CVE-2022-24678: 
Trend Micro Apex One Agent vulnerability analysis and mitigation

A security vulnerability (CVE-2022-24678) was identified in Trend Micro Apex One, Trend Micro Apex One as a Service, and Trend Micro Worry-Free Business Security products. The vulnerability was discovered and reported on October 27, 2021, with public disclosure occurring on February 16, 2022. This security flaw affects Apex One versions 2019 (On-prem) without the CP B10071 patch (ZDI Advisory, CERT-FR).

The vulnerability is classified as a resource exhaustion denial-of-service condition within the Trend Micro Apex One Security Agent. The specific flaw exists within the logging of requests received on the management port. The vulnerability has been assigned a CVSS score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), indicating a medium severity level (ZDI Advisory).

When exploited, this vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Trend Micro Apex One Security Agent. By sending a large number of requests, an attacker can cause log files to grow without limit, potentially leading to system resource exhaustion (ZDI Advisory).

Trend Micro has released security updates to address this vulnerability. For Apex One versions 2019 (On-prem), users should apply the CP B10071 patch. The fix is already included in Apex One SaaS versions 2021-12 (14.0.10154) and 2022-01 (14.0.10223) (CERT-FR).