FreeBSD Security Advisory FreeBSD-SA-15:25.ntp [REVISED]

2015-11-04 Thread FreeBSD Security Advisories

=============================================================================
FreeBSD-SA-15:25.ntp                                          Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities of ntp [REVISED]

Category:       contrib
Module:         ntp
Announced:      2015-10-26, revised on 2015-11-04
Credits:        Network Time Foundation
Affects:        All supported versions of FreeBSD.
Corrected:      2015-10-26 11:35:40 UTC (stable/10, 10.2-STABLE)
                2015-11-04 11:27:13 UTC (releng/10.2, 10.2-RELEASE-p7)
                2015-11-04 11:27:21 UTC (releng/10.1, 10.1-RELEASE-p24)
                2015-11-02 10:39:26 UTC (stable/9, 9.3-STABLE)
                2015-11-04 11:27:30 UTC (releng/9.3, 9.3-RELEASE-p30)
CVE Name:       CVE-2015-7701, CVE-2015-7702, CVE-2015-7703, CVE-2015-7704,
                CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851,
                CVE-2015-7852, CVE-2015-7853, CVE-2015-7854, CVE-2015-7855,
                CVE-2015-7871

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.

0.   Revision history.

v1.0  2015-10-26 Initial release.
v1.1  2015-11-04 Revised patches to address regression in ntpq(8), ntpdc(8)
  utilities and lack of RAWDCF reference clock support in ntpd(8).

I.   Background

The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
used to synchronize the time of a computer system to a reference time
source.

II.  Problem Description

Crypto-NAK packets can be used to cause ntpd(8) to accept time from an
unauthenticated ephemeral symmetric peer by bypassing the authentication
required to mobilize peer associations.  [CVE-2015-7871]
FreeBSD 9.3 and 10.1 are not affected.

If ntpd(8) is fed a crafted mode 6 or mode 7 packet containing an unusually
long data value where a network address is expected, the decodenetnum()
function will abort with an assertion failure instead of simply returning
a failure condition.  [CVE-2015-7855]

If ntpd(8) is configured to allow remote configuration, and if the (possibly
spoofed) source IP address is allowed to send remote configuration requests,
and if the attacker knows the remote configuration password or if ntpd(8)
was configured to disable authentication, then an attacker can send a set
of packets to ntpd(8) that may cause it to crash, with the hypothetical
possibility of a small code injection.  [CVE-2015-7854]

A negative value for the datalen parameter will overflow a data buffer.
The NTF ntpd(8) driver implementations always set this value to 0 and are
therefore not vulnerable to this weakness.  If the system runs a custom
refclock driver in ntpd(8) and that driver supplies a negative value for
datalen (no custom driver of even minimal competence would do this), then
ntpd(8) would overflow the data buffer.  It is even hypothetically possible
in this case that instead of simply crashing ntpd(8), the attacker could
effect a code injection attack.  [CVE-2015-7853]

If an attacker can figure out the precise moment that ntpq(8) is listening
for data and the port number on which it is listening, or if the attacker
can provide a malicious instance ntpd(8) that victims will connect to, then
an attacker can send a set of crafted mode 6 response packets that, if
received by ntpq(8), can cause ntpq(8) to crash.  [CVE-2015-7852]

If ntpd(8) is configured to allow remote configuration, and if the (possibly
spoofed) IP address is allowed to send remote configuration requests, and if
the attacker knows the remote configuration password or if ntpd(8) was
configured to disable authentication, then an attacker can send a set of
packets to ntpd that may cause ntpd(8) to overwrite files.  [CVE-2015-7851]
The default configuration of ntpd(8) within FreeBSD does not allow remote
configuration.

If ntpd(8) is configured to allow remote configuration, and if the (possibly
spoofed) source IP address is allowed to send remote configuration
requests, and if the attacker knows the remote configuration password or if
ntpd(8) was configured to disable authentication, then an attacker can send
a set of packets to ntpd that will cause it to crash and/or create
a potentially huge log file.  Specifically, the attacker could enable
extended logging, point the key file at the log file, and cause what amounts
to an infinite loop.  [CVE-2015-7850]
The default configuration of ntpd(8) within FreeBSD does not allow remote
configuration.

If ntpd(8) is configured to allow remote configuration, and if the (possibly
spoofed) source IP address is allowed to send remote configuration requests,
and if the attacker knows the remote configuration password or if ntpd(8) was
configured to disable authentication, then an attacker can send a set of
pa
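
Several of the issues above apply only when ntpd(8) is configured to accept
remote configuration (mode 6/7 modification requests) from a non-local
source.  The following checker, added here as an example and not part of the
FreeBSD advisory or of the ntp distribution, parses the `restrict` lines of an
ntp.conf and reports the targets that still accept such requests.  The flag
semantics used (`ignore`, `noquery`, `nomodify`, `mask`, `-4`/`-6`) are those
documented in ntp.conf(5); the two sample configurations are constructed for
this example and the function names are the example's own.

```python
"""Report ntp.conf restrict targets that leave remote configuration open.

Added example; not ntpd code.  Flag meanings follow ntp.conf(5):
  ignore    drop all packets from the target
  noquery   drop all mode 6/7 (control/private) packets
  nomodify  drop mode 6/7 *modification* requests, queries still allowed
Any of the three closes remote configuration for that target.
"""
import ipaddress
import shlex

# Constructed sample configurations (not from any real host).
WEAK_CONF = """\
server 0.freebsd.pool.ntp.org iburst
restrict default             # no flags: full mode 6/7 access for everyone
restrict 10.0.0.0 mask 255.0.0.0 nomodify
restrict 127.0.0.1
"""

HARDENED_CONF = """\
server 0.freebsd.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery limited
restrict -6 default kod nomodify notrap nopeer noquery limited
restrict 127.0.0.1
restrict ::1
restrict source nomodify notrap noquery
"""


def parse_restrict_lines(conf_text):
    """Return [(target, flags)] for every `restrict` line.

    target is the address/name token, with "/<mask>" appended when a `mask`
    keyword follows it; flags is the set of remaining keywords.
    """
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        tokens = shlex.split(line)
        if tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        while tokens and tokens[0] in ("-4", "-6"):   # address-family selector
            tokens.pop(0)
        if not tokens:
            continue
        target = tokens.pop(0)
        flags = set()
        while tokens:
            tok = tokens.pop(0)
            if tok == "mask" and tokens:
                target += "/" + tokens.pop(0)
            else:
                flags.add(tok)
        entries.append((target, flags))
    return entries


def _is_loopback(target):
    """True for a literal loopback address (127.0.0.1, ::1)."""
    try:
        return ipaddress.ip_address(target).is_loopback
    except ValueError:
        return False


def remote_config_exposed(conf_text):
    """Sorted list of non-loopback restrict targets that still accept
    mode 6/7 modification requests.

    With no `default` entry at all, ntpd allows everything, so a missing
    default is reported as an exposed "default" target.
    """
    entries = parse_restrict_lines(conf_text)
    if not any(t == "default" for t, _ in entries):
        entries.append(("default", set()))
    closing = {"ignore", "noquery", "nomodify"}
    return sorted(
        target for target, flags in entries
        if not (flags & closing) and not _is_loopback(target)
    )


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "exposed:", remote_config_exposed(conf) or "none")
```

On a FreeBSD host the text to feed in is `/etc/ntp.conf`; the checker only
looks at `restrict` lines, so a key file or `trustedkey` setup that would also
be needed for authenticated remote configuration is out of its scope.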
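
The CVE-2015-7855 paragraph describes a parser that aborts on an over-long
value where a network address is expected instead of returning a failure.  As
an added illustration (not ntpd's decodenetnum() and not code from the
advisory), the following parses an NTP mode 6 control packet using the header
layout of RFC 1305 Appendix B (LI/VN/Mode, R/E/M/opcode, sequence, status,
association ID, offset, count, then `count` octets of data) and treats an
oversized count or an unparsable address as an ordinary error.  The function
names, the hypothetical `decode_netnum`, and the sample packets are this
example's own constructions; mode 7 (private) packets have a different,
ntpd-specific layout and are not handled.

```python
"""Defensive parsing of an NTP mode 6 (control) packet.  Added example.

Every malformed input is reported through a return value or a catchable
exception; nothing here asserts on attacker-controlled data.
"""
import ipaddress
import struct

HEADER = struct.Struct("!BBHHHHH")   # 12-octet control header (RFC 1305)
MAX_DATA = 468                       # RFC 1305: data field up to 468 octets
MAX_ADDR_LEN = 45                    # longest textual IPv6 address


class ControlPacketError(ValueError):
    """Raised for a packet that does not fit the mode 6 layout."""


def parse_control_packet(pkt):
    """Return (opcode, association_id, data) or raise ControlPacketError."""
    if len(pkt) < HEADER.size:
        raise ControlPacketError("short header")
    li_vn_mode, rem_op, _seq, _status, assoc, _offset, count = HEADER.unpack_from(pkt)
    if li_vn_mode & 0x07 != 6:
        raise ControlPacketError("not a mode 6 packet")
    if count > MAX_DATA:
        raise ControlPacketError("count exceeds maximum data size")
    if HEADER.size + count > len(pkt):
        raise ControlPacketError("count exceeds packet length")   # lying count
    return rem_op & 0x1F, assoc, pkt[HEADER.size:HEADER.size + count]


def decode_netnum(value):
    """Hypothetical address decoder: ip_address on success, None on failure.

    An unusually long or malformed value comes back as None so the caller can
    reject the packet, rather than tripping an assertion.
    """
    if len(value) > MAX_ADDR_LEN:
        return None
    try:
        return ipaddress.ip_address(value.strip("[]"))
    except ValueError:
        return None


def parse_variables(data):
    """Split "name=value, name=value" response data into a dict."""
    text = data.decode("ascii", errors="replace")
    out = {}
    for item in text.split(","):
        if "=" in item:
            key, val = item.split("=", 1)
            out[key.strip()] = val.strip().strip('"')
    return out


def source_address(pkt):
    """The validated srcadr variable of a response, or None if anything is off."""
    try:
        _opcode, _assoc, data = parse_control_packet(pkt)
    except ControlPacketError:
        return None
    value = parse_variables(data).get("srcadr")
    return None if value is None else decode_netnum(value)


def build_packet(data, mode=6, opcode=2, assoc=0, count=None):
    """Constructed test packet: a mode 6 response, optionally with a bad count."""
    if count is None:
        count = len(data)
    li_vn_mode = (0 << 6) | (2 << 3) | mode          # LI=0, VN=2, mode
    rem_op = 0x80 | opcode                            # response bit + opcode
    return HEADER.pack(li_vn_mode, rem_op, 1, 0, assoc, 0, count) + data


# Constructed samples: one well-formed response, one with an over-long value
# where an address is expected, one whose count field exceeds the wire length.
GOOD = build_packet(b"srcadr=192.0.2.10, stratum=2")
BAD_LONG = build_packet(b"srcadr=" + b"9" * 300)
BAD_COUNT = build_packet(b"srcadr=192.0.2.10", count=400)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("long value", BAD_LONG), ("bad count", BAD_COUNT)):
        print(name, "->", source_address(pkt))
```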

[SECURITY] [DSA 3392-1] freeimage security update

2015-11-04 Thread Sebastien Delafond

-------------------------------------------------------------------------
Debian Security Advisory DSA-3392-1                   secur...@debian.org
https://www.debian.org/security/                       Sebastien Delafond
November 04, 2015                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package: freeimage
CVE ID : CVE-2015-0852
Debian Bug : 797165

Pengsu Cheng discovered that FreeImage, a library for graphic image
formats, contained multiple integer underflows that could lead to a
denial of service: remote attackers were able to trigger a crash by
supplying a specially crafted image.

For the oldstable distribution (wheezy), this problem has been fixed
in version 3.15.1-1.1.

For the stable distribution (jessie), this problem has been fixed in
version 3.15.4-4.2.

For the testing distribution (stretch) and unstable distribution
(sid), this problem has been fixed in version 3.15.4-6.

We recommend that you upgrade your freeimage packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[security bulletin] HPSBGN03429 rev.2 - HP Arcsight Logger, Remote Disclosure of Information

2015-11-04 Thread security-alert

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04863612

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04863612
Version: 2

HPSBGN03429 rev.2 - HP Arcsight Logger, Remote Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-10-23
Last Updated: 2015-11-03

Potential Security Impact: Remote disclosure of information

Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP ArcSight
Logger. The vulnerability could be exploited remotely to disclose
information.

References:

CVE-2015-6029 (CWE-307)
CERT-VU#842252
SSRT102157
SSRT101901

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP ArcSight Logger prior to v6.0 P2

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2015-6029    (AV:N/AC:M/Au:N/C:P/I:P/A:P)       6.8
===========================================================
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Hubert mach and Julian Horoszkiewicz for
reporting this vulnerability to CERT and to security-al...@hp.com.

RESOLUTION

HP has made the following software updates available to resolve the
vulnerabilities.

The updates may be downloaded from: https://softwaresupport.hp.com/

HP ArcSight Logger v6.0P2 or subsequent
HP ArcSight Logger v6.1 or subsequent

HISTORY
Version:1 (rev.1) - 23 October 2015 Initial release
Version:2 (rev.2) - 3 November 2015 Updated acknowledgement text

Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hpe.com.

Report: To report a potential security vulnerability with any HPE supported
product, send Email to: security-al...@hpe.com

Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX

Copyright 2015 Hewlett Packard Enterprise

Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners.



[security bulletin] HPSBGN03425 rev.1 - HP ArcSight SmartConnectors, Remote Disclosure of Information, Local Escalation of Privilege

2015-11-04 Thread security-alert

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04850932

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04850932
Version: 1

HPSBGN03425 rev.1 - HP ArcSight SmartConnectors, Remote Disclosure of
Information, Local Escalation of Privilege

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-11-03
Last Updated: 2015-11-03

Potential Security Impact: Remote disclosure of information, local escalation
of privilege

Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP ArcSight
SmartConnectors. The vulnerabilities could be exploited remotely to allow
disclosure of information, and locally to allow escalation of privilege.

References:

CVE-2015-2902, (CWE-295), SSRT102148, VU#350508
CVE-2015-2903 (CWE-259), VU#350508

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
ArcSight SmartConnectors any version prior to v7.1.6

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2015-2902    (AV:N/AC:M/Au:N/C:P/I:P/A:P)       6.8
CVE-2015-2903    (AV:L/AC:M/Au:S/C:C/I:C/A:C)       6.6
===========================================================
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Jefferson Ogata for reporting a
vulnerability to CERT and to security-al...@hp.com.

RESOLUTION

HP has made the following software updates available to resolve the
vulnerabilities.

The updates may be downloaded from: https://softwaresupport.hp.com/

HP ArcSight SmartConnectors v7.1.6 or later

Note: SmartConnectors now require local clients to communicate over an
encrypted channel, however the default credentials for the SmartConnectors
should also be changed. This can be performed either if the SmartConnector is
managed by ArcSight Management Center (ArcMC) or ArcSight Connector
Appliance.

HISTORY
Version:1 (rev.1) - 3 November 2015 Initial release




[security bulletin] HPSBGN03430 rev.1 - HP ArcSight products, Local Elevation of Privilege

2015-11-04 Thread security-alert

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04872416

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04872416
Version: 1

HPSBGN03430 rev.1 - HP ArcSight products, Local Elevation of Privilege

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-11-03
Last Updated: 2015-11-03

Potential Security Impact: Elevation of privilege

Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with ArcSight
Management Center, ArcSight Connector Appliance, ArcSight Logger and ArcSight
SmartConnectors. The vulnerability could be exploited locally to allow
elevation of privilege.

Note: The following products are not vulnerable if installed as a non-root
user: ArcSight Management Center, ArcSight Connector Appliance, ArcSight
Logger, ArcSight SmartConnectors

References:

CVE-2015-6030, CERT-VU#842252 (CWE-653)
SSRT101901
SSRT102157

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

ArcSight Connector Appliance all releases
ArcSight Logger any release prior to 6.0P2
ArcSight ESM 6.x releases prior to 6.5SP1P2
ArcSight Connectors any version prior to 7.1.4
ArcSight Management Center 2.0P2 security update 071515

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2015-6030    (AV:L/AC:M/Au:S/C:C/I:C/A:C)       6.6
===========================================================
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Hubert mach and Julian Horoszkiewicz for
reporting this vulnerability to CERT and to security-al...@hp.com.

RESOLUTION

HP has made the following software updates available to resolve the
vulnerabilities.

The updates may be downloaded from: https://softwaresupport.hp.com/

ArcSight Management Center v2.0P2 security update 071515, v2.1 or later
ArcSight Logger v6.0P2 or later, v6.1 or later
ArcSight ESM v6.5SP1P2 or later, v6.8P1 or later
ArcSight SmartConnectors v7.1.4 or later

HISTORY
Version:1 (rev.1) - 3 November 2015 Initial release




[SECURITY] [DSA 3391-1] php-horde security update

2015-11-04 Thread Florian Weimer

-------------------------------------------------------------------------
Debian Security Advisory DSA-3391-1                   secur...@debian.org
https://www.debian.org/security/                           Florian Weimer
November 03, 2015                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package: php-horde
Debian Bug : 803641

It was discovered that the web-based administration interface in the
Horde Application Framework did not guard against Cross-Site Request
Forgery (CSRF) attacks.  As a result, other, malicious web pages could
cause Horde applications to perform actions as the Horde user.

The oldstable distribution (wheezy) did not contain php-horde
packages.

For the stable distribution (jessie), this problem has been fixed in
version 5.2.1+debian0-2+deb8u2.

For the testing distribution (stretch) and the unstable distribution
(sid), this problem has been fixed in version 5.2.8+debian0-1.

We recommend that you upgrade your php-horde packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[security bulletin] HPSBGN03386 rev.2 - HP Central View Fraud Risk Management, Revenue Leakage Control, Dealer Performance Audit, Credit Risk Control, Roaming Fraud Control, Subscription Fraud Prevent

2015-11-04 Thread security-alert


Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04751893

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04751893
Version: 2

HPSBGN03386 rev.2 - HP Central View Fraud Risk Management, Revenue Leakage
Control, Dealer Performance Audit, Credit Risk Control, Roaming Fraud
Control, Subscription Fraud Prevention, Remote Disclosure of Information,
Local Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-08-12
Last Updated: 2015-11-02

Potential Security Impact:  Remote disclosure of information, local
disclosure of information

Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY

A potential security vulnerability has been identified with HP Central View
Fraud Risk Management, Revenue Leakage Control, Dealer Performance Audit,
Credit Risk Control, Roaming Fraud Control, and Subscription Fraud
Prevention. The vulnerabilities could be exploited remotely and locally to
allow disclosure of information.

References:  CVE-2015-5406 (SSRT101995)
             CVE-2015-5407
             CVE-2015-5408

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP CentralView Fraud Risk Management v11.1, v11.2, v11.3 Windows Client
HP CentralView Revenue Leakage Control v4.1, v4.2, v4.3 Windows Client
HP CentralView Dealer Performance Audit v2.0, v2.1 Windows Client Software
HP CentralView Credit Risk Control v2.1, v2.2, v2.3 Windows Client Software
HP CentralView Roaming Fraud Control v2.1, v2.2, v2.3 Windows Client Software
HP CentralView Subscription Fraud Prevention v2.0, v2.1 Windows Client
Software

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2015-5406    (AV:N/AC:L/Au:S/C:C/I:C/A:C)       9.0
CVE-2015-5407    (AV:L/AC:H/Au:S/C:C/I:C/A:C)       6.0
CVE-2015-5408    (AV:L/AC:H/Au:S/C:C/I:C/A:C)       6.0
===========================================================
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Spyridon Chatzimichail for reporting this
issue to security-al...@hp.com.

RESOLUTION

Customers are recommended to use the latest product versions that provide a
web client for secure access to HP CentralView systems.

The windows client has been deprecated and replaced by the web client in the
latest releases.

Remote access to information issues are addressed with FRM12.0 (ERM6.0)
Patch 4 and FRM11.1 (ERM5.0/ERM5.1) Patch 5. The patch addresses the SQL
injection described in the associated patch documents.

For this latest available security patch, customers will be required to
update to latest product versions before applying this update. Please contact
HP CentralView product support to request this update.

HISTORY
Version:1 (rev.1) - 12 August 2015 Initial release
Version:2 (rev.2) - 2 November 2015 Patches available
