製品・ソフトウェアに関する情報

JVN脆弱性詳細

McAfee ePolicy Orchestrator が SSL/TLS 証明書を適切に検証しない脆弱性

Title	McAfee ePolicy Orchestrator が SSL/TLS 証明書を適切に検証しない脆弱性
Summary	McAfee ePolicy Orchestrator には、SSL/TLS 証明書を適切に検証しない脆弱性が存在します。証明書の不適切な検証 (CWE-295) - CVE-2015-2859 McAfee ePolicy Orchestrator (ePO) は、データの収集、集約など様々な目的のために外部サーバと連携する機能をサポートしており、外部サーバとの通信を SSL/TLS を使って暗号化するよう指定することが可能です。ePO は、認証局 (CA)、および証明書のコモンネーム (CN) やドメインネーム (DN) の検証処理に不備があります。結果として、これらの通信は中間者攻撃やスプーフィング攻撃に対して脆弱になります。 CWE-295: Improper Certificate Validation http://cwe.mitre.org/data/definitions/295.html
Possible impacts	攻撃者によって、当該製品と外部サーバ間の HTTPS 通信の内容を閲覧されたり改ざんされたりする可能性があります。
Solution	[アップデートする] 本脆弱性はバージョン 4.6.9 および 5.1.2 で修正されています。開発者が提供する情報をもとに、最新版へアップデートしてください。
Publication Date	June 4, 2015, midnight
Registration Date	June 8, 2015, 1:53 p.m.
Last Update	June 25, 2015, 5:24 p.m.

Affected System

マカフィー

McAfee ePolicy Orchestrator 4.6.8 およびそれ以前

McAfee ePolicy Orchestrator 5.1.1 およびそれ以前

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2015-2859	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2859
National Vulnerability Database (NVD)
2	CVE-2015-2859	https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2859

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-310	https://jvndb.jvn.jp/ja/cwe/CWE-310.html
2	CWE-Other	https://www.ipa.go.jp/security/vuln/CWE.html#CWEOther

ベンダー情報

No	Name	URL
McAfee
1	McAfee ePolicy Orchestrator 4.6.9 Software (PDF)	https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25856/en_US/EPO_4_6_9_release_notes.pdf
McAfee Security Bulletin
2	KB84628	https://kc.mcafee.com/corporate/index?page=content&id=KB84628
3	SB10120	https://kc.mcafee.com/corporate/index?page=content&id=SB10120

その他

Change Log

No	Changed Details	Date of change
0	[2015年06月08日] 掲載 [2015年06月25日] CVSS による深刻度：内容を更新 CWE による脆弱性タイプ一覧：CWE-ID を追加ベンダ情報：マカフィー (KB84628) を追加ベンダ情報：マカフィー (SB10120) を追加参考情報：National Vulnerability Database (NVD) (CVE-2015-2859) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2015-2859

Summary	Intel McAfee ePolicy Orchestrator (ePO) 4.x through 4.6.9 and 5.x through 5.1.2 does not validate server names and Certification Authority names in X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
Publication Date	June 24, 2015, 6:59 a.m.
Registration Date	Jan. 26, 2021, 2:48 p.m.
Last Update	Nov. 21, 2024, 11:28 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.0:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:4.5.4:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:4.5.7:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.5:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:5.0.0:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:5.1.0:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:5.1.1:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.7:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:4.5.0:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:4.0:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:4.5.5:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.3:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:5.0.1:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.8:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.2:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.9:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.4:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.6:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:5.1.2:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:4.5.3:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:4.5.6:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.1:::::::*

Related information, measures and tools

No	URL	タグ
1	http://www.kb.cert.org/vuls/id/264092	Third Party Advisory US Government Resource
2	http://www.kb.cert.org/vuls/id/264092	Third Party Advisory US Government Resource
3	http://www.securityfocus.com/bid/75020
4	http://www.securityfocus.com/bid/75020
5	http://www.securitytracker.com/id/1032571
6	http://www.securitytracker.com/id/1032571
7	https://kc.mcafee.com/corporate/index?page=content&id=KB84628	Patch Vendor Advisory
8	https://kc.mcafee.com/corporate/index?page=content&id=KB84628	Patch Vendor Advisory
9	https://kc.mcafee.com/corporate/index?page=content&id=SB10120	Patch Vendor Advisory
10	https://kc.mcafee.com/corporate/index?page=content&id=SB10120	Patch Vendor Advisory

Common Vulnerabilities List

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.0:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:4.5.4:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:4.5.7:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.5:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:5.0.0:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:5.1.0:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:5.1.1:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.7:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:4.5.0:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:4.0:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:4.5.5:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.3:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:5.0.1:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.8:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.2:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.9:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.4:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.6:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:5.1.2:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:4.5.3:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:4.5.6:::::::*
cpe:2.3:a:mcafee:epolicy_orchestrator:4.6.1:::::::*