Security Bulletin - Updates and product status for HTTP/2 vulnerabilities (CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517, CVE-2019-9518, CVE-2019-3643, and CVE-2019-3644)
Security Bulletins ID:
SB10296
Last Modified: 2022-05-04 16:45:50 Etc/GMT
Last Modified: 2022-05-04 16:45:50 Etc/GMT
Summary
First Published: September 10, 2019
Article contents:
Multiple products of ours offer HTTP services or process the HTTP protocol. On August 13, 2019 there was a disclosure of multiple vulnerabilities in the way products had implemented HTTP/2. You can find more information in the Netflix advisory - https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md.
This Security Bulletin describes which of our products are and are not impacted.
Investigation into all products is ongoing. This Security Bulletin will be updated as additional information is available. Not every version of the "Vulnerable and Updated" products are vulnerable. See the Product Specific Notes section below for details. Products not on these lists are being investigated.
Remediation
Go to the Product Downloads site, and download the applicable product update/hotfix files:
Download and Installation Instructions
For instructions to download product updates and hotfixes, see KB56057 - How to download Enterprise product updates and documentation. Review the Release Notes and Installation Guide for instructions on how to install these updates. All documentation is available at our Product Documentation site.
Product Specific Notes
MLOS
MLOS ships with NGINX. For customers using MLOS from the public repository, we have updated NGINX to version 1.16.1 to address CVE-2019-9511, CVE-2019-9513, and CVE-2019-9516. MLOS and its components are not affected by CVE-2019-9512, CVE-2019-9514, CVE-2019-9515, CVE-2019-9517, and CVE-2019-9518.
Frequently Asked Questions (FAQs)
How do I know if my product is vulnerable?
For Endpoint products:
Use the following instructions for endpoint or client-based products:
Use the following instructions for ePO:
Check the version and build of ePO that is installed. For information about how to check the version, see: KB52634.
For Appliances:
Use the following instructions for Appliance-based products:
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council's effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score between 0 and 10 that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, visit the CVSS website at: http://www.first.org/cvss/.
When calculating CVSS scores, we've adopted a philosophy that fosters consistency and repeatability. Our guiding principle for CVSS scoring is to score the exploit under consideration by itself. We consider only the immediate and direct impact of the exploit under consideration. We do not factor into a score any potential follow-on exploits that might be made possible by the successful exploitation of the issue being scored.
What are the CVSS scoring metrics?
所有安全/Security 公告都发布在我们的 知识中心上。如果产品已停止销售和终止支持(停产),则会停用(删除)安全/Security 公告。
如何向您报告产品漏洞?
如果您有关于某个产品的安全问题或漏洞的信息,请按照 KB95563 中提供的说明进行操作 -报告漏洞。
您如何应对此问题以及报告的任何其他安全漏洞?
我们的主要优先级是我们客户的安全。如果在任何软件或服务中发现漏洞,我们会与相关的安全软件开发团队密切合作,以确保快速有效地开发修复和通信计划。
仅当公告中包含一些可操作的(例如解决方法、缓解、版本更新或修补程序)时,我们才会发布安全/Security 公告。否则,我们只是通知黑客社区我们的产品是一个目标,让客户面临更大的风险。对于自动更新的产品,可能会发布无法操作的安全/Security 公告,以确认 discoverer。
要查看我们的 PSIRT 策略,请参阅 KB95564-关于 PSIRT。
Resources
Disclaimer
本安全/Security 公告中提供的信息按原样提供,不作任何形式的担保。我们不提供任何明示或暗示的保证,包括针对特定用途的适销性和适用性的担保。在任何情况下,我们或我们的供应商对任何损害(包括直接、间接、偶然、后果性、业务利润损失或特殊损害)都不承担任何责任,即使我们或我们的供应商已被告知有此类损害的可能性。某些省/市/自治区不允许排除或限制对后果性或偶然损害的责任,因此上述限制可能不适用。
本安全/Security 公告中提及的任何未来产品发布日期都旨在概述我们的一般产品方向,不应依赖于做出购买决定。产品发行日期仅供参考,不得纳入任何合同。产品的发行日期不是提供任何材料、代码或功能的承诺、承诺或法律义务。我们产品中所述的任何功能或功能的开发、发布和执行时间均由我们自行决定,并可随时更改或取消。
Impact of Vulnerability: | Denial of Service |
CVE ID: | McAfee Linux Operating System (MLOS) NGINX: CVE-2019-9511, CVE-2019-9513, CVE-2019-9516 McAfee Web Gateway (MWG): CVE-2019-3643, CVE-2019-3644 |
Severity Rating: | CVE-2019-3643: Medium CVE-2019-3644: High |
CVSS v3 Base/Temporal Scores: | CVE-2019-3643: 5.3 / 4.9 CVE-2019-3644: 7.5 / 7.0 |
Recommendations: | Deploy product updates as they are made available. |
Security Bulletin Replacement: | None |
Affected Software: |
|
Location of updated software: | Product Downloads site |
要在更新本文时收到电子邮件通知,请单击 订阅 位于页面右侧。您必须登录后才能订购。
Article contents:
- Vulnerability Description
- McAfee Product Vulnerability Status
- Remediation
- Product Specific Notes
- Frequently Asked Questions (FAQs)
- Resources
- Disclaimer
Multiple products of ours offer HTTP services or process the HTTP protocol. On August 13, 2019 there was a disclosure of multiple vulnerabilities in the way products had implemented HTTP/2. You can find more information in the Netflix advisory - https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md.
This Security Bulletin describes which of our products are and are not impacted.
- MWG is impacted by CVE-2019-9511 and CVE-2019-9517, addressed through CVE-2019-3643 and CVE-2019-3644 respectively. The scanning proxies support HTTP/2 and have been updated to address these issues.
- MLOS offers NGINX and has updated the NGINX version to 1.16.1. NGINX is vulnerable to CVE-2019-9511, CVE-2019-9513, and CVE-2019-9516. You can find more details about NGINX's website at: https://www.NGINX.com/blog/NGINX-updates-mitigate-august-2019-http-2-vulnerabilities/.
- A vulnerable version of NGINX is used in MAR Server and ATD. Neither of these products offer HTTP/2 and are not exploitable.
- A vulnerable version of Apache is used in ESM SIEM. SIEM does not offer HTTP/2 and is not exploitable.
- No other products are impacted by the HTTP/2 vulnerabilities.
- CVE-2019-3643
McAfee Web Gateway (MWG) earlier than 7.8.2.13 is vulnerable to a remote attacker exploiting CVE-2019-9511, potentially leading to a denial of service. This affects the scanning proxies.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-3643
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3643
- CVE-2019-3644
McAfee Web Gateway (MWG) earlier than 7.8.2.13 is vulnerable to a remote attacker exploiting CVE-2019-9517, potentially leading to a denial of service. This affects the scanning proxies.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-3644
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3644
Investigation into all products is ongoing. This Security Bulletin will be updated as additional information is available. Not every version of the "Vulnerable and Updated" products are vulnerable. See the Product Specific Notes section below for details. Products not on these lists are being investigated.
Product Status and Remediation Availability | ||
Product | Version |
Notes
|
Vulnerable and Updated | ||
MLOS | 3 | Available from our public repository: http://mcafeelinux.org/mlos/mlosrepo/3/updates/ See Product Specific Notes |
MLOS | 2 | Available from our public repository: http://mcafeelinux.org/mlos/mlosrepo/2/updates/ See Product Specific Notes |
MWG | 8.x, 7.8.2.x, 7.7.2.x | Updates released - see the Remediation table |
Vulnerable and Not Exploitable | ||
ATD | All versions | ATD ships with a vulnerable version of NGINX. No HTTP/2 functionality is offered. |
MAR Server | All versions | MAR ships with a vulnerable version of NGINX. No HTTP/2 functionality is offered. |
ESM SIEM | All versions | SIEM ships with a vulnerable version of Apache. No HTTP/2 functionality is offered. |
Not Vulnerable | ||
Data Loss Prevention Monitor (DLP Monitor) | 11.x, 10.x | |
Data Loss Prevention Prevent (DLP Prevent) | 11.x, 10.x | |
Data Exchange Layer (DXL) Broker | All versions | |
ePolicy Orchestrator (ePO) | All versions | |
McAfee Email Gateway (MEG) | All versions | |
Network Data Loss Prevention (Network DLP) | 9.3 | |
Network Security Manager (NSM) | All versions | |
Network Security Platform (NSP) | All versions | |
Network Threat Behavioral Analysis (NTBA) | All versions | |
Threat Intelligence Exchange (TIE) Server | All versions |
Remediation
Go to the Product Downloads site, and download the applicable product update/hotfix files:
- ATD, MAR, and SIEM - Future updates will update their web servers.
- MLOS - For customers using the MLOS repository, go directly to the repository and pull the latest updates.
- MWG:
- Customers using 8.1.x: Update to 8.2.
- Customers using 7.8.2.x: Update to 7.8.2.13.
- Customers using 7.7.2.x: Update to 7.7.2.24, and consider updating to 7.8.2.13.
Product | Versions | Type | Earliest Fixed Version | Release Date |
MWG | 8.1.x 7.8.2.x 7.7.2.x |
Update Update Update |
8.2 7.8.2.13 7.7.2.24 |
September 10, 2019 |
Download and Installation Instructions
For instructions to download product updates and hotfixes, see KB56057 - How to download Enterprise product updates and documentation. Review the Release Notes and Installation Guide for instructions on how to install these updates. All documentation is available at our Product Documentation site.
Product Specific Notes
MLOS
MLOS ships with NGINX. For customers using MLOS from the public repository, we have updated NGINX to version 1.16.1 to address CVE-2019-9511, CVE-2019-9513, and CVE-2019-9516. MLOS and its components are not affected by CVE-2019-9512, CVE-2019-9514, CVE-2019-9515, CVE-2019-9517, and CVE-2019-9518.
Frequently Asked Questions (FAQs)
How do I know if my product is vulnerable?
For Endpoint products:
Use the following instructions for endpoint or client-based products:
- Right-click on the McAfee tray shield icon on the Windows taskbar.
- Select Open Console.
- In the console, select Action Menu.
- In the Action Menu, select Product Details. The product version displays.
Use the following instructions for ePO:
Check the version and build of ePO that is installed. For information about how to check the version, see: KB52634.
For Appliances:
Use the following instructions for Appliance-based products:
- Open the Administrator's User Interface (UI).
- Click the About link. The product version displays.
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council's effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score between 0 and 10 that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, visit the CVSS website at: http://www.first.org/cvss/.
When calculating CVSS scores, we've adopted a philosophy that fosters consistency and repeatability. Our guiding principle for CVSS scoring is to score the exploit under consideration by itself. We consider only the immediate and direct impact of the exploit under consideration. We do not factor into a score any potential follow-on exploits that might be made possible by the successful exploitation of the issue being scored.
What are the CVSS scoring metrics?
- CVE-2019-3643: MWG scanners updated to address CVE-2019-9511
Base Score 5.3 Attack Vector (AV) Network (N) Attack Complexity (AC) Low (L) Privileges Required (PR) None (N) User Interaction (UI) None (N) Scope (S) Unchanged (U) Confidentiality (C) None (N) Integrity (I) None (N) Availability (A) Low (L) Temporal Score (Overall) 4.9 Exploitability (E) Functional (F) Remediation Level (RL) Official Fix (O) Report Confidence (RC) Confirmed (C)
NOTE: The below CVSS version 3.0 vector was used to generate this score.
https://nvd.nist.gov/cvss/v3-calculator?vector=CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:F/RL:O/RC:C
- CVE-2019-3644: MWG scanners updated to address CVE-2019-9517
Base Score 7.5 Attack Vector (AV) Network (N) Attack Complexity (AC) Low (L) Privileges Required (PR) None (N) User Interaction (UI) None (N) Scope (S) Unchanged (U) Confidentiality (C) None (N) Integrity (I) None (N) Availability (A) High (H) Temporal Score (Overall) 7.0 Exploitability (E) Functional (F) Remediation Level (RL) Official Fix (O) Report Confidence (RC) Confirmed (C)
NOTE: The below CVSS version 3.0 vector was used to generate this score.
https://nvd.nist.gov/cvss/v3-calculator?vector=CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C
所有安全/Security 公告都发布在我们的 知识中心上。如果产品已停止销售和终止支持(停产),则会停用(删除)安全/Security 公告。
如何向您报告产品漏洞?
如果您有关于某个产品的安全问题或漏洞的信息,请按照 KB95563 中提供的说明进行操作 -报告漏洞。
您如何应对此问题以及报告的任何其他安全漏洞?
我们的主要优先级是我们客户的安全。如果在任何软件或服务中发现漏洞,我们会与相关的安全软件开发团队密切合作,以确保快速有效地开发修复和通信计划。
仅当公告中包含一些可操作的(例如解决方法、缓解、版本更新或修补程序)时,我们才会发布安全/Security 公告。否则,我们只是通知黑客社区我们的产品是一个目标,让客户面临更大的风险。对于自动更新的产品,可能会发布无法操作的安全/Security 公告,以确认 discoverer。
要查看我们的 PSIRT 策略,请参阅 KB95564-关于 PSIRT。
Resources
要联系技术支持, 请转至 "创建服务请求" 页面 ,然后登录到 ServicePortal。
- 如果您是注册用户,请键入您的用户 ID 和密码,然后单击 " 登录"。
- 如果您不是注册用户,请单击 " 注册 " 并填写相应的字段,以通过电子邮件将您的密码和说明发送给您。
Disclaimer
本安全/Security 公告中提供的信息按原样提供,不作任何形式的担保。我们不提供任何明示或暗示的保证,包括针对特定用途的适销性和适用性的担保。在任何情况下,我们或我们的供应商对任何损害(包括直接、间接、偶然、后果性、业务利润损失或特殊损害)都不承担任何责任,即使我们或我们的供应商已被告知有此类损害的可能性。某些省/市/自治区不允许排除或限制对后果性或偶然损害的责任,因此上述限制可能不适用。
本安全/Security 公告中提及的任何未来产品发布日期都旨在概述我们的一般产品方向,不应依赖于做出购买决定。产品发行日期仅供参考,不得纳入任何合同。产品的发行日期不是提供任何材料、代码或功能的承诺、承诺或法律义务。我们产品中所述的任何功能或功能的开发、发布和执行时间均由我们自行决定,并可随时更改或取消。