SECURITY NOTICE: 3rd Party Vulnerability Scans Showing Trend Micro endpoints as vulnerable with new OpenSSL versions

Product / Version includes:

Apex One as a Service2019 , Deep Security20.0 , Apex One2019 , Cloud One - Endpoint and Workload SecurityAll , Worry-Free Business Security Advanced9.5

Last updated: 2023/08/31

Solution ID: KA-0015145

Category: Troubleshoot

Summary

As of August 17, 2023, Trend Micro has received several reports that versions of endpoint solutions that were recently updated with newer versions of OpenSSL are showing up as vulnerable to specific CVEs in 3rd party vulnerability scanning reports.

Our product security team has analyzed the specific vulnerabilities in question, and Trend Micro's endpoint solutions are NOT AFFECTED by these vulnerabilities due to the way that the component is implemented in our products.

Please note that OpenSSL is a large library with various functions. Trend Micro products make use of only certain parts necessary for a specific use in our products. The same is true for almost all third-party libraries. When a vulnerability is found, it is determined if and/or where in the third-party code there may be issues. If this vulnerability is in a function that the agent does not use, there is generally is no risk to the product because the lack of entry vulnerability point.

According to various 3rd party scanning reports, Trend Micro endpoint solutions were being flagged for the following several different vulnerabilities depending on the product:

Trend Micro Apex One / Worry-Free Business Security / OfficeScan

CVE-2023-3446 and CVE-2023-2975: Trend Micro solutions do not utilize the specific functions that pertain to these specific vulnerabilities.

Trend Micro Cloud One - Workload Security / Deep Security

CVE-2023-0286, CVE-2023-0466, CVE-2023-4203, CVE-2023-4304, and CVE-2023-4450: Trend Micro security agents (DSA) are not impacted or affected by any of these vulnerabilities due to the specific implementation of the library and the non-use of most of the vulnerable functions.
CVE-2023-3446: The product's implementation of the library does not utilize the vulnerable functions that pertains to this vulnerability.

Please note, Trend Micro regularly reviews and applies 3rd party open source library updates as needed to its solutions during patch cycles. However, due to the customization, integration and/or quality assurance requirements of updating certain libraries, these libraries may not be updated as frequently unless there are critical vulnerabilities, major feature improvements or other high priority requirements.

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

SECURITY NOTICE: 3rd Party Vulnerability Scans Showing Trend Micro endpoints as vulnerable with new OpenSSL versions

SECURITY NOTICE: 3rd Party Vulnerability Scans Showing Trend Micro endpoints as vulnerable with new OpenSSL versions

Product / Version includes:

Summary