Trend Micro Incorporated                                  May 12, 2016
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Trend Micro(TM) InterScan(TM) Web Security Virtual Appliance 6.5
Service Pack 2 Critical Patch - Build 1620
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTICE: Trend Micro developed this Critical Patch as a workaround or
solution to a problem reported by customers. As such, this Critical
Patch has received limited testing and has not been certified as an
official product update. Consequently, THIS Critical Patch IS PROVIDED
"AS IS". TREND MICRO MAKES NO WARRANTY OR PROMISE ABOUT THE OPERATION
OR PERFORMANCE OF THIS Critical Patch NOR DOES TREND MICRO WARRANT THIS
Critical Patch AS ERROR FREE. TO THE FULLEST EXTENT PERMITTED BY LAW,
TREND MICRO DISCLAIMS ALL IMPLIED AND STATUTORY WARRANTIES, INCLUDING
BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY,
NONINFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE.

Contents
===================================================================
1.  Critical Patch Release Information
    1.1 Resolved Known Issues
    1.2 Enhancements
    1.3 Files Included in this Release
2.  Documentation Set
3.  System Requirements
4.  Installation
    4.1 Installing
    4.2 Uninstalling
5.  Post-installation Configuration
6.  Known Issues
7.  Release History
    7.1 Prior Critical Patches
8.  Contact Information
9.  About Trend Micro
10. License Agreement
===================================================================

1. Critical Patch Release Information
======================================================================
Installing this Critical Patch enables InterScan Web Security Virtual
Appliance (IWSVA) 6.5 to enclose input parameters with double quotation
marks and to ignore special characters in these parameters to protect
computers against remote code execution attacks.

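The following is an added illustration of the mitigation described above, not code from Trend Micro or from IWSVA. It shows why a parameter that reaches a shell needs both steps: double quotation marks alone still let the shell expand substitutions, so the special characters have to be dropped as well. The function names, the SHELL_SPECIAL character set and the sample value are assumptions made for this example; the readme does not list which characters the patch ignores.

```python
import subprocess
import sys

# Characters a POSIX shell still interprets inside double quotes (" ` $ \),
# plus separators and globbing characters that matter if quoting is ever lost.
# Assumed set for this example only.
SHELL_SPECIAL = set('"`$\\;&|<>(){}*?[]~#!\'\n\r')

def quote_only(value):
    """Enclose in double quotes without filtering (insufficient on its own)."""
    return '"' + value + '"'

def quote_and_filter(value):
    """Drop special characters, then enclose in double quotes."""
    return '"' + "".join(c for c in value if c not in SHELL_SPECIAL) + '"'

def via_shell(quoted_param):
    """Run `printf '%s' <param>` through /bin/sh; return what printf received."""
    result = subprocess.run("printf '%s' " + quoted_param, shell=True,
                            capture_output=True, text=True, check=True)
    return result.stdout

def without_shell(value):
    """Pass the raw value as one argv element; no shell ever parses it."""
    echo_arg = "import sys; sys.stdout.write(sys.argv[1])"
    result = subprocess.run([sys.executable, "-c", echo_arg, value],
                            capture_output=True, text=True, check=True)
    return result.stdout

# Constructed input: a host name field carrying a harmless command substitution.
SAMPLE = "proxy01$(echo INJECTED)"

if __name__ == "__main__":
    print(via_shell(quote_only(SAMPLE)))        # substitution ran inside the quotes
    print(via_shell(quote_and_filter(SAMPLE)))  # inert text reaches the tool
    print(without_shell(SAMPLE))                # raw value, never parsed by a shell
```

Where the calling code can be changed, the last form (an argument vector with no shell) removes the need for a character filter entirely.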
   1.1 Resolved Known Issues
   ===================================================================
   This Critical Patch resolves the following issue:

   Issue 1:    [Critical Patch 1620] (TT-338692, TT-338693, TT-338695,
               and TT-340002) Several APIs which are used by IWSVA
               could allow remote code execution.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 1: This Critical Patch resolves the issue.

   1.2 Enhancements
   ===================================================================
   There are no enhancements in this Critical Patch.

   1.3 Files Included in this Release
   ===================================================================
   A. Files for Current Issues
   -------------------------------------------------------------------
   Filename                                  Build No.
   -------------------------------------------------------------------
   libdaemon.so                              1620
   svcmonitor                                1620
   isdelvd                                   1620

   Files for Issue
   -------------------------------------------------------------------
   Filename                                  Build No.
   -------------------------------------------------------------------
   IWSSGui.jar                               1620

   B. Files for Previous Solutions
   -------------------------------------------------------------------
   S99ISappd                                 1609
   http_config_user_idetification.jsp        1612
   LDAP_query_handler.py                     1612
   libuiauutil.so                            1612
   IWSSGui.jar                               1612
   email_sender.py                           1613
   email_sender.py                           1616
   FtpDownload.sh                            1616
   libhttpproxy.so                           1617
   libtmprotocols.so.2003317                 1618
   libicap.so                                1619

2. Documentation Set
======================================================================
To download or view electronic versions of the documentation set for
this product, go to http://docs.trendmicro.com.

3. System Requirements
======================================================================
Trend Micro recommends installing IWSVA 6.5 Service Pack 2 cpb1608
before installing this Critical Patch.

4. Installation
======================================================================
This section explains key steps for installing the Critical Patch.

   4.1 Installing
   ===================================================================
   To install:

   1. Download the "iwsva_65_sp2_ar64_en_cpb1620.tgz" Critical Patch
      file to your local hard disk.
   2. Log on to the IWSVA admin console GUI.
   3. Go to the "Administration > System Updates" page.
   4. Click "Browse".
   5. Browse your local hard disk for the
      "iwsva_65_sp2_ar64_en_cpb1620.tgz" Critical Patch file and click
      "Open".
   6. Click "Upload". Your browser uploads the Critical Patch file to
      IWSVA, which validates that the file is a legitimate Critical
      Patch.
   7. Click "Install" to apply the Critical Patch and update IWSVA to
      build 1620. The HTTP and FTP services in IWSVA restart
      automatically.

      NOTE: Applying this Critical Patch interrupts the HTTP and FTP
            services for several minutes. Plan appropriately for this
            downtime.

   8. Clear the browser cache.

   4.2 Uninstalling
   ===================================================================
   To roll back to the previous build:

   1. Log on to the IWSVA admin console GUI.
   2. Go to the "Administration > System Updates" page.
   3. Click "Uninstall" next to "cpb1620" and verify the Critical Patch
      ID and description in the confirmation page that appears.
   4. Click "Uninstall" to remove the Critical Patch and roll back
      IWSVA to the previous build. The HTTP and FTP services in IWSVA
      restart automatically.

      NOTE: Removing this Critical Patch interrupts the HTTP and FTP
            services for several minutes. Plan appropriately for this
            downtime.

5. Post-installation Configuration
======================================================================
No post-installation steps are required.

Note: Trend Micro recommends that you update your scan engine and
      virus pattern files immediately after installing the product.

6. Known Issues
======================================================================
There are no known issues for this Critical Patch release.

7. Release History
======================================================================
For more information about updates to this product, go to:

http://www.trendmicro.com/download

   7.1 Prior Hotfixes
   ===================================================================
   NOTE: Only this Critical Patch was tested for this release. Prior
         hotfixes were tested at the time of their release.

   Hotfix 1609

   Issue:      [Hotfix 1609] (TT-332780) A race issue between the appd
               daemon and kernel prevents clients from connecting to
               the Internet in proxy mode.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution:   This Critical Patch enables users to allow only the
               HTTP scanning daemon to handle application control.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Procedure:  To allow only the HTTP scanning daemon to handle
               application traffic:

               a. Open the "intscan.ini" file in the "/etc/iscan/"
                  folder.
               b. Locate or add the "enable_appd_daemon" key in the
                  "app-control" section and set its value to "no".

                  [app-control]
                  enable_appd_daemon=no

               c. Save the changes and close the file.
               d. Restart the appd daemon by running the following
                  command:

                  /usr/iwss/S99ISappd restart

   Hotfix 1612

   Issue 1:    [Hotfix 1612] (TT-337279) Under certain conditions,
               when users add a period "." to an organizational unit
               (OU) in the "Base distinguished name" Active Directory
               (AD) setting and save the configuration, a "DC=" string
               is inserted instead.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 1: This Hotfix ensures that the correct setting is saved
               in the "http_config_user_idetification.jsp" file.

   Issue 2:    [Hotfix 1612] (TT-337061) An issue related to how IWSVA
               receives HTTP data triggers a high CPU usage issue.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 2: This Hotfix resolves these issues.

   Issue 3:    [Hotfix 1612] (TT-338606) When IWSVA generates reports
               based on an LDAP group that starts with the "&" token,
               the reports do not display any information.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 3: This Hotfix ensures that these reports display complete
               and accurate information.

   Hotfix 1613

   Issue:      [Hotfix 1613] (TT-339400) Users receive blank pattern
               update notifications from IWSVA.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution:   This Hotfix ensures that pattern update notifications
               from IWSVA contain complete and accurate information.

   Hotfix 1616

   Issue 1:    [Hotfix 1616] (TT-341216) Email notifications from
               IWSVA 6.5 Service Pack 2 cannot be displayed correctly
               because IWSVA cannot recognize and parse the "\n"
               characters.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 1: This Hotfix ensures that IWSVA can correctly recognize
               and handle "\n" as line breaks.

   Issue 2:    [Hotfix 1616] (TT-335781) A line in the Diagnostic Tool
               script file causes the FTP download testing to fail.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 2: This Hotfix resolves the issue to ensure that the
               Diagnostic Tool can perform FTP download testing
               correctly.

   Hotfix 1617

   Issue 1:    [Hotfix 1617] (TT-338216) Users may not be able to
               access certain HTTPS websites through IWSVA when the
               HTTPS decryption feature is enabled.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 1: This hotfix ensures that users can access HTTPS
               websites normally when HTTPS decryption is enabled.

   Issue 2:    [Hotfix 1617] (TT-339799) When users download a file to
               the computer and the "Scan before delivery" option is
               enabled, the download process stops unexpectedly and
               the file will not be saved.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution 2: This hotfix updates the way IWSVA 6.5 Service Pack 2
               determines if a download has completed when the "Scan
               before delivery" option is enabled. This helps ensure
               that users can download files normally under this
               scenario.

   Hotfix 1618

   Issue:      [Hotfix 1618] (TT-343197) ixEngine is unable to
               identify the upload protocol from "Google Drive" and
               "DropBox", which prevents IWSVA from blocking the
               programs using Application Control.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution:   This hotfix ensures that the ixEngine includes the new
               protocols that block specific programs.

   Hotfix 1619

   Issue:      [Hotfix 1619] (TT-343676) The "X-Infection-Found:"
               header in ICAP responses is followed by two space
               characters.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Solution:   This hotfix removes the extra space character so that
               the "X-Infection-Found:" header in ICAP responses is
               followed by a single space character.

8. Contact Information
======================================================================
A license to Trend Micro software usually includes the right to
product updates, pattern file updates, and basic technical support for
one (1) year from the date of purchase only. After the first year, you
must renew Maintenance on an annual basis at Trend Micro's
then-current Maintenance fees.

Contact Trend Micro via fax, phone, and email, or visit our website to
download evaluation copies of Trend Micro products.

http://www.trendmicro.com/us/about-us/contact/index.html

NOTE: This information is subject to change without notice.

9. About Trend Micro
======================================================================
Smart, simple, security that fits

As a global leader in IT security, Trend Micro develops innovative
security solutions that make the world safe for businesses and
consumers to exchange digital information.

Copyright 2016, Trend Micro Incorporated. All rights reserved.
Trend Micro, InterScan, and the t-ball logo are trademarks of Trend
Micro Incorporated and are registered in some jurisdictions. All other
marks are the trademarks or registered trademarks of their respective
companies.

10. License Agreement
======================================================================
View information about your license agreement with Trend Micro at:

http://www.trendmicro.com/us/about-us/legal-policies/license-agreements/

Third-party licensing agreements can be viewed:

- By selecting the "About" option in the application user interface
- By referring to the "Legal" page of the Administrator's Guide