<<USE COURIER REGULAR 10 FONT IF YOU WOULD LIKE TO PRINT THIS DOCUMENT>>

  Trend Micro Incorporated                                 June 21, 2017

  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            Trend Micro(TM) ServerProtect(TM) for Linux(TM) 3.0
                        Critical Patch - Build 1536
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     
     Contents
     ==========================================================

     1.  Overview of This Critical Patch Release

         1.1 Issues

         1.2 Files Included in This Release

     2.  Documentation Set

     3.  System Requirements

     4.  Installation

         4.1 Installing

         4.2 Uninstalling

     5.  Post-Installation Configuration

     6.  Known Issues

     7.  Release History

     8.  Contact Information

     9.  About Trend Micro

     10. License Agreement

     ==========================================================


  1. Overview of This Critical Patch Release
  ======================================================================
     This critical patch resolves several vulnerabilities and updates 
     the Apache(TM) server and its OpenSSL module in ServerProtect for 
     Linux 3.0.

     NOTE: Please install this critical patch before completing any 
           procedure in this section (see "Installation").


     1.1 Issues
     ===================================================================
     This critical patch resolves the following issues and includes the 
     following enhancement:

     Issue 1:     The "log_management.cgi" file in ServerProtect for 
                  Linux 3.0 is affected by a Cross-site Scripting (XSS)
                  vulnerability.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 1:  This critical patch resolves this XSS vulnerability by 
                  adding a checking mechanism to ensure that the data 
                  for the HTTP GET/POST method is in the correct format.
     -------------------------------------------------------------------
     Issue 2:     The "notification.cgi" file in ServerProtect for Linux 
                  3.0 is affected by an XSS vulnerability.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 2:  This critical patch resolves this XSS vulnerability by 
                  adding a checking mechanism to ensure that the data 
                  for the HTTP GET/POST method is in the correct format.
     -------------------------------------------------------------------
     Issue 3:     Communication to the Active Update (AU) server is 
                  unencrypted by default.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 3:  This critical patch resolves this vulnerability by 
                  enabling the AU server to encrypt the communication 
                  using HTTPS.
     -------------------------------------------------------------------
     Issue 4:     Packages downloaded from the AU server are not signed 
                  or validated by default.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 4:  This critical patch resolves this vulnerability by
                  enabling the Digital Signature Check and Server 
                  Certificate Verification functions by default when 
                  downloading components from the AU server. 
     -------------------------------------------------------------------
     Issue 5:     Users can set or add any path for the quarantine 
                  directory. 
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 5:  This critical patch resolves this vulnerability by
                  restricting the quarantine directory path to specific 
                  paths only. 
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Procedure 5: To set or add the "/tmp" folder for the quarantine 
                  directory:

                  a. Install this critical patch (see "Installation").

                  b. Open the "tmsplx.xml" file under the 
                     "/opt/TrendMicro/SProtectLinux" folder using a text 
                     editor.

                  c. In the "Scan" group of "tmsplx.xml", locate the 
                     "MoveToWhiteList" string. The default string is as 
                     follows:

                     <P Name="MoveToWhiteList" Value=
                     "/opt/TrendMicro/SProtectLinux/SPLX.Quarantine"/>

                  d. Append ":/tmp" to the value:

                     <P Name="MoveToWhiteList" Value=
                     "/opt/TrendMicro/SProtectLinux/SPLX.Quarantine:/tmp"/>

                     NOTE: Removing ":/tmp" removes the restriction.

                  e. Save the changes and close the file.
     -------------------------------------------------------------------
     Issue 6:     Users can set or add any path for the backup 
                  directory. 
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 6:  This critical patch resolves this vulnerability by
                  restricting the backup directory path to specific 
                  paths only. 
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
     Procedure 6: To set or add the "/tmp" folder for the backup
                  directory:
    
                  a. Install this critical patch (see "Installation").

                  b. Open the "tmsplx.xml" file under the 
                     "/opt/TrendMicro/SProtectLinux" folder using a text 
                     editor.

                  c. In the "Scan" group of "tmsplx.xml", locate the 
                     "SaveToWhiteList" string. The default string is as 
                     follows:

                     <P Name="SaveToWhiteList" Value=
                     "/opt/TrendMicro/SProtectLinux/SPLX.Backup"/>

                  d. Append ":/tmp" to the value:

                     <P Name="SaveToWhiteList" Value=
                     "/opt/TrendMicro/SProtectLinux/SPLX.Backup:/tmp"/>

                     NOTE: Removing ":/tmp" removes the restriction.

                  e. Save the changes and close the file. 
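
     The following is an added example, not part of the Trend Micro 
     readme or product: an audit of the "MoveToWhiteList" and 
     "SaveToWhiteList" values from Procedures 5 and 6 that lists every 
     path beyond the shipped default. The wrapper elements in the sample 
     are constructed placeholders; only the two <P> elements follow the 
     readme.

```python
import xml.etree.ElementTree as ET

# Defaults quoted in the readme for each whitelist parameter.
DEFAULTS = {
    "MoveToWhiteList": "/opt/TrendMicro/SProtectLinux/SPLX.Quarantine",
    "SaveToWhiteList": "/opt/TrendMicro/SProtectLinux/SPLX.Backup",
}

# Constructed sample: only the two <P> elements come from the readme;
# the wrapper element names are placeholders, not the real file layout.
SAMPLE = """<Config>
  <Group Name="Scan">
    <P Name="MoveToWhiteList" Value="/opt/TrendMicro/SProtectLinux/SPLX.Quarantine:/tmp"/>
    <P Name="SaveToWhiteList" Value="/opt/TrendMicro/SProtectLinux/SPLX.Backup"/>
  </Group>
</Config>"""


def audit_whitelists(xml_text):
    """Map each whitelist parameter to its non-default paths (None if absent)."""
    root = ET.fromstring(xml_text)
    found = {name: None for name in DEFAULTS}
    for elem in root.iter("P"):
        name = elem.get("Name")
        if name not in DEFAULTS:
            continue
        # The value is a colon-separated list; drop empty items left by
        # stray or trailing colons.
        paths = [p.strip() for p in elem.get("Value", "").split(":") if p.strip()]
        found[name] = [p for p in paths if p != DEFAULTS[name]]
    return found


def report(xml_text):
    """Return one human-readable finding per whitelist parameter."""
    lines = []
    for name, extra in audit_whitelists(xml_text).items():
        if extra is None:
            lines.append(f"{name}: not present")
        elif extra:
            lines.append(f"{name}: non-default paths {extra}")
        else:
            lines.append(f"{name}: default only")
    return lines


if __name__ == "__main__":
    # To audit a host, read /opt/TrendMicro/SProtectLinux/tmsplx.xml instead.
    print("\n".join(report(SAMPLE)))
```

     World-writable locations such as "/tmp" that appear in the output 
     are the entries to review first.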
     -------------------------------------------------------------------
     Issue 7:     The ServerProtect for Linux 3.0 web console is 
                  affected by a CSRF vulnerability.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 7:  This critical patch resolves the CSRF vulnerability by 
                  adding a secure random token for the web console.
     -------------------------------------------------------------------
     Issue 8:     Some feedback data are generated in duplicate.
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 8:  This critical patch removes the duplicate feedback 
                  data. 
     ------------------------------------------------------------------- 
     Enhancement: This critical patch updates the Apache server to 
                  version 2.4.25 and its OpenSSL module to version 
                  1.0.2k.


     1.2 Files Included in This Release
     ===================================================================
     A. Files for Current Issue
     -------------------------------------------------------------------
        Filename                                Build Number
     -------------------------------------------------------------------
        install.sh                              n/a 
        rollback.sh                             n/a 
        Patch.ini                               n/a 
        log_management.cgi                      3.0.1536
        proption.cgi                            3.0.1536
        scanoption_set.cgi                      3.0.1536
        showpage.cgi                            3.0.1536
        tmcm_sso.cgi                            3.0.1536
        cmoption.cgi                            3.0.1536
        login_and_register.cgi                  3.0.1536
        scanoption.cgi                          3.0.1536
        srv_admin.cgi                           3.0.1536
        viewlog.cgi                             3.0.1536
        notification.cgi                        3.0.1536
        summary.cgi                             3.0.1536
        CMconfig                                3.0.1536
        DiagnosticTool                          3.0.1536
        xmlvalidator                            3.0.1536
        entity                                  3.0.1536
        vsapiapp                                3.0.1536
        splxmain                                3.0.1536
        splxhttpd                               3.0.1536
        splxhttpd.conf                          3.0.1536
        Specifying_the_Download_Source.htm      3.0.1536
        summary.htm                             3.0.1536
        backup_directory.htm                    3.0.1536
        cmsettings_no_reg.htm                   3.0.1536
        cmsettings_reged.htm                    3.0.1536
        password.htm                            3.0.1536
        pr_activate.htm                         3.0.1536
        pr_activate_rej.htm                     3.0.1536
        pr_licenseinfo_full_ac_end.htm          3.0.1536
        pr_licenseinfo_full_ac.htm              3.0.1536
        pr_licenseinfo_full_ac_progress.htm     3.0.1536
        pr_licenseinfo_no_ac.htm                3.0.1536
        proxy_settings.htm                      3.0.1536
        proxy_settings_update.htm               3.0.1536
        quarantine_directory.htm                3.0.1536
        registration.htm                        3.0.1536
        exclusion_manual.htm                    3.0.1536
        exclusion_manual_response.htm           3.0.1536
        exclusion_real.htm                      3.0.1536
        exclusion_real_response.htm             3.0.1536
        exclusion_scheduled.htm                 3.0.1536
        exclusion_scheduled_response.htm        3.0.1536
        script_splx.js                          3.0.1536
        log_directory.htm                       3.0.1536
        logs_on_disk.htm                        3.0.1536
        purge_now.htm                           3.0.1536
        scan_logs.htm                           3.0.1536
        spyware_logs.htm                        3.0.1536
        system_logs.htm                         3.0.1536
        virus_logs.htm                          3.0.1536
        Alerts.htm                              3.0.1536
        Recipients.htm                          3.0.1536
        Manual.htm                              3.0.1536
        Real-time.htm                           3.0.1536
        scan_progress0.htm                      3.0.1536
        scan_progress.htm                       3.0.1536
        Scheduled.htm                           3.0.1536
        Update_Manual.htm                       3.0.1536
        Update_Scheduled.htm                    3.0.1536
  
     B. Files for Previous Issues
     -------------------------------------------------------------------
        Not applicable.


  2. Documentation Set
  ======================================================================
     To download or view electronic versions of the documentation set 
     for this product, go to http://docs.trendmicro.com

     In addition to this Readme file, the documentation set for this 
     product includes the following:

     - Online Help: The Online Help contains an overview of features
       and key concepts, and information on configuring and
       maintaining ServerProtect.
     
       To access the Online Help, go to http://docs.trendmicro.com

     - Installation Guide (IG): The Installation Guide contains
       information on requirements and procedures for installing and
       deploying ServerProtect. 
     
     - Administrator's Guide (AG): The Administrator's Guide contains
       an overview of features and key concepts, and information on
       configuring and maintaining ServerProtect.

     - Getting Started Guide (GSG): The Getting Started Guide
       contains product overview, installation planning, installation
       and configuration instructions, and basic information intended
       to get ServerProtect "up and running". 

     - Support Portal: The Support Portal contains information on
       troubleshooting and resolving known issues.

       To access the Support Portal, go to 
       http://esupport.trendmicro.com


  3. System Requirements
  ======================================================================
     Install this critical patch only on computers protected by 
     ServerProtect for Linux 3.0 Patch 7 for Service Pack 1.


  4. Installation
  ======================================================================
     This section explains key steps for installing the critical patch.


     4.1 Installing
     ===================================================================
     To install:
 
     1. Log on as a root user.
   
     2. Upload and copy the critical patch file to a working directory, 
        for example, "/home/workdir".

     3. Run the following command to extract the critical patch files 
        from the "tar.gz" file.

        # tar zxvf splx_30_lx_en_criticalpatch1536.tar.gz

     4. Go to the critical patch directory. Run the following command:   

        # ./install.sh
  
        The original files are backed up in the following folder:
        /opt/TrendMicro/SProtectLinux/backup/cp1536


     4.2 Uninstalling
     ===================================================================
     To roll back to the previous build:
   
     1. Log on as a root user.

     2. Go to the critical patch directory. Run the following command:
   
        # ./rollback.sh

        All current files are replaced with the backup files generated
        during installation. 

     3. Clear the cookies from the web browser.

     NOTE: You can roll back ServerProtect only to the last build; 
           rolling back to any older build is NOT supported.

 
  5. Post-Installation Configuration
  ======================================================================
     No post-installation steps are required.

     NOTE: Trend Micro recommends that you update your scan engine and  
           virus pattern files immediately after installing the product.


  6. Known Issues
  ======================================================================
     There are no known issues for this critical patch release.


  7. Release History
  ======================================================================
     For more information about updates to this product, go to:
  
     http://www.trendmicro.com/download


  8. Contact Information  
  ======================================================================
     A license to Trend Micro software usually includes the right to
     product updates, pattern file updates, and basic technical support
     for one (1) year from the date of purchase only. After the first
     year, you must renew Maintenance on an annual basis at 
     Trend Micro's then-current Maintenance fees.

     Contact Trend Micro via fax, phone, and email, or visit our website
     to download evaluation copies of Trend Micro products.

     http://www.trendmicro.com/us/about-us/contact/index.html

     NOTE: This information is subject to change without notice.
         

  9. About Trend Micro  
  ======================================================================
     Smart, simple, security that fits

     As a global leader in IT security, Trend Micro develops innovative
     security solutions that make the world safe for businesses and
     consumers to exchange digital information.

     Copyright 2017, Trend Micro Incorporated. All rights reserved.

     Trend Micro, ServerProtect, and the t-ball logo are trademarks of 
     Trend Micro Incorporated and are registered in some jurisdictions. 
     All other marks are the trademarks or registered trademarks of 
     their respective companies.


  10. License Agreement  
  ======================================================================
     View information about your license agreement with Trend Micro at: 
    
     http://www.trendmicro.com/us/about-us/legal-policies/license-agreements

     Third-party licensing agreements can be viewed:

     - By selecting the "About" option in the application user interface

     - By referring to the "Legal" page of the Administrator's Guide