<> Trend Micro Incorporated ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Trend Micro(TM) Smart Protection Server(TM) 3.3 Patch 7 - Build 1263 Smart Protection Server Program Version: 1014 Smart Protection Server Operating System Version: 1008 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ NOTICE: This Readme file was current as of the date above. However, all customers are advised to check Trend Micro's website for documentation updates. GM release documentation: http://docs.trendmicro.com Patch/SP release documentation: http://www.trendmicro.com/download TIP: Register online with Trend Micro within 30 days of installation to continue downloading new pattern files and product updates from the Trend Micro website. Register during installation or online at: https://clp.trendmicro.com/FullRegistration?T=TM Contents ========================================================== 1. About Smart Protction Server(TM) 3.3 Patch 7 1.1 Overview of This Release 1.2 Who Should Install This Release 2. What's New 2.1 Enhancements 2.2 Resolved Known Issues 3. Documentation Set 4. System Requirements 5. Installation 5.1 Installing 5.2 Uninstalling 6. Post-Installation Configuration 7. Known Issues 8. Release History 9. Files Included in This Release 10. Contact Information 11. About Trend Micro 12. License Agreement ========================================================== 1. About Smart Protection Server(TM) 3.3 Patch 7 ======================================================================== Trend Micro(TM) Smart Protection Server uses File Reputation and Web Reputation technology to detect security risks. Trend Micro(TM) Smart Protection Server hosts virus/malware/web threat pattern definitions, and makes these definitions available to other computers on the network to verify potential threats. Once installed, Trend Micro Smart Protection Server can be integrated seamlessly with Trend Micro products that support Smart Protection Server. 1.1 Overview of This Release ===================================================================== This patch includes enhancements, system software upgrade packages, and fixes to issues discovered after the release of Smart Protection Server(TM) 3.3. 1.2 Who Should Install This Release ===================================================================== You should install this patch if you are currently running Smart Protection Server(TM) 3.3. 2. What's New ======================================================================== 2.1 Enhancements in Smart Protection Server 3.3 Patch 7 ==================================================================== 2.1.1 System Security Enhancement ------------------------------------------------------------------ There's no major system security enhancement included in this patch release. 2.1.2 System Software Package Upgrade ------------------------------------------------------------------ This patch includes the following major system software package upgrade: * CentOS 7.9.2009 (centos-release-7-9.2009.0.el7.centos.x86_64) Major Software Security Updates: * CVE-2020-12352, CVE-2020-12351 * kernel (kernel-3.10.0-1160.2.2.el7.x86_64) * kernel-headers (kernel-headers-3.10.0-1160.2.2.el7.x86_64) * kernel-tools (kernel-tools-3.10.0-1160.2.2.el7.x86_64) * kernel-tools-libs (kernel-tools-libs-3.10.0-1160.2.2.el7.x86_64) * python-perf (python-perf-3.10.0-1160.2.2.el7.x86_64) * CESA-2020:1190 * libxml2 (libxml2-2.9.1-6.el7.5.x86_64) * CESA-2019:1128 * wget( wget-1.14-18.el7_6.1. x86_64) * CVE-2019-5482 * curl ( curl-7.29.0-59.el7. x86_64) * libcurl ( libcurl-7.29.0-59.el7. x86_64) * CVE-2020-14363 * libX11 ( libX11-1.6.7-3.el7_9. x86_64) * libX11-common ( libX11-common-1.6.7-3.el7_9.noarch) * CVE-2019-5094, CVE-2019-5188 * e2fsprogs ( e2fsprogs-1.42.9-19.el7. x86_64) * e2fsprogs-libs ( e2fsprogs-libs-1.42.9-19.el7. x86_64) * libcom_err ( libcom_err-1.42.9-19.el7. x86_64) * libcom_err ( libcom_err-1.42.9-19.el7. i686) * libss ( libss-1.42.9-19.el7. x86_64) * CVE-2020-12825 * libcroco ( libcroco-6.12-6.el7_9. x86_64) * CVE-2019-17498 * libssh2 ( libssh2-1.8.0-4.el7. x86_64) * CVE-2019-18197, CVE-2019-11068 * libxslt ( libxslt-1.1.28-6.el7. x86_64) * CVE-2020-12243 * openldap (openldap-2.4.44-22.el7. x86_64) * openldap (openldap-2.4.44-22.el7. i686) * CVE-2020-8597 * ppp (ppp-2.4.5-34.el7_7. x86_64) * CVE-2019-16935 * python (python-2.7.5-89.el7. x86_64) * python-libs (python-libs -2.7.5-89.el7. x86_64) This patch is equivalent to performing a YUM package update for November 2020. 2.1.3 Other Enhancements ------------------------------------------------------------------ This patch has the following additional enhancements: * Improves the lighttpd configuration merge process when upgrading the lighttpd package. * Supports the new Microsoft Edge (Chromium) web browser. 2.2 Resolved Known Issues ===================================================================== New issues resolved in this patch: Issue 1: The product information in the Smart Protection Server configuration files may be inconsistent. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 1: This patch corrects the product information in the configuration files. Issue 2: Some file owners were accidentally changed to the wrong user in the previous patch. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 2: This patch corrects the file ownership. Issue 3: Smart Protection Server 3.3 has a timing attack vulnerability that allows attacks to enumerate the users on the Smart Protection Server 3.3 web console. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 3: This patch patches the timing attack vulnerability. For other issues resolved in previous patches, see section 8.1.2. 3. Documentation Set ======================================================================== To download or view electronic versions of the documentation set for this product, go to http://docs.trendmicro.com - Online Help: The Online Help contains an overview of features and key concepts, and information on configuring and maintaining Smart Protection Server. To access the Online Help, go to http://docs.trendmicro.com - Installation Guide (IG): The Installation Guide contains information on requirements and procedures for installing and deploying Smart Protection Server. - Administrator's Guide (AG): The Administrator's Guide contains an overview of features and key concepts, and information on configuring and maintaining Smart Protection Server. - Support Portal: The Support Portal contains information on troubleshooting and resolving known issues. To access the Support Portal, go to http://esupport.trendmicro.com 4. System Requirements ======================================================================== You must install Smart Protection Server 3.3 before installing this patch. The following new virtualization platforms are supported: 1) VMware ESXi Server 6.7.0 Update 3 (Build 15160138) 5. Installation ======================================================================== 5.1 Installing ===================================================================== 1) Download "TMSPS_3.3_linux_MUI_patch7_B1263.zip" from the Trend Micro Download Center and then extract the patch package to a temporary folder. 2) Log on to the Smart Protection Server 3.3 web console using an account with administrator privileges. 3) Go to "Updates" > "Program". The "Program" screen appears. 4) Under "Upload Component", click "Browse" and navigate to the temporary folder. 5) Select "tmsss-service-patch-3.3-1014.x86_64.tgz" and click "Upload". Information on the available program files appears. 6) Click "Update Now". A confirmation message opens. 7) Click "OK". The server restarts. This process will take 5 to 10 minutes and reboot multiple times. DO NOT MANUALLY INTERRUPT THE BOOTING PROCESS OR REBOOT MANUALLY, OR THE SYSTEM WILL BE DAMAGED AND UNABLE TO RECOVER. 8) Log back on to the web console and go to "Updates" > "Program". 9) Verify that the screen displays the following version numbers. - Operating System: 1008 - Smart Protection Server: 1014 10) Verify the service build number: (Help menu > About) - Version: 3.3 Patch 7 - Build: 1263 (Smart Protection Server 1014) 5.2 Uninstalling ======================================================= No uninstallation steps are provided. 6. Post-Installation Configuration ======================================================================== No post-installation steps are required. 7. Known Issues ======================================================================== There are no known issues in this patch release. 8. Release History ======================================================================== For more information about updates to this product, go to: http://www.trendmicro.com/download * Smart Protection Server 3.3 11/08/2017 8.1 Changes In Previous Patches ===================================================================== 8.1.1 Enhancements In Previous Patches ================================================================= 8.1.1.1 System Security Enhancement -------------------------------------------------------------- There are several notable security policies to enhance operating system security in previous patches: * Enable Address Space Layout Randomization (ASLR) * Enhance network security in kernel options * Strengthen OpenSSH server configuration with new cipher and key settings * Upgrade kernel to resolve vulnerabilities from speculative execution and indirect branch prediction (Meltdown and Spectre). CVE-2017-5754, CVE-2017-5753, CVE-2017-5715 * Upgrade kernel to resolve TCP SACK PANIC vulnerabilities. CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 8.1.1.2 System Software Package Upgrade -------------------------------------------------------------- Several vulnerabilities are fixed in previous patches by upgrading the software packages: * CVE-2018-15473 (OpenSSH) * CVE-2018-6485 (Glibc) * CESA-2017:3270 (apr) * CESA-2017:2832 (nss) * CESA-2017:1100 (nss) * CESA-2017:0286 (OpenSSL) * CESA-2017:0252 (ntp) * CESA-2016:2972 (vim) * CESA-2016:2674 (libgcrypt) * PHP 7.1.33 * CentOS 7.8.2003 (centos-release-7-8.2003.0.el7.centos.x86_64) * CESA-2020:1512 (java) * CESA-2020:1000 (rsyslog) * CESA-2020:2664 (kernel) * CESA-2020:0839 (kernel) * CESA-2020:1016 (kernel) * CESA-2020:1011 (expat) * CESA-2020:2663 (ntp) * CESA-2020:1020 (curl) * CESA-2020:1113 (bash) * CESA-2020:1138 (gettext) * CESA-2020:2344 (bind) 8.1.1.3 Other Enhancements -------------------------------------------------------------- Enhancement 1: Support for Apex Central 2019. This patch provides support for the following Apex Central 2019 features: * Synchronize suspicious objects and scan actions. * Use Apex Central as an alternative update source. Enhancement 2: System Logging Optimization This enhancement suppresses redundant and unused logs that may cause system log files to flood. Enhancement 3: Extra System Monitoring Mechanisms Provides an internal monitor tool to keep track and log the system resource usage and network traffic statistics. The log is also integrated with the Support Tool (CDT). Enhancement 4: ActiveUpdate Message Optimization Refined an error message to describe the ActiveUpdate signature file verification error more precisely. 8.1.2 Resolved Known Issues In Previous Patches ================================================================= The following known issues were resolved in previous patch releases: Issue 1: Smart Protection Server 3.3 has an authentication bypass vulnerability that allows command injection with invalid user access information to gain full access. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 1: This patch resolves the vulnerability with enhanced authentication. Issue 2: Web services crash frequently and generate too many kernel core dumps when Predictive Machine Learning service requests are heavy. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 2: This patch provides a bug fix for the web services defect. Issue 3: The "User-Defined URLs" screen does not accept regular expressions for adding user-defined URL rules. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 3: This patch resolves the web console input issue on the "User-Defined URLs" screen. Regular expression rules are now supported. Issue 4: The "Log Maintenance" screen does not save changes to selected log types. Clicking "Save" always selects all log types, even cleared log type check boxes. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 4: This patch fixes the log type selection issue so that the "Log Maintenance" screen saves changes properly. Issue 5: Smart Protection Server 3.3 has an SQL injection vulnerability for User-Defined URL rule management, which potentially allows remote code execution from the web browser. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 5: This patch resolves the vulnerability in the internal process for adding User-Defined URL rules. Issue 6: There is a vulnerability that potentially triggers a denial-of-service attack where the system storage becomes fully occupied by the Smart Query Filter cache files and cannot function properly. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 6: This patch fixes the cache mechanism defect and prevents the denial-of-service attack. Issue 7: Email notifications do not include timezone information, which causes email clients to shift the email receipt time. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 7: This patch fixes the defect and displays the timezone in email notifications. Issue 8: User mailbox files for Smart Protection Server 3.3 continually grow in size. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 8: This patch adds a user mailbox rule to clean the user mailbox once a month. Issue 9: A command error prevents the manual update process from properly fetching the available disk space. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 9: This patch fixes the command error for future program updates. Issue 10: A command error prevents the system text terminal from displaying changes for recently updated network addresses. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 10: This patch fixes the command error and properly displays changes for recently updated network addresses. Issue 11: After Smart Protection Server is upgraded from version 3.2 to 3.3, Smart Protection Server 3.3 cannot be registered to or managed by Trend Micro Control Manager(TM) 7.0. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 11: This patch resolves the issue to ensure that the upgraded Smart Protection Server 3.3 can be registered to and managed by Control Manager 7.0 from the "Server Registration" screen. Issue 12: Smart Protection Server 3.3 cannot add other remote Smart Protection Servers from the "Server Visibility" list on the "Summary" screen. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 12: This patch resolves registration issues to ensure that Smart Protection Server 3.3 can add other remote servers to the list of managed servers. Issue 13: ActiveUpdate may unsuccessfully authenticate proxy servers and disconnect. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 13: This patch resolves the proxy server authenication and connection issue. Issue 14: Only the first page of the user-defined URL rule list displays properly and users are not directed to the next page after clicking the "Next page" link at the bottom of the page. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 14: This patch resolves the issue so that users can view the rest of the list properly. Issue 15: Single-sign On (SSL) sessions to Smart Protection Server 3.3 from Apex Central / Control Manager have an insecure direct object reference vulnerability that can be exploited by Cross-Site Scripting (XSS) attacks. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 15: This patch enhances the session authentication mechanism to protect against XSS attacks. Issue 16: The Smart Protection Service Proxy may disconnect while processing Predictive Machine Learning requests. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 16: This patch resolves the issue and ensures that Predictive Machine Learning requests are processed properly. Issue 17: System resource (file descriptor) leakage by the Smart Protection Service Proxy may prevent the lighttpd web service from receiving requests. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 17: This patch resolves the file descriptor leakage issue. Issue 18: The Postgresql database is unable to apply new system timezone settings configured by clish. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 18: This patch ensures that the Postgresql database applies the new system timezone setting. Issue 19: The Smart Protection Service Proxy may lose some HTTP headers and prevent some integrated Trend Micro product features from working properly. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 19: This patch resolves the HTTP header issue and ensures the integrated Trend Micro product features work properly. Issue 20: When redirecting queries for Predictive Machine Learning, Smart Protection Server 3.3 may experience system resource leaking. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 20: This patch resolves the resource leaking issue by checking and freeing up the resources properly. Issue 21: When upgrading to Smart Protection Server 3.3 Patch 3 from a Smart Protection Server 3.3 Patch 2 server, the Java runtime environment is unable to upgrade during the upgrade process. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 21: This patch ensures the Java runtime environment upgrades successfully. After applying this patch, the Java runtime environment version should be: OpenJDK Runtime Environment (build 1.8.0_232-b09) Issue 22: Smart Protection Server and connected Trend Micro products become unstable and crash due to high network traffic loading and memory leaking issues from the Lighttpd web service. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 22: This patch eliminates the third-party software issues from Lighttpd and increases the stability of Smart Protection Server in high traffic loading environments. Issue 23: When the debug level value for the Smart Protection Server Proxy is set to 16, Smart Protection Server cannot send Predictive Machine Learning queries and the Lighttpd web service crashes. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 23: This patch resolves the issue so that the debug level value does not cause the web service to crash. Issue 24: When redirecting Predictive Machine Learning queries, Smart Protection Server sends incorrect Smart Protection Server product information to the Trend Micro Predictive Machine Learning service. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 24: This patch allows Smart Protection Server to send the correct product information to the Trend Micro Predictive Machine Learning service. Issue 25: When the Smart Protection Server is registered to Apex Central, the product build number of the Smart Protection Server displays incorrectly. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 25: This patch corrects the build number of the Smart Protection Server. Issue 26: Unable to connect Smart Protection Server 3.3 to another Smart Protection Server through the Server Visibility feature. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution 26: This patch installs a missing PHP library to resolve the Server Visibility connection issue. 9. Files Included in This Release ======================================================================== N/A 10. Contact Information ======================================================================== A license to Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only. After the first year, you must renew Maintenance on an annual basis at Trend Micro's then-current Maintenance fees. Contact Trend Micro via fax, phone, and email, or visit our website to download evaluation copies of Trend Micro products. https://www.trendmicro.com/en_us/contact.html NOTE: This information is subject to change without notice. 11. About Trend Micro ======================================================================== Smart, simple, security that fits As a global leader in IT security, Trend Micro develops innovative security solutions that make the world safe for businesses and consumers to exchange digital information. Copyright 2020, Trend Micro Incorporated. All rights reserved. Trend Micro, Smart Protection Network(TM), Trend Micro Control Manager(TM) and the t-ball logo are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies. 12. License Agreement ======================================================================== View information about your license agreement with Trend Micro at: https://www.trendmicro.com/en_us/about/legal.html Third-party licensing agreements can be viewed: - By selecting the "About" option in the application user interface - By referring to the "Legal" page of the Administrator's Guide