CVE-2022-44647: 
Trend Micro Apex One Agent vulnerability analysis and mitigation

An Out-of-bounds read vulnerability was discovered in Trend Micro Apex One and Apex One as a Service. The vulnerability, identified as CVE-2022-44647, could allow a local attacker to disclose sensitive information on affected installations. This vulnerability was publicly disclosed on December 12, 2022, and received a CVSS v3.1 score of 5.5 (Medium) (ZDI, NVD).

The specific vulnerability exists within the User Mode Hooking Monitor Engine. The issue stems from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with the vector string: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L (ZDI).

When successfully exploited, this vulnerability can lead to the disclosure of sensitive information on affected installations. Additionally, an attacker can potentially leverage this vulnerability in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of SYSTEM (ZDI).

Trend Micro has issued an update to correct this vulnerability. Users are advised to apply the security update as detailed in the vendor's solution document (ZDI).