<> Trend Micro, Inc. June 30, 2019 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Trend Micro(TM) Smart Protection Server(TM) 3.3 Patch 2 - Build 1158 Smart Protection Server Program Version: 1008 Smart Protection Server Operating System Version: 1003 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Note: This readme file is current as of the date above. However, all customers are advised to check the Trend Micro website for documentation updates. Patch or Service Pack documentation: http://downloadcenter.trendmicro.com/ Full documentation set: http://docs.trendmicro.com Register online with Trend Micro within 30 days of installation to continue downloading new pattern files and product updates from the Trend Micro website. Register during installation or online at: http://olr.trendmicro.com/ Contents ==================================================================== 1. About Smart Protction Server(TM) 3.3 Patch 2 1.1 Overview of This Release 1.2 Who Should Install This Release 2. What's New 2.1 Enhancements 2.2 Resolved Issues 3. Documentation Set 4. System Requirements 5. Installation/Uninstallation 5.1 Installation 5.2 Uninstallation 6. Post-Installation Configuration 6.1 Post-Installation Configuration (from Previous Versions) 7. Known Issues 8. Release History 9. Contact Information 10. About Trend Micro 11. License Agreement ==================================================================== 1. About Smart Protection Server(TM) 3.3 Patch 2 ======================================================================== Trend Micro(TM) Smart Protection Server uses File Reputation and Web Reputation technology to detect security risks. Trend Micro(TM) Smart Protection Server hosts virus/malware/web threat pattern definitions, and makes these definitions available to other computers on the network to verify potential threats. Once installed, Trend Micro Smart Protection Server can be integrated seamlessly with Trend Micro products that support Smart Protection Server. 1.1 Overview of This Release ===================================================================== This patch includes enhancements, system software upgrade packages, and fixes to issues discovered after the release of Smart Protection Server(TM) 3.3. 1.2 Who Should Install This Release ===================================================================== You should install this patch if you are currently running Smart Protection Server(TM) 3.3 Patch 1. 2. What's New ======================================================================== 2.1 Enhancements in Smart Protection Server 3.3 Patch 2 ===================================================================== 2.1.1 Support for Apex Central 2019 ------------------------------------------------------------------ Apex Central 2019 is the latest centralized management console for Trend Micro products. This patch provides support for the following Apex Central 2019 features: * Synchronize suspicious objects and scan actions * Use Apex Central as an alternative update source 2.1.2 System Software Package Upgrade ------------------------------------------------------------------ This patch also resolves the following vulnerabilities: * CVE-2018-6485 (Glibc) * CVE-2019-19052 (Lighttpd) This patch is equivalent to performing a YUM package update for May 2019. 2.2 Resolved Issues ===================================================================== This patch addresses the following issues: Issue 1: Smart Protection Server 3.3 has an authentication bypass vulnerability that allows command injection with invalid user access information to gain full access. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 1: This patch resolves the vulnerability with enhanced authentication. Issue 2: Web services crash frequently and generate too many kernel core dumps when Predictive Machine Learning service requests are heavy. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 2: This patch provides a bug fix for the web services defect. Issue 3: The "User-Defined URLs" screen does not accept regular expressions for adding user-defined URL rules. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 3: This patch resolves the web console input issue on the "User-Defined URLs" screen. Regular expression rules are now supported. Issue 4: The "Log Maintenance" screen does not save changes to selected log types. Clicking "Save" always selects all log types, even cleared log type check boxes. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 4: This patch fixes the log type selection issue so that the "Log Maintenance" screen saves changes properly. Issue 5: Smart Protection Server 3.3 has an SQL injection vulnerability for User-Defined URL rule management, which potentially allows remote code execution from the web browser. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 5: This patch resolves the vulnerability in the internal process for adding User-Defined URL rules. Issue 6: There is a vulnerability that potentially triggers a denial-of-service attack where the system storage becomes fully occupied by the Smart Query Filter cache files and cannot function properly. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 6: This patch fixes the cache mechanism defect and prevents the denial-of-service attack. Issue 7: Email notifications do not include timezone information, which causes email clients to shift the email receipt time. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 7: This patch fixes the defect and displays the timezone in email notifications. Issue 8: User mailbox files for Smart Protection Server 3.3 continually grow in size. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 8: This patch adds a user mailbox rule to clean the user mailbox once a month. Issue 9: A command error prevents the manual update process from properly fetching the available disk space. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 9: This patch fixes the command error for future program updates. Issue 10: A command error prevents the system text terminal from displaying changes for recently updated network addresses. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 10: This patch fixes the command error and properly displays changes for recently updated network addresses. Issue 11: After Smart Protection Server is upgraded from version 3.2 to 3.3, Smart Protection Server 3.3 cannot be registered to or managed by Trend Micro Control Manager(TM) 7.0. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 11: This patch resolves the issue to ensure that the upgraded Smart Protection Server 3.3 can be registered to and managed by Control Manager 7.0 from the "Server Registration" screen. Issue 12: Smart Protection Server 3.3 cannot add other remote Smart Protection Servers from the "Server Visibility" list on the "Summary" screen. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 12: This patch resolves registration issues to ensure that Smart Protection Server 3.3 can add other remote servers to the list of managed servers. Issue 13: ActiveUpdate may unsuccessfully authenticate proxy servers and disconnect. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 13: This patch resolves the proxy server authenication and connection issue. Issue 14: Only the first page of the user-defined URL rule list displays properly and users are not directed to the next page after clicking the "Next page" link at the bottom of the page. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 14: This patch resolves the issue so that users can view the rest of the list properly. Issue 15: Single-sign On （SSL) sessions to Smart Protection Server 3.3 from Apex Central / Control Manager have an insecure direct object reference vulnerability that can be exploited by Cross-Site Scripting (XSS) attacks. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 15: This patch enhances the session authentication mechanism to protect against XSS attacks. 3. Documentation Set ======================================================================== In addition to this readme.txt, the documentation set for this product includes the following: * Installation Guide (IG) -- Provides product overview, deployment plan, installation steps and basic information intended to help you deploy Smart Protection Server smoothly. * Administrator's Guide (AG) -- Provides post-installation instructions on how to configure the settings to help you get Smart Protection Server "up and running". Also includes instructions on performing other administrative tasks for the day-to-day maintenance of Smart Protection Server. Electronic versions of the printed manuals are available at: http://docs.trendmicro.com/ * Online help -- Context-sensitive help screens that provide guidance for performing a task. * Knowledge Base -- Searchable database of known product issues, including specific problem-solving and troubleshooting topics. http://esupport.trendmicro.com 4. System Requirements ======================================================================== You must upgrade Smart Protection Server 3.3 to Operating System version 1002 before installing this patch. Install the patches in the following sequence: 1) TMSPS v3.3 Patch 1 (TMSPS-3.3-linux-MUI-patch1-B1094.zip) 2) TMSPS v3.3 OS Patch 2 (TMSPS-33-linux-MUI-OSpatch-B1098.zip) The following new virtualization platforms are supported: 1) VMware ESXi Server 6.5 Update 2 (Build 8294253) 2) Citrix XenServer 7.5, 7.4 The following virtualization platform is no longer supported: 1) Citrix XenServer 6.5 5. Installation/Uninstallation ======================================================================== 5.1 Installation ===================================================================== 1) Download "TMSPS_3.3_linux_MUI_patch2_B1158.zip" from the Trend Micro Download Center and then extract the patch package to a temporary folder. 2) Log on to the Smart Protection Server 3.3 web console using an account with administrator privileges. 3) Go to "Updates" > "Program". The "Program" screen appears. 4) Under "Upload Component", click "Browse" and navigate to the temporary folder. 5) Select "tmsss-service-patch-3.3-1008.x86_64.tgz" and click "Upload". Information on the available program files appears. 6) Click "Update Now". A confirmation message opens. 7) Click "OK". The server restarts. This process will take 5 to 10 minutes and reboot multiple times. 8) Log back on to the web console and go to "Updates" > "Program". 9) Verify that the screen displays the following version numbers. - Operating System: 1003 - Smart Protection Server: 1008 10) Verify the service build number: (Help menu > About) - Version: 3.3 Patch 2 - Build: 1158 (Smart Protection Server 1008) NOTE: The total installation time for this patch may take about five to 10 minutes to complete. 5.2 Uninstallation ===================================================================== No uninstallation steps are provided. 6. Post-Installation Configuration ======================================================================== No post-installation steps are required. Note: In order to display all the remote servers properly on the "Server Visibility" list, users must remove all servers from the "Server Visibility" list and then add the remote Smart Protection Servers again after installing this patch. 7. Known Issues ======================================================================== There are no known issues for this patch. 8. Release History ======================================================================== * Smart Protection Server 3.3 11/08/2017 9. Contact Information ======================================================================== A license to the Trend Micro software usually includes the right to product updates,pattern file updates, and basic technical support for one (1) year from the date of purchase only. After the first year, Maintenance must be renewed on an annual basis at Trend Micro's then-current Maintenance fees. You can contact Trend Micro via fax, phone, and email, or visit us at: http://www.trendmicro.com Evaluation copies of Trend Micro products can be downloaded from our Web site. Global Mailing Address/Telephone Numbers ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ For global contact information in the Asia/Pacific region, Australia and New Zealand, Europe, Latin America, and Canada, refer to: http://www.trendmicro.com/en/about/overview.htm The Trend Micro "About Us" screen displays. Click the appropriate link in the "Contact Us" section of the screen. Note: This information is subject to change without notice. 10. About Trend Micro ======================================================================== Trend Micro Incorporated, a global leader in Internet content security and threat management, aims to create a world safe for the exchange of digital information for businesses and consumers. A pioneer in server-based antivirus with over 20 years experience, we deliver top-ranked security that fits our customers?needs, stops new threats faster, and protects data in physical, virtualized and cloud environments. Powered by the Trend Micro Smart Protection Network(TM) infrastructure, our industry-leading cloud-computing security technology and products stop threats where they emerge, on the Internet, and are supported by 1,000+ threat intelligence experts around the globe. For additional information, visit www.trendmicro.com. Copyright 2016, Trend Micro Incorporated. All rights reserved. Trend Micro, the t-ball logo, and Smart Protection Server are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies. 11. License Agreement ======================================================================== Information about your license agreement with Trend Micro can be viewed at: http://us.trendmicro.com/us/about/company/user_license_agreements/ Third-party licensing agreements can be viewed at the "About" screen of the web console.