McAfee SNS Notice: Updates Resolve McAfee Web Gateway 7.x and 8.0.x Vulnerabilities
SNS Emails ID:   SNS1807
Last Modified:  1/14/2019

Body

Vulnerabilities in McAfee Web Gateway (MWG) have been discovered and resolved.

AFFECTED SOFTWARE

The vulnerabilities affect the following versions of McAfee Web Gateway (MWG):

CVE-2019-3581 applies to: 
  • McAfee Web Gateway 7.8.2 earlier than 7.8.2.5
  • McAfee Web Gateway 8.0 earlier than 8.0.2
CVE-2018-11784, CVE-2018-12327 and CVE-2018-7170 apply to: 
  • McAfee Web Gateway 7.7.2 earlier than 7.7.2.19
  • McAfee Web Gateway 7.8.2 earlier than 7.8.2.5
  • McAfee Web Gateway 8.0 earlier than 8.0.2

REMEDIATED/UPDATED VERSIONS

The vulnerabilities are remediated in these versions of McAfee Web Gateway:
  • McAfee Web Gateway (MWG) 7.7.2.19
  • McAfee Web Gateway (MWG) 7.8.2.5
  • McAfee Web Gateway (MWG) 8.0.2
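
The following is an added example, not part of the McAfee notice: a small triage function that maps an installed MWG version to the CVEs and fixed release listed above. It compares version components numerically, because a plain string comparison would rank 7.7.2.9 above 7.7.2.19. It assumes version strings are dotted integers (for example "7.8.2.4"); the function names and status labels are hypothetical.

```python
# Added example: triage MWG versions against the ranges in notice SNS1807.
# Assumption: versions are dotted integers such as "7.8.2.4".

TOMCAT_NTP = ["CVE-2018-11784", "CVE-2018-12327", "CVE-2018-7170"]
ALL_FOUR = ["CVE-2019-3581"] + TOMCAT_NTP

# (branch, first remediated release, CVEs), transcribed from the notice.
NOTICE = [
    ("7.7.2", "7.7.2.19", TOMCAT_NTP),
    ("7.8.2", "7.8.2.5", ALL_FOUR),
    ("8.0", "8.0.2", ALL_FOUR),
]


def parse(version):
    """Turn '7.8.2.4' into (7, 8, 2, 4); reject anything non-numeric."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError("unexpected version format: %r" % version)
    return tuple(int(p) for p in parts)


def triage(version):
    """Return (status, fixed_release, cves) for one installed version."""
    v = parse(version)
    for branch, fixed, cves in NOTICE:
        b = parse(branch)
        if v[:len(b)] != b:
            continue  # not on this branch
        if v < parse(fixed):  # numeric, component-wise comparison
            return ("update", fixed, list(cves))
        return ("remediated", fixed, [])
    # A branch the notice does not mention is unknown, not "safe".
    return ("not-listed", None, [])


if __name__ == "__main__":
    # Constructed sample inventory.
    for installed in ["7.7.2.9", "7.8.2.4", "8.0.2", "7.6.2.1"]:
        print(installed, triage(installed))
```

A "not-listed" result means the notice makes no statement about that branch, so it needs a separate check rather than being treated as unaffected.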

IMPACT

CVE-2019-3581 (CVSS: 7.5; Severity: High) An unauthenticated user can cause a denial of service against the proxy component of McAfee Web Gateway.

CVE-2018-11784 (CVSS: 4.3; Severity: Medium) When the default servlet in Apache Tomcat returned a redirect to a directory (for example, redirecting to '/foo/' when the user requested '/foo'), a specially crafted URL could be used to cause the redirect to be generated to any URI of the attacker's choice.

CVE-2018-12327 (CVSS: 7.0; Severity: High) The ntpq and ntpdc command-line utilities that are part of the ntp package are vulnerable to a stack-based buffer overflow via a crafted hostname. Applications that pass untrusted input to these utilities may be exploited, resulting in a crash or arbitrary code execution under the privileges of that application.

CVE-2018-7170 (CVSS: 3.1; Severity: Medium) A flaw was found in ntpd making it vulnerable to Sybil attacks. An authenticated attacker could target systems configured to use a trusted key in certain configurations to create an arbitrary number of associations and subsequently modify a victim's clock.

RECOMMENDATION:

McAfee recommends that all customers verify that they have applied the latest updates. Impacted users should install the relevant patches or hotfixes. 
To receive information about McAfee product updates, sign up for the Support Notification Service at https://sns.secure.mcafee.com/signup_login.



 

Original Send Date

January 8, 2019
