<> Trend Micro Incorporated April 14, 2017 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Trend Micro(TM) ServerProtect(TM) for Linux(TM) 3.0 Critical Patch - Build 1519 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Contents ========================================================== 1. Overview of This Critical Patch Release 1.1 Issues 1.2 Files Included in This Release 2. Documentation Set 3. System Requirements 4. Installation 4.1 Installing 4.2 Uninstalling 5. Post-installation Configuration 6. Known Issues 7. Release History 8. Contact Information 9. About Trend Micro 10. License Agreement ========================================================== 1. Overview of This Critical Patch Release ====================================================================== This critical patch resolves several vulnerabilities in ServerProtect for Linux 3.0. 1.1 Issues =================================================================== This critical patch resolves the following issues: Issue 1: The "log_management.cgi" file in ServerProtect for Linux 3.0 is affected by a Cross-site Scripting (XSS) vulnerability. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 1: This critical patch resolves this XSS vulnerability by adding a checking mechanism to ensure that the data for the HTTP GET/POST method is in the correct format. Issue 2: The "notification.cgi" file in ServerProtect for Linux 3.0 is affected by an XSS vulnerability. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 2: This critical patch resolves this XSS vulnerability by adding a checking mechanism to ensure that the data for the HTTP GET/POST method is in the correct format. Issue 3: Communication to the Active Update (AU) server is unencrypted by default. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 3: This critical patch resolves this vulnerability by enabling the AU server to encrypt the communication using HTTPS. Issue 4: Packages downloaded from the AU server are not signed or validated by default. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 4: This critical patch resolves this vulnerability by allowing ServerProtect to enable the Digital Signature Check and Server Certificate Verification functions by default when downloading components from the AU server. Issue 5: Users can set or add any path for the quarantine directory. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 5: This critical patch resolves this vulnerability by restricting the quarantine directory path to specific paths only. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Procedure 5: To set or add the "/tmp" folder for the quarantine directory: a. Open the "tmsplx.xml" file under the "/opt/TrendMicro/SProtectLinux" folder using a text editor. b. In the "Scan" group of "tmsplx.xml", locate the "MoveToWhiteList" string, the default string is as follows:

c. Append ":/tmp" to the value:

NOTE: Removing ":/tmp" removes the restriction. d. Save the changes and close the file. Issue 6: Users can set or add any path for the backup directory. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 6: This critical patch resolves this vulnerability by restricting the backup directory path to specific paths only. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Procedure 6: To set or add the "/tmp" folder for the backup directory: a. Open the "tmsplx.xml" file under the "/opt/TrendMicro/SProtectLinux" folder using a text editor. b. In the "Scan" group of "tmsplx.xml", locate the "SaveToWhiteList" string, the default string is as follows:

c. Append ":/tmp" to the value:

NOTE: Removing ":/tmp" removes the restriction. d. Save the changes and close the file. 1.2 Files Included in This Release =================================================================== A. Files for Current Issue ------------------------------------------------------------------- Filename Build Number ------------------------------------------------------------------- install.sh n/a rollback.sh n/a Patch.ini n/a CMconfig 3.0.1519 cmoption.cgi 3.0.1519 DiagnosticTool 3.0.1519 entity 3.0.1519 login_and_register.cgi 3.0.1519 log_management.cgi 3.0.1519 notification.cgi 3.0.1519 proption.cgi 3.0.1519 scanoption.cgi 3.0.1519 scanoption_set.cgi 3.0.1519 showpage.cgi 3.0.1519 Specifying_the_Download_Source.htm 3.0.1519 splxmain 3.0.1519 srv_admin.cgi 3.0.1519 summary.cgi 3.0.1519 tmcm_sso.cgi 3.0.1519 viewlog.cgi 3.0.1519 vsapiapp 3.0.1519 xmlvalidator 3.0.1519 B. Files for Previous Issues ------------------------------------------------------------------- Not applicable. 2. Documentation Set ====================================================================== To download or view electronic versions of the documentation set for this product, go to http://docs.trendmicro.com In addition to this Readme file, the documentation set for this product includes the following: - Online Help: The Online Help contains an overview of features and key concepts, and information on configuring and maintaining ServerProtect. To access the Online Help, go to http://docs.trendmicro.com - Installation Guide (IG): The Installation Guide contains information on requirements and procedures for installing and deploying ServerProtect. - Administrator's Guide (AG): The Administrator's Guide contains an overview of features and key concepts, and information on configuring and maintaining ServerProtect. - Getting Started Guide (GSG): The Getting Started Guide contains product overview, installation planning, installation and configuration instructions, and basic information intended to get ServerProtect "up and running". - Support Portal: The Support Portal contains information on troubleshooting and resolving known issues. To access the Support Portal, go to http://esupport.trendmicro.com 3. System Requirements ====================================================================== Install this critical patch only on computers protected by ServerProtect for Linux 3.0 Patch 7 for Service Pack 1. 4. Installation ====================================================================== This section explains key steps for installing the critical patch. 4.1 Installing =================================================================== To install: 1. Log on as a root user. 2. Upload and copy the critical file to a working directory. For example, "/home/workdir." 3. Run the following command to extract the critical patch files from the "tar.gz" file. # tar zxvf splx_30_lx_en_criticalpatch1519.tar.gz 4. Go to the critical patch directory. Run the following command: #./install.sh The following original files: - "/opt/TrendMicro/SProtectLinux/SPLX.WebUI/cgi-bin/ log_management.cgi" - "/opt/TrendMicro/SProtectLinux/SPLX.WebUI/cgi-bin/ proption.cgi" - "/opt/TrendMicro/SProtectLinux/SPLX.WebUI/cgi-bin/ scanoption_set.cgi" - "/opt/TrendMicro/SProtectLinux/SPLX.WebUI/cgi-bin/ showpage.cgi" - "/opt/TrendMicro/SProtectLinux/SPLX.WebUI/cgi-bin/ tmcm_sso.cgi" - "/opt/TrendMicro/SProtectLinux/SPLX.WebUI/cgi-bin/ cmoption.cgi" - "/opt/TrendMicro/SProtectLinux/SPLX.WebUI/cgi-bin/ login_and_register.cgi" - "/opt/TrendMicro/SProtectLinux/SPLX.WebUI/cgi-bin/ scanoption.cgi" - "/opt/TrendMicro/SProtectLinux/SPLX.WebUI/cgi-bin/ srv_admin.cgi" - "/opt/TrendMicro/SProtectLinux/SPLX.WebUI/cgi-bin/viewlog.cgi" - "/opt/TrendMicro/SProtectLinux/SPLX.WebUI/cgi-bin/ notification.cgi" - "/opt/TrendMicro/SProtectLinux/SPLX.WebUI/cgi-bin/summary.cgi" - "/opt/TrendMicro/SProtectLinux/SPLX.WebUI/html/help/ Specifying_the_Download_Source.htm" - "/opt/TrendMicro/SProtectLinux/SPLX.util/CMconfig" - "/opt/TrendMicro/SProtectLinux/SPLX.util/DiagnosticTool" - "/opt/TrendMicro/SProtectLinux/SPLX.util/xmlvalidator" - "/opt/TrendMicro/SProtectLinux/SPLX.vsapiapp/entity" - "/opt/TrendMicro/SProtectLinux/SPLX.vsapiapp/vsapiapp" - "/opt/TrendMicro/SProtectLinux/SPLX.vsapiapp/splxmain" - "/opt/TrendMicro/SProtectLinux/tmsplx.xml" are backed-up as: - "/opt/TrendMicro/SProtectLinux/SPLX.WebUI/cgi-bin/ log_management.cgi.bak.cp1519" - "/opt/TrendMicro/SProtectLinux/SPLX.WebUI/cgi-bin/ proption.cgi.bak.cp1519" - "/opt/TrendMicro/SProtectLinux/SPLX.WebUI/cgi-bin/ scanoption_set.cgi.bak.cp1519" - "/opt/TrendMicro/SProtectLinux/SPLX.WebUI/cgi-bin/ showpage.cgi.bak.cp1519" - "/opt/TrendMicro/SProtectLinux/SPLX.WebUI/cgi-bin/ tmcm_sso.cgi.bak.cp1519" - "/opt/TrendMicro/SProtectLinux/SPLX.WebUI/cgi-bin/ cmoption.cgi.bak.cp1519" - "/opt/TrendMicro/SProtectLinux/SPLX.WebUI/cgi-bin/ login_and_register.cgi.bak.cp1519" - "/opt/TrendMicro/SProtectLinux/SPLX.WebUI/cgi-bin/ scanoption.cgi.bak.cp1519" - "/opt/TrendMicro/SProtectLinux/SPLX.WebUI/cgi-bin/ srv_admin.cgi.bak.cp1519" - "/opt/TrendMicro/SProtectLinux/SPLX.WebUI/cgi-bin/ viewlog.cgi.bak.cp1519" - "/opt/TrendMicro/SProtectLinux/SPLX.WebUI/cgi-bin/ notification.cgi.bak.cp1519" - "/opt/TrendMicro/SProtectLinux/SPLX.WebUI/cgi-bin/ summary.cgi.bak.cp1519" - "/opt/TrendMicro/SProtectLinux/SPLX.WebUI/html/help/ Specifying_the_Download_Source.htm.bak.cp1519" - "/opt/TrendMicro/SProtectLinux/SPLX.util/CMconfig.bak.cp1519" - "/opt/TrendMicro/SProtectLinux/SPLX.util/ DiagnosticTool.bak.cp1519" - "/opt/TrendMicro/SProtectLinux/SPLX.util/ xmlvalidator.bak.cp1519" - "/opt/TrendMicro/SProtectLinux/SPLX.vsapiapp/ entity.bak.cp1519" - "/opt/TrendMicro/SProtectLinux/SPLX.vsapiapp/ vsapiapp.bak.cp1519" - "/opt/TrendMicro/SProtectLinux/SPLX.vsapiapp/ splxmain.bak.cp1519" - "/opt/TrendMicro/SProtectLinux/tmsplx.xml.bak.cp1519" 4.2 Uninstalling =================================================================== To roll back to the previous build: 1. Log on as a root user. 2. Go to the critical patch directory. Run the following command: #./rollback.sh The backed-up files during installation would replace the original files. 5. Post-Installation Configuration ====================================================================== No post-installation steps are required. NOTE: Trend Micro recommends that you update your scan engine and virus pattern files immediately after installing the product. 6. Known Issues ====================================================================== There are no known issues for this critical patch release. 7. Release History ====================================================================== For more information about updates to this product, go to: http://www.trendmicro.com/download 8. Contact Information ====================================================================== A license to Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only. After the first year, you must renew Maintenance on an annual basis at Trend Micro's then-current Maintenance fees. Contact Trend Micro via fax, phone, and email, or visit our website to download evaluation copies of Trend Micro products. http://www.trendmicro.com/us/about-us/contact/index.html NOTE: This information is subject to change without notice. 9. About Trend Micro ====================================================================== Smart, simple, security that fits As a global leader in IT security, Trend Micro develops innovative security solutions that make the world safe for businesses and consumers to exchange digital information. Copyright 2017, Trend Micro Incorporated. All rights reserved. Trend Micro, ServerProtect, and the t-ball logo are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies. 10. License Agreement ====================================================================== View information about your license agreement with Trend Micro at: http://www.trendmicro.com/us/about-us/legal-policies/ license-agreements Third-party licensing agreements can be viewed: - By selecting the "About" option in the application user interface - By referring to the "Legal" page of the Administrator's Guide