<> Trend Micro, Inc. December 16, 2019 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Trend Micro(TM) Smart Protection Server(TM) 3.3 Patch 4 - Build 1227 Smart Protection Server Program Version: 1010 Smart Protection Server Operating System Version: 1005 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Note: This readme file is current as of the date above. However, all customers are advised to check the Trend Micro website for documentation updates. Patch or Service Pack documentation: http://downloadcenter.trendmicro.com/ Full documentation set: http://docs.trendmicro.com Register online with Trend Micro within 30 days of installation to continue downloading new pattern files and product updates from the Trend Micro website. Register during installation or online at: http://olr.trendmicro.com/ Contents ==================================================================== 1. About Smart Protction Server(TM) 3.3 Patch 4 1.1 Overview of This Release 1.2 Who Should Install This Release 2. What's New 2.1 Enhancements 2.2 Resolved Issues 3. Documentation Set 4. System Requirements 5. Installation/Uninstallation 5.1 Installation 5.2 Uninstallation 6. Post-Installation Configuration 6.1 Post-Installation Configuration (from Previous Versions) 7. Known Issues 8. Release History 9. Contact Information 10. About Trend Micro 11. License Agreement ==================================================================== 1. About Smart Protection Server(TM) 3.3 Patch 4 ======================================================================== Trend Micro(TM) Smart Protection Server uses File Reputation and Web Reputation technology to detect security risks. Trend Micro(TM) Smart Protection Server hosts virus/malware/web threat pattern definitions, and makes these definitions available to other computers on the network to verify potential threats. Once installed, Trend Micro Smart Protection Server can be integrated seamlessly with Trend Micro products that support Smart Protection Server. 1.1 Overview of This Release ===================================================================== This patch includes enhancements, system software upgrade packages, and fixes to issues discovered after the release of Smart Protection Server(TM) 3.3. 1.2 Who Should Install This Release ===================================================================== You should install this patch if you are currently running Smart Protection Server(TM) 3.3. 2. What's New ======================================================================== 2.1 Enhancements in Smart Protection Server 3.3 Patch 4 ===================================================================== 2.1.1 Operating System Security Enhancement ------------------------------------------------------------------ This patch executes several security policies to enhance operating system security. Notable actions include: * Enable Address Space Layout Randomization (ASLR) * Enhance network security in kernel options * Strengthen OpenSSH server configuration with new cipher and key settings 2.1.2 System Software Package Upgrade ------------------------------------------------------------------ This patch also resolves the following vulnerabilities: * CVE-2018-15473 (OpenSSH) This patch is equivalent to performing a YUM package update for November 2019. 2.1.3 System Logging Optimization ------------------------------------------------------------------ This patch suppresses redundant and unused logs that may cause system log files to flood. 2.2 Resolved Issues ===================================================================== New issues resolved in this patch: --------------------------------------------------------------------- Issue 20: When redirecting queries for Predictive Machine Learning, Smart Protection Server 3.3 may experience system resource leaking. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 20: This patch resolves the resource leaking issue by check- ing and freeing up the resources properly. Issue 21: When upgrading to Smart Protection Server 3.3 Patch 3 from a Smart Protection Server 3.3 Patch 2 server, the Java runtime environment is unable to upgrade during the upgrade process. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 21: This patch ensures the Java runtime environment upgrades successfully. After applying this patch, the Java runtime environment version should be: OpenJDK Runtime Environment (build 1.8.0_232-b09) Issue 22: Under heavy loading, the Lighttpd web service may crash and produce memory dump files, which fills up the disk drive and disables the service. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 22: This patch enhances memory management and recycling to decrease the possibility of the Lighttpd service crashing. Scheduled maintenance mechanisms are also included to remove memory dump files if the overall file size exceeds 1 GB. Other issues resolved in earlier patches: --------------------------------------------------------------------- Issue 1: Smart Protection Server 3.3 has an authentication bypass vulnerability that allows command injection with invalid user access information to gain full access. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 1: This patch resolves the vulnerability with enhanced authentication. Issue 2: Web services crash frequently and generate too many kernel core dumps when Predictive Machine Learning service requests are heavy. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 2: This patch provides a bug fix for the web services defect. Issue 3: The "User-Defined URLs" screen does not accept regular expressions for adding user-defined URL rules. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 3: This patch resolves the web console input issue on the "User-Defined URLs" screen. Regular expression rules are now supported. Issue 4: The "Log Maintenance" screen does not save changes to selected log types. Clicking "Save" always selects all log types, even cleared log type check boxes. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 4: This patch fixes the log type selection issue so that the "Log Maintenance" screen saves changes properly. Issue 5: Smart Protection Server 3.3 has an SQL injection vulnerability for User-Defined URL rule management, which potentially allows remote code execution from the web browser. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 5: This patch resolves the vulnerability in the internal process for adding User-Defined URL rules. Issue 6: There is a vulnerability that potentially triggers a denial-of-service attack where the system storage becomes fully occupied by the Smart Query Filter cache files and cannot function properly. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 6: This patch fixes the cache mechanism defect and prevents the denial-of-service attack. Issue 7: Email notifications do not include timezone information, which causes email clients to shift the email receipt time. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 7: This patch fixes the defect and displays the timezone in email notifications. Issue 8: User mailbox files for Smart Protection Server 3.3 continually grow in size. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 8: This patch adds a user mailbox rule to clean the user mailbox once a month. Issue 9: A command error prevents the manual update process from properly fetching the available disk space. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 9: This patch fixes the command error for future program updates. Issue 10: A command error prevents the system text terminal from displaying changes for recently updated network addresses. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 10: This patch fixes the command error and properly displays changes for recently updated network addresses. Issue 11: After Smart Protection Server is upgraded from version 3.2 to 3.3, Smart Protection Server 3.3 cannot be registered to or managed by Trend Micro Control Manager(TM) 7.0. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 11: This patch resolves the issue to ensure that the upgraded Smart Protection Server 3.3 can be registered to and managed by Control Manager 7.0 from the "Server Registration" screen. Issue 12: Smart Protection Server 3.3 cannot add other remote Smart Protection Servers from the "Server Visibility" list on the "Summary" screen. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 12: This patch resolves registration issues to ensure that Smart Protection Server 3.3 can add other remote servers to the list of managed servers. Issue 13: ActiveUpdate may unsuccessfully authenticate proxy servers and disconnect. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 13: This patch resolves the proxy server authenication and connection issue. Issue 14: Only the first page of the user-defined URL rule list displays properly and users are not directed to the next page after clicking the "Next page" link at the bottom of the page. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 14: This patch resolves the issue so that users can view the rest of the list properly. Issue 15: Single-sign On （SSL) sessions to Smart Protection Server 3.3 from Apex Central / Control Manager have an insecure direct object reference vulnerability that can be exploited by Cross-Site Scripting (XSS) attacks. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 15: This patch enhances the session authentication mechanism to protect against XSS attacks. Issue 16: The Smart Protection Service Proxy may disconnect while processing Predictive Machine Learning requests. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 16: This patch resolves the issue and ensures that Predictive Machine Learning requests are processed properly. Issue 17: System resource (file descriptor) leakage by the Smart Protection Service Proxy may prevent the lighttpd web service from receiving requests. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 17: This patch resolves the file descriptor leakage issue. Issue 18: The Postgresql database is unable to apply new system timezone settings configured by Clish. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 18: This patch ensures that the Postgresql database applies the new system timezone setting. Issue 19: The Smart Protection Service Proxy may lose some HTTP headers and prevent some integrated Trend Micro product features from working properly. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 19: This patch resolves the HTTP header issue and ensures the integrated Trend Micro product features work properly. 3. Documentation Set ======================================================================== In addition to this readme.txt, the documentation set for this product includes the following: * Installation Guide (IG) -- Provides product overview, deployment plan, installation steps and basic information intended to help you deploy Smart Protection Server smoothly. * Administrator's Guide (AG) -- Provides post-installation instructions on how to configure the settings to help you get Smart Protection Server "up and running". Also includes instructions on performing other administrative tasks for the day-to-day maintenance of Smart Protection Server. Electronic versions of the printed manuals are available at: http://docs.trendmicro.com/ * Online help -- Context-sensitive help screens that provide guidance for performing a task. * Knowledge Base -- Searchable database of known product issues, including specific problem-solving and troubleshooting topics. http://esupport.trendmicro.com 4. System Requirements ======================================================================== You must install Smart Protection Server 3.3 before installing this patch. The following new virtualization platforms are supported: 1) VMware ESXi Server 6.7 Update 2 (Build 13006603) 5. Installation/Uninstallation ======================================================================== 5.1 Installation ===================================================================== 1) Download "TMSPS_3.3_linux_MUI_patch4_B1227.zip" from the Trend Micro Download Center and then extract the patch package to a temporary folder. 2) Log on to the Smart Protection Server 3.3 web console using an account with administrator privileges. 3) Go to "Updates" > "Program". The "Program" screen appears. 4) Under "Upload Component", click "Browse" and navigate to the temporary folder. 5) Select "tmsss-service-patch-3.3-1010.x86_64.tgz" and click "Upload". Information on the available program files appears. 6) Click "Update Now". A confirmation message opens. 7) Click "OK". The server restarts. This process will take 5 to 10 minutes and reboot multiple times. 8) Log back on to the web console and go to "Updates" > "Program". 9) Verify that the screen displays the following version numbers. - Operating System: 1005 - Smart Protection Server: 1010 10) Verify the service build number: (Help menu > About) - Version: 3.3 Patch 4 - Build: 1227 (Smart Protection Server 1010) 5.2 Uninstallation ===================================================================== No uninstallation steps are provided. 6. Post-Installation Configuration ======================================================================== No post-installation steps are required. 7. Known Issues ======================================================================== 7.1 Pattern Update Schedule --------------------------------------------------------------------- If the pattern update schedule is set to "hourly", the pattern update session may become unstable or unsuccessful. To resolve this issue, use the default pattern update schedule ("every 15 minutes"). 7.2 Online Help Version --------------------------------------------------------------------- After upgrading from Smart Protection Server 3.3 Patch 3, the "Contents and Index" link in the "Help" drop-down menu redirects to the Smart Protection Server 3.3 Patch 3 version of the online help. This issue will be fixed in the next patch. 8. Release History ======================================================================== * Smart Protection Server 3.3 11/08/2017 9. Contact Information ======================================================================== A license to the Trend Micro software usually includes the right to product updates,pattern file updates, and basic technical support for one (1) year from the date of purchase only. After the first year, Maintenance must be renewed on an annual basis at Trend Micro's then-current Maintenance fees. You can contact Trend Micro via fax, phone, and email, or visit us at: http://www.trendmicro.com Evaluation copies of Trend Micro products can be downloaded from our Web site. Global Mailing Address/Telephone Numbers ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ For global contact information in the Asia/Pacific region, Australia and New Zealand, Europe, Latin America, and Canada, refer to: http://www.trendmicro.com/en/about/overview.htm The Trend Micro "About Us" screen displays. Click the appropriate link in the "Contact Us" section of the screen. Note: This information is subject to change without notice. 10. About Trend Micro ======================================================================== Trend Micro Incorporated, a global leader in Internet content security and threat management, aims to create a world safe for the exchange of digital information for businesses and consumers. A pioneer in server-based antivirus with over 20 years experience, we deliver top-ranked security that fits our customers?needs, stops new threats faster, and protects data in physical, virtualized and cloud environments. Powered by the Trend Micro Smart Protection Network(TM) infrastructure, our industry-leading cloud-computing security technology and products stop threats where they emerge, on the Internet, and are supported by 1,000+ threat intelligence experts around the globe. For additional information, visit www.trendmicro.com. Copyright 2016, Trend Micro Incorporated. All rights reserved. Trend Micro, the t-ball logo, and Smart Protection Server are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies. 11. License Agreement ======================================================================== Information about your license agreement with Trend Micro can be viewed at: http://us.trendmicro.com/us/about/company/user_license_agreements/ Third-party licensing agreements can be viewed at the "About" screen of the web console.