigate this vulnerability. These include:
- MVM – McAfee Vulnerability Manager
- FSL vulnerability checks: http://www.mcafee.com/us/content-release-notes/foundstone/index.aspx
- http://www.mcafee.com/us/resources/release-notes/foundstone/fsl_01-28-2015.pdf
- 85863 - CentOS 6, 7 CESA-2015-0092 Update Is Not Installed
- 85864 - CentOS 5 CESA-2015-0090 Update Is Not Installed
- 91712 - Oracle Enterprise Linux ELSA-2015-0090 Update Is Not Installed
- 140663 - Red Hat Enterprise Linux RHSA-2015-0092 Update Is Not Installed
- 140667 - Red Hat Enterprise Linux RHSA-2015-0090 Update Is Not Installed
- 170448 - Amazon Linux AMI ALAS-2015-473 Update Is Not Installed
- 174625 - Scientific Linux Security ERRATA Critical: glibc on SL5.x i386/x86_64 (1501-2696)
- 174629 - Scientific Linux Security ERRATA Critical: glibc on SL6.x, SL7.x i386/x86_64 (1501-2821)
- 91713 - Oracle Enterprise Linux ELSA-2015-0092 Update Is Not Installed
- 130059 - Debian Linux 7.0 DSA-3142-1 Update Is Not Installed
- 184697 - Ubuntu Linux 10.04, 12.04 USN-2485-1 Update Is Not Installed
- http://www.mcafee.com/us/resources/release-notes/foundstone/fsl_01-29-2015.pdf
- 17685 - GNU glibc gethostbyname Remote Code Execution
- 88666 - Slackware Linux 13.0, 13.1, 13.37, 14.0, 14.1 SSA:2015-028-01 Update Is Not Installed
- 181328 - FreeBSD glibc Gethostbyname Buffer Overflow (0765de84-a6c1-11e4-a0c1-c485083ca99c)
- http://www.mcafee.com/us/resources/release-notes/foundstone/fsl_02-03-2015.pdf
- 143408 - SuSE Linux 11.4 openSUSE-SU-2015:0162-1 Update Is Not Installed
Support
Corporate Technical Support:
1-800-338-8754
http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-techsupport
1-800-338-8754
http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-techsupport
Frequently Asked Questions (FAQs)
McAfee recommends that all customers verify that they have applied the latest updates.
Does this vulnerability affect McAfee enterprise products?
Yes. Several enterprise products are vulnerable. No consumer products are vulnerable.
How do I know if my McAfee product is vulnerable or not?
For Endpoint products:
Use the following instructions for endpoint or client based products:
Use the following instructions for server based products:
Use the following instructions for Appliance based products:
Use the following instructions:
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score between 0 and 10 that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/.
When calculating CVSS v2 scores, McAfee has adopted a philosophy that fosters consistency and repeatability. Our guiding principle for CVSS scoring is to score the exploit under consideration by itself. We consider only the immediate and direct impact of the exploit under consideration. We do not factor into a score any potential follow-on exploits that might be made possible by successful exploitation of the issue being scored.
What are the CVSS scoring metrics that have been used?
CVE-2015-0235: GHOST Vulnerability
Does this vulnerability affect McAfee enterprise products?
Yes. Several enterprise products are vulnerable. No consumer products are vulnerable.
How do I know if my McAfee product is vulnerable or not?
For Endpoint products:
Use the following instructions for endpoint or client based products:
- Right-click on the McAfee tray shield icon on the Windows task bar.
- Select Open Console.
- In the console, select Action Menu.
- In the Action Menu, select Product Details. The product version is displayed.
Use the following instructions for server based products:
- Check the version and build of ePO that is installed. For more information on how to check the version, see: KB52634.
- Or, create a query in ePO for the product version of the product installed within your organization.
Use the following instructions for Appliance based products:
- Open the Administrator's User Interface (UI).
- Click the About link. The product version is displayed.
Use the following instructions:
- Log on to the ePO server.
- Click Menu, Data Protection, DLP Policy.
- Inside the DLP console, click the Help menu item, About. The product version is displayed.
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score between 0 and 10 that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/.
When calculating CVSS v2 scores, McAfee has adopted a philosophy that fosters consistency and repeatability. Our guiding principle for CVSS scoring is to score the exploit under consideration by itself. We consider only the immediate and direct impact of the exploit under consideration. We do not factor into a score any potential follow-on exploits that might be made possible by successful exploitation of the issue being scored.
CVE-2015-0235: GHOST Vulnerability
| Base Score | 10.0 |
| Related exploit range (AccessVector) | Network |
| Attack complexity (AccessComplexity) | Low |
| Level of authentication needed (Authentication) | None |
| Confidentiality impact | Complete |
| Integrity impact | Complete |
| Availability impact | Complete |
| Temporal Score (Overall) | 7.8 |
| Availability of exploit (Exploitability) | Proof of concept code |
| Type of fix available (RemediationLevel) | Official fix |
| Level of verification that vulnerability exists (ReportConfidence) | Confirmed |
NOTE: CVSS version 2.0 was used to generate this score.
https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
NOTE: The CVSS base score was adjusted higher (10.0) since NIST (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0235) scored the CVE. The initial score (6.8) was from RedHat: https://access.redhat.com/security/cve/CVE-2015-0235.
McAfee will be releasing several product updates to address this security flaw.
Where do I download the fix?
You can download the fix from: http://www.mcafee.com/us/downloads/downloads.aspx.
Users will need to provide their McAfee Grant Number to initiate the download.
How does McAfee respond to this and any other security flaws?
McAfee’s key priority is the security of our customers. In the event that a vulnerability is found within any of McAfee’s software, we work closely with the relevant security research group to ensure rapid and effective development of a fix and communication plan.
McAfee only publishes product vulnerability bulletins together with an actionable workaround, hotfix, patch, or version update; otherwise we would simply be informing the hacker community that our products are a target, putting our customers at greater risk.
McAfee may publish lists of known vulnerable and not vulnerable products if the product vulnerability is already generally known publicly, but no actionable workaround is ready yet.
Where can I find a list of all Security Bulletins?
To view all published Security Bulletins, visit the McAfee ServicePortal at https://mysupport.mcafee.com, click Knowledge Center, and select Security Bulletins in the left navigation pane under Content Source. Alternatively, you can use this link: https://support.mcafee.com/ServicePortal/faces/knowledgecenter?s=true&lang=en-us&sm=false&tab=SCtdl&facets=Security+Bulletin@INQUIRA_TYPE&sb=mostViewed&sbv=numberofviews%3Anumberdecreasing&scps=q.
To view all published Security Bulletins, visit the McAfee ServicePortal at https://mysupport.mcafee.com, click Knowledge Center, and select Security Bulletins in the left navigation pane under Content Source. Alternatively, you can use this link: https://support.mcafee.com/ServicePortal/faces/knowledgecenter?s=true&lang=en-us&sm=false&tab=SCtdl&facets=Security+Bulletin@INQUIRA_TYPE&sb=mostViewed&sbv=numberofviews%3Anumberdecreasing&scps=q.
If you know the Security Bulletin ID, use the following link after replacing the example Security Bulletin ID (SB10071) with the Security Bulletin ID you are searching for: https://kc.mcafee.com/corporate/index?page=content&id=SB10071.
How do I report a product vulnerability?
If you have information about a security issue or vulnerability with a McAfee product, please visit our product security website at: http://www.mcafee.com/us/threat-center/product-security-bulletins.aspx#=tab-vulnerability.
If you have information about a security issue or vulnerability with a McAfee product, please visit our product security website at: http://www.mcafee.com/us/threat-center/product-security-bulletins.aspx#=tab-vulnerability.
Resources
For contact details: Go to http://www.mcafee.com/us/about/contact/index.html. Non-US customers - select your country from the list of Worldwide Offices.
- If you are a registered user, type your User ID and Password and click Log In.
- If you are not a registered user, click Register and complete the required fields. Your password and login instructions will be emailed to you.
To download McAfee products, updates, and documentation, visit the Downloads page at http://www.mcafee.com/us/downloads/downloads.aspx. For instructions on downloading, see KB56057.
To download new Beta software or to read about the latest Beta information, go to http://www.mcafee.com/us/downloads/beta-programs/index.aspx.
To submit Beta feedback on any McAfee product, email: mcafee_beta@mcafee.com.
For copyright, trademark attributions, and license information, go to http://us.mcafee.com/root/aboutUs.asp?id=copyright.
For patents protecting this product, see your product documentation.
To download new Beta software or to read about the latest Beta information, go to http://www.mcafee.com/us/downloads/beta-programs/index.aspx.
To submit Beta feedback on any McAfee product, email: mcafee_beta@mcafee.com.
For copyright, trademark attributions, and license information, go to http://us.mcafee.com/root/aboutUs.asp?id=copyright.
For patents protecting this product, see your product documentation.
Disclaimer
The information provided in this security bulletin is provided as is without warranty of any kind. McAfee disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall McAfee or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits, or special damages, even if McAfee or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Any future product release dates mentioned in this bulletin are intended to outline our general product direction and they should not be relied on in making a purchasing decision. The product release dates are for information purposes only, and may not be incorporated into any contract. The product release dates are not a commitment, promise, or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remains at our sole discretion and may be changed or cancelled at any time.
Any future product release dates mentioned in this bulletin are intended to outline our general product direction and they should not be relied on in making a purchasing decision. The product release dates are for information purposes only, and may not be incorporated into any contract. The product release dates are not a commitment, promise, or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remains at our sole discretion and may be changed or cancelled at any time.
