ESB-2018.0730 - [Win][UNIX/Linux] HPE XP Command View: Multiple vulnerabilities 2018-03-13

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0730
     Critical vulnerabilities patched in Hewlett Packard Enterprise XP
                            Command View software
                               13 March 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           HPE XP Command View
Publisher:         Hewlett Packard Enterprise
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-8988 CVE-2017-7679 CVE-2017-7668
                   CVE-2017-5641  

Original Bulletin: 
   https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03821en_us
   https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03822en_us
   https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03823en_us

Comment: This bulletin contains three (3) Hewlett Packard Enterprise security
         advisories (HPESBHF03822, HPESBHF03821 and HPESBHF03823).

- --------------------------BEGIN INCLUDED TEXT--------------------

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: hpesbhf03822en_us

Version: 1

HPESBHF03822 rev.1 - HPE XP Command View AE Suite (XPCVAE), Remote Bypass of
Security Restrictions
NOTICE: The information in this Security Bulletin should be acted upon as soon
as possible.

Release Date: 2018-03-03
Last Updated: 2018-03-03

Potential Security Impact: Remote: Bypass Security Restrictions

Source: Hewlett Packard Enterprise, HPE Product Security Response Team

VULNERABILITY SUMMARY

The HPE XP Command View AE Suite (XPCVAE) products (excluding server
components) contain an XML External Entity (XXE) vulnerability.

  * DevMgr earlier than 8.5.3-00 (for Windows, Linux) (Note 1)
  * RepMgr earlier than 8.5.3-00 (for Windows, Linux) (Note 2)
  * HDLM earlier than 8.5.3-00 (for Windows, Linux, Solaris, AIX)

References: CVE-2017-8988

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP XP Command View Advanced Edition Software Earlier than 8.5.3-00

BACKGROUND

CVSS Version 3.0 and Version 2.0 Base Metrics

  CVE-2017-8988
    V3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L   Base Score 7.3
    V2: (AV:N/AC:L/Au:N/C:P/I:P/A:P)                   Base Score 7.5

Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002

RESOLUTION

HPE has resolved this issue in the XP Command View AE Suite (XPCVAE) products
(excluding server components) with the following update versions:

  * DevMgr 8.5.3-00. Note 1: also apply Device Manager agent 8.5.0-06, which
    is bundled with this fixed version.
  * RepMgr 8.5.3-00. Note 2: also apply Application Agent 8.5.3-00 (for
    Windows), which is bundled with this fixed version.
  * HDLM 8.5.3-00

HISTORY
Version:1 (rev.1) - 2 March 2018 Initial release
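The bulletin above names an XML External Entity flaw but does not describe the
fix. The usual server-side mitigation, independent of the vendor patch, is to
refuse any document that carries a DTD or entity declaration before it reaches
the application's XML parser. The following is an added example written for
this page, not HPE or Hitachi code and not a description of how XPCVAE was
patched: it runs a throw-away expat pass purely to observe declarations and
rejects the document when one appears. The sample documents are constructed;
`xml_rejection_reason`, `parse_untrusted_xml` and `UnsafeXMLError` are names
chosen here.

```python
"""Screen untrusted XML for DTD/entity constructs before parsing it (XXE gate).

Added example for this bulletin page; assumes only the Python standard library.
"""
import xml.parsers.expat as expat
from typing import List, Optional
from xml.etree import ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when a document declares a DTD, an entity or an external reference."""


def xml_rejection_reason(data: bytes, forbid_dtd: bool = True) -> Optional[str]:
    """Return None if `data` is free of DTD/entity constructs, else the reason.

    Python's expat does not fetch external entities unless a handler is set, but
    it still expands internal entities (entity-expansion DoS), and other parsers
    in the same pipeline may resolve SYSTEM entities, so by default any DOCTYPE
    is rejected. With forbid_dtd=False a DTD is tolerated but every entity
    declaration and every external entity reference is still rejected.
    """
    findings: List[str] = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if forbid_dtd:
            findings.append(f"DOCTYPE {name!r} declared (system id {system_id!r})")
            raise UnsafeXMLError(findings[-1])

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        kind = "external" if system_id is not None else "internal"
        findings.append(f"{kind} entity {name!r} declared (system id {system_id!r})")
        raise UnsafeXMLError(findings[-1])

    def on_external_ref(context, base, system_id, public_id):
        findings.append(f"external entity reference to {system_id!r}")
        raise UnsafeXMLError(findings[-1])

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except UnsafeXMLError:
        pass  # reason already recorded; parsing was stopped at that point
    except expat.ExpatError:
        if not findings:
            raise  # genuinely malformed XML, not a policy rejection
    return findings[0] if findings else None


def parse_untrusted_xml(data: bytes, forbid_dtd: bool = True) -> ET.Element:
    """Parse `data` only after the screening pass accepted it."""
    reason = xml_rejection_reason(data, forbid_dtd)
    if reason is not None:
        raise UnsafeXMLError(reason)
    return ET.fromstring(data)


# Constructed sample inputs (not taken from any real product traffic).
CLEAN_DOC = b'<?xml version="1.0"?><request><user>alice</user></request>'
XXE_DOC = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE request [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>\n'
    b'<request><user>&xxe;</user></request>'
)
LAUGHS_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ENTITY lol1 "&lol;&lol;&lol;"> ]>'
    b'<lolz>&lol1;</lolz>'
)

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_DOC), ("xxe", XXE_DOC), ("laughs", LAUGHS_DOC)):
        print(label, "->", xml_rejection_reason(doc) or "accepted")
    print("dtd allowed, xxe ->", xml_rejection_reason(XXE_DOC, forbid_dtd=False))
```

The gate is the same shape as the `defusedxml` library's approach (hooking expat's declaration callbacks); rejecting the whole DOCTYPE, rather than only entities, is the safer default because it also stops entity-expansion DoS and any downstream parser that does resolve external entities.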

- --------------------------------------------------------------------------------

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: hpesbhf03821en_us

Version: 1

HPESBHF03821 rev.1 - HPE XP Command View AE Suite (XPCVAE), Remote Denial of
Service
NOTICE: The information in this Security Bulletin should be acted upon as soon
as possible.

Release Date: 2018-03-03
Last Updated: 2018-03-03

Potential Security Impact: Local: Denial of Service (DoS); Remote: Denial of
Service (DoS)

Source: Hewlett Packard Enterprise, HPE Product Security Response Team

VULNERABILITY SUMMARY

Certain HPE XP Command View AE Suite (XPCVAE) components contain a
vulnerability that makes them susceptible to denial of service (DoS) attacks.

  * Device Manager (DevMgr)
  * Replication Manager (RepMgr)
  * Tiered Storage Manager (TSMgr)
  * Automation Director (AutoDir)
  * Configuration Manager (CM)

References:

  * CVE-2017-7668 - Apache httpd, out-of-bounds read in ap_find_token()
  * CVE-2017-7679 - Apache httpd mod_mime, out-of-bounds read

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP XP Command View Advanced Edition Software earlier than 8.5.3-00

BACKGROUND

CVSS Version 3.0 and Version 2.0 Base Metrics

  CVE-2017-7668
    V3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L   Base Score 7.3
    V2: (AV:N/AC:L/Au:N/C:P/I:P/A:P)                   Base Score 7.5

  CVE-2017-7679
    V3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L   Base Score 7.3
    V2: (AV:N/AC:L/Au:N/C:P/I:P/A:P)                   Base Score 7.5

Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002

RESOLUTION

HPE has provided XP Command View AE Suite (XPCVAE) product updates to resolve
the vulnerabilities. Upgrade to the versions:

  * DevMgr 8.5.3-00
  * RepMgr 8.5.3-00
  * TSMgr 8.5.3-00
  * AutoDir 8.5.3-00
  * CM 8.5.4-00

HISTORY
Version:1 (rev.1) - 2 March 2018 Initial release

- --------------------------------------------------------------------------------

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: hpesbhf03823en_us

Version: 1

HPESBHF03823 rev.1 - HPE XP Command View Advanced Edition Software (CVAE),
Remote Arbitrary Code Execution
NOTICE: The information in this Security Bulletin should be acted upon as soon
as possible.

Release Date: 2018-03-03
Last Updated: 2018-03-03

Potential Security Impact: Remote: Arbitrary Code Execution

Source: Hewlett Packard Enterprise, HPE Product Security Response Team

VULNERABILITY SUMMARY

A vulnerability in HPE XP Command View Advanced Edition Software (CVAE) was
found. The vulnerability allows for remote execution of arbitrary code.

References: CVE-2017-5641 - Apache Flex BlazeDS, unrestricted AMF3 object
deserialization

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP XP Command View Advanced Edition Software earlier than 8.5.3-00

BACKGROUND

CVSS Version 3.0 and Version 2.0 Base Metrics

  CVE-2017-5641
    V3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H   Base Score 9.8
    V2: (AV:N/AC:L/Au:N/C:P/I:P/A:P)                   Base Score 7.5

Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002

RESOLUTION

HPE has provided a resolution for the vulnerability in HPE XP Command View
Advanced Edition Software (CVAE). Apply the following updates:

  * DevMgr 8.5.3-00 (the vulnerability in RepMgr and TSMgr is resolved when
    DevMgr is upgraded)
  * AutoDir 8.5.3-00

HISTORY
Version:1 (rev.1) - 2 March 2018 Initial release
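The three bulletins fix the same product family at slightly different
component versions (everything at 8.5.3-00 except CM at 8.5.4-00, plus two
bundled agents). A practitioner checking an estate wants those numbers compared
numerically, not as strings, so that 8.5.10-00 is not mistaken for a downlevel
8.5.1. The following is an added example, not HPE tooling: the fixed-version
table is copied from the RESOLUTION sections above, the host inventory is a
constructed sample, and the assumption that a version string is
major.minor.patch-build with each field compared as an integer is mine.

```python
"""Compare an XPCVAE component inventory against the fixed versions listed in
HPESBHF03821, HPESBHF03822 and HPESBHF03823 (added example, not HPE tooling)."""
import re
from typing import Dict, List, NamedTuple, Tuple

# Minimum fixed versions from the RESOLUTION sections of the three bulletins.
# Where a component is listed in more than one bulletin the highest version wins.
FIXED_VERSIONS: Dict[str, str] = {
    "DevMgr": "8.5.3-00",
    "DevMgr agent": "8.5.0-06",              # bundled with DevMgr 8.5.3-00 (HPESBHF03822)
    "RepMgr": "8.5.3-00",
    "RepMgr Application Agent": "8.5.3-00",  # bundled with RepMgr 8.5.3-00 (HPESBHF03822)
    "TSMgr": "8.5.3-00",
    "AutoDir": "8.5.3-00",
    "CM": "8.5.4-00",                        # HPESBHF03821 lists 8.5.4-00 for CM
    "HDLM": "8.5.3-00",
}

# Assumed format: major.minor.patch-build, e.g. "8.5.3-00".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn "8.5.10-00" into (8, 5, 10, 0) so comparisons are numeric."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, build = (int(x) for x in m.groups())
    return (major, minor, patch, build)


class Finding(NamedTuple):
    host: str
    component: str
    installed: str
    fixed: str


def is_vulnerable(component: str, installed: str) -> bool:
    """True when `installed` is below the fixed version for `component`."""
    fixed = FIXED_VERSIONS.get(component)
    if fixed is None:
        raise KeyError(f"no fixed version known for component {component!r}")
    return parse_version(installed) < parse_version(fixed)


def audit(inventory: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Return one Finding per (host, component) that still needs the update."""
    findings: List[Finding] = []
    for host, components in sorted(inventory.items()):
        for component, installed in sorted(components.items()):
            if is_vulnerable(component, installed):
                findings.append(Finding(host, component, installed, FIXED_VERSIONS[component]))
    return findings


# Constructed sample inventory (host -> component -> installed version).
SAMPLE_INVENTORY: Dict[str, Dict[str, str]] = {
    "mgmt-01": {"DevMgr": "8.5.2-01", "DevMgr agent": "8.5.0-06", "RepMgr": "8.5.3-00"},
    "mgmt-02": {"DevMgr": "8.5.3-00", "DevMgr agent": "8.5.0-05", "CM": "8.5.3-00"},
    "mgmt-03": {"TSMgr": "8.5.10-00", "HDLM": "8.5.3-01"},
}

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.host}: {f.component} {f.installed} is below fixed version {f.fixed}")
```

Note that mgmt-02 is caught on the bundled Device Manager agent even though
its DevMgr is at 8.5.3-00, which is exactly the case the HPESBHF03822 notes
warn about, and that mgmt-03's TSMgr 8.5.10-00 is correctly treated as newer
than 8.5.3-00.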

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hpe.com.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
