[security bulletin] HPSBGN03617 rev.2 - HPE IceWall Federation Agent and IceWall File Manager using libXML2 library, Remote Denial of Service (DoS)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05157239

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c05157239
Version: 2

HPSBGN03617 rev.2 - HPE IceWall Federation Agent and IceWall File Manager using libXML2 library, Remote Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2016-06-09
Last Updated: 2016-06-09

Potential Security Impact: Remote Denial of Service (DoS)

Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY
Security vulnerabilities in the libXML2 library could potentially impact HPE IceWall Federation Agent and IceWall File Manager resulting in Remote Denial of Service (DoS).

References:
- CVE-2016-3627
- CVE-2016-3705
- PSRT110132

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
- IceWall Federation Agent 3.0 using libXML2
- IceWall File Manager 3.0 using libXML2

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2016-3627    (AV:N/AC:L/Au:N/C:N/I:N/A:P)       5.0
CVE-2016-3705    (AV:N/AC:L/Au:N/C:N/I:N/A:P)       5.0
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION
HPE recommends applying the latest OS vendor security patches for libXML2 to resolve the vulnerabilities in the libXML2 library.

HISTORY
Version:1 (rev.1) - 9 June 2016 Initial release
Version:2 (rev.2) - 9 June 2016 Corrected content

Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel.
For other issues about the content of this Security Bulletin, send e-mail to security-al...@hpe.com.

Report: To report a potential security vulnerability with any HPE supported product, send Email to: security-al...@hpe.com

Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive

Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX

Copyright 2016 Hewlett Packard Enterprise

Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise and the names of Hewlett Packard Enterprise products referenced herein are trademarks of Hewlett Packard Enterprise in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJXWggfAAoJEGIGBBYqRO9/0JwIAM82/ev9SnVBJprHLNY4fZAJ
Jrha+4BhuYZJ/Sf2hgoaZVKcveW0Q5fWzrB59Pz5CoZiEeJk4qbmezF0E+iGOV17
W3huowscmTzd/0lM6B85lwH36oSc183VhBd+YrCrFPSwGP9h0xOUQkXpnEWWa9+f
L9MTPh++T266mukkGthtbpSK9l4b7GIXDQHIk9xphi6V9HQWbSaWKlWII9tcP45H
iLEZ1awphMRqY6WLA8WPCIWvH3LkPEizNP3UMBPt1lNS3g/zvAbPft96x0RMoP2A
RCe0eRzcyDMlkGnW8vJRZscwK649RlRdNZCAQGXsJdsV/cO/xhZO5a1HqLRPPwA=
=MiD+
-----END PGP SIGNATURE-----
[SECURITY] [DSA 3600-1] iceweasel/firefox-esr security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

-------------------------------------------------------------------------
Debian Security Advisory DSA-3600-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 09, 2016                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2016-2818 CVE-2016-2819 CVE-2016-2821 CVE-2016-2822
                 CVE-2016-2828 CVE-2016-2831

Multiple security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors, buffer overflows and other implementation errors may lead to the execution of arbitrary code or spoofing.

Wait, Firefox? No more references to Iceweasel? That's right, Debian no longer applies a custom branding. Please see these links for further information:
https://glandium.org/blog/?p=3622
https://en.wikipedia.org/wiki/Mozilla_software_rebranded_by_Debian

Debian follows the extended support releases (ESR) of Firefox. Support for the 38.x series has ended, so starting with this update we're now following the 45.x releases and this update to the next ESR is also the point where we reapply the original branding.

Transition packages for the iceweasel packages are provided which automatically upgrade to the new version. Since new binary packages need to be installed, make sure to allow that in your upgrade procedure (e.g. by using "apt-get dist-upgrade" instead of "apt-get upgrade").

For the stable distribution (jessie), these problems have been fixed in version 45.2.0esr-1~deb8u1.

For the unstable distribution (sid), these problems have been fixed in version 45.2.0esr-1.

We recommend that you upgrade your firefox-esr packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJXWdEpAAoJEBDCk7bDfE42cWcP/1QiyaD48+R+Fw33XpPLFMoo
SLDVGAcjVVS4cXLPSOW23noxTn1rfB5/woCNDg6ojjiGCE+vWm6S1xSY2fU4SRfL
mkHdAQYN/vk0tgnyLs2l2VMvvJw3lyRnACitcU1OsfFdn9wq7tgtgM+fdl7hJ9zE
Nza4bXAuBDV4b01GXHLkHCVuh7lcJhRGu2gqzQXs2HsZBo12YYVMiwdpxNxzZDzx
e06bMzW2TEWlk0YfjEA3EI5FQCENo7/qemqSe+4mlTUguT2YlLR56CTV5tbR+DGq
jvxmKdwwcytyZJn2n4Yft5CafQfJbp928gSivMUvvMccTmgVH9FFtNbPI213tn05
TU2IzIFLZ+za/Kv1FirU6wZ/nXZFgJBIsd2w9K2fdM4uMQqvESLopxtw0VPxxSlV
SmF07ONx1Yu9gsJcoVIy/nCbP0F9EtE0NA8cak1KE5in9Q5PCXRzQeDOlP3g93Fo
2FiH3sp6U8aJKBZaNnFJ1qfaWqbMO3vQu7hjj49kOpIHgWEOrpDTeEAvk+PXleMt
WExEmzcbfXAmuEiLFmQd+BxR6yd6JyofnapxuThBqHq51grxAdW3gldrK8gPvpFd
1iKkY4w1wTcv8VkRhG0ErJa2B9DEWSAanI7WLMjoE4Vd2Buq4qjNpICWYkDdEvSu
B2yCw5JgXx8eHngKUCDJ
=RYDx
-----END PGP SIGNATURE-----
SimpleSAMLphp Link Injection
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/SIMPLESAML-PHP-LINK-INJECTION.txt
[+] ISR: apparitionsec

Vendor:
=================
simplesamlphp.org

Product:
=======================
simplesamlphp < 1.14.4

Vulnerability Type:
===================
Link Injection

CVE Reference:
==============
N/A

Vulnerability Details:
======================
Several scripts that are part of SimpleSAMLphp display a web page with links obtained from the request parameters. This is supposed to enhance usability, as the users are presented with links they can follow after completing a certain action, like logging out.

The following scripts do not check the URLs obtained via the HTTP request before displaying them as the target of links that the user may click on:

www/logout.php
modules/core/www/no_cookie.php

The issue allowed attackers to display links targeting a malicious website inside a trusted site running SimpleSAMLphp, due to the lack of security checks involving the link_href and retryURL HTTP parameters, respectively.

The issue was resolved by including a verification of the URLs received in the request against a white list of websites specified in the trusted.url.domains configuration option.

References:
https://simplesamlphp.org/security/201606-01

Affected versions:
All SimpleSAMLphp versions prior to 1.14.4.

Impact:
A remote attacker could craft a link or pop up webpage pointing to a trusted website running SimpleSAMLphp, including a parameter pointing to a malicious website, to fool the victim into visiting that website by clicking on a link in the page presented by the "trusted" SimpleSAMLphp application.

Vulnerable Codes:
=================

"no_cookie.php"
...

    if (isset($_REQUEST['retryURL'])) {
        $retryURL = (string)$_REQUEST['retryURL'];
        $retryURL = \SimpleSAML\Utils\HTTP::normalizeURL($retryURL);
    } else {
        $retryURL = NULL;
    }

    $globalConfig = SimpleSAML_Configuration::getInstance();
    $t = new SimpleSAML_XHTML_Template($globalConfig, 'core:no_cookie.tpl.php');
    $t->data['retryURL'] = $retryURL;
    $t->show();

"logout.php"
...

    if (array_key_exists('link_href', $_REQUEST)) {
        $link = (string) $_REQUEST['link_href'];
        $link = \SimpleSAML\Utils\HTTP::normalizeURL($link);
    } else {
        $link = 'index.php';
    }

    if (array_key_exists('link_text', $_REQUEST)) {
        $text = $_REQUEST['link_text'];
    } else {
        $text = '{logout:default_link_text}';
    }

    $t = new SimpleSAML_XHTML_Template($config, 'logout.php');
    $t->data['link'] = $link;
    $t->data['text'] = $text;
    $t->show();

Exploit code(s):
================

1) https://victim-server/simplesaml/module.php/core/no_cookie.php?retryURL=https://attacker-server

2) https://victim-server/simplesaml/logout.php?link_href=http://attacker-server/Evil.php&link_text=PLEASE%20DOWNLOAD%20THIS%20IMPORTANT%20UPDATE

Disclosure Timeline:
====================
Vendor Notification: May 31, 2016
June 9, 2016 : Public Disclosure

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Low

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere.

hyp3rlinx
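The following PHP is an added example for this page, not SimpleSAMLphp's own code, showing the hardened counterpart of the logout.php excerpt above: the fix the advisory describes is an allowlist check of request-supplied link targets (the trusted.url.domains option), so a request-supplied link_href is kept only if it is a same-site relative path or an http(s) URL whose host is on that allowlist, and both the href and the link_text value are HTML-escaped when rendered. The function names filterUntrustedUrl and renderLink, the sample allowlist, the fallback of index.php and the sample inputs are constructed for the illustration; it assumes PHP 8.

```php
<?php
// Added example (not SimpleSAMLphp's own code). Assumes PHP 8 for
// str_starts_with/str_ends_with/str_contains. All names are constructed.

/**
 * Return $url only if it is a same-site relative path or an http(s) URL whose
 * host is one of $trustedDomains (or a subdomain of one); otherwise $fallback.
 */
function filterUntrustedUrl(string $url, array $trustedDomains, string $fallback): string
{
    $url = trim($url);
    $parts = parse_url($url);
    if ($parts === false || $url === '') {
        return $fallback;
    }

    // No scheme and no host: a relative path such as "index.php". Refuse the
    // forms browsers may still treat as absolute (leading "//" or any
    // backslash, which some browsers normalise to "/"), since they leave the site.
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        if (str_starts_with($url, '//') || str_contains($url, '\\')) {
            return $fallback;
        }
        return $url;
    }

    // Anything else must be a plain http(s) URL with a host: "javascript:..."
    // has a scheme but no host, "//host/" has a host but no scheme.
    if (!isset($parts['scheme'], $parts['host'])) {
        return $fallback;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return $fallback;
    }

    // Exact host match or subdomain of a trusted domain; a suffix such as
    // "idp.example.org.example.net" does not match because of the leading dot.
    $host = strtolower($parts['host']);
    foreach ($trustedDomains as $domain) {
        $domain = strtolower($domain);
        if ($host === $domain || str_ends_with($host, '.' . $domain)) {
            return $url;
        }
    }
    return $fallback;
}

/** Render the link with both the attribute value and the text HTML-escaped. */
function renderLink(string $href, string $text): string
{
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
        . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Hardened counterpart of the logout.php excerpt. $trustedDomains stands in
// for the value an installation would load from trusted.url.domains.
$trustedDomains = ['sp.example.org', 'idp.example.org'];   // constructed allowlist

$link = array_key_exists('link_href', $_REQUEST)
    ? filterUntrustedUrl((string) $_REQUEST['link_href'], $trustedDomains, 'index.php')
    : 'index.php';
$text = array_key_exists('link_text', $_REQUEST)
    ? (string) $_REQUEST['link_text']
    : 'Go back';   // constructed default text

// Constructed link_href values, exercised when run from the command line.
if (PHP_SAPI === 'cli') {
    $samples = [
        'index.php'                            => 'index.php',   // relative: kept
        'https://idp.example.org/saml2/'       => 'https://idp.example.org/saml2/',
        'https://untrusted.example.net/'       => 'index.php',   // off-site: replaced
        '//untrusted.example.net/'             => 'index.php',   // protocol-relative
        'javascript:alert(1)'                  => 'index.php',   // non-http scheme
        'https://idp.example.org.example.net/' => 'index.php',   // suffix lookalike
    ];
    foreach ($samples as $in => $expected) {
        $out = filterUntrustedUrl($in, $trustedDomains, 'index.php');
        printf("%-40s -> %-34s %s\n", $in, $out, $out === $expected ? 'ok' : 'UNEXPECTED');
    }
    echo renderLink($link, $text), "\n";
}
```

The check is deliberately an allowlist rather than a blocklist of known-bad hosts: the decision is "is this one of our own sites", and anything that cannot be classified falls back to the local default. Escaping the link text separately matters because link_text is also request-controlled and ends up in the page body.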
[SECURITY] [DSA 3599-1] p7zip security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

-------------------------------------------------------------------------
Debian Security Advisory DSA-3599-1                   secur...@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
June 09, 2016                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : p7zip
CVE ID         : CVE-2016-2335
Debian Bug     : 824160

Marcin 'Icewall' Noga of Cisco Talos discovered an out-of-bounds read vulnerability in the CInArchive::ReadFileItem method in p7zip, a 7zr file archiver with high compression ratio. A remote attacker can take advantage of this flaw to cause a denial-of-service or, potentially, the execution of arbitrary code with the privileges of the user running p7zip, if a specially crafted UDF file is processed.

For the stable distribution (jessie), this problem has been fixed in version 9.20.1~dfsg.1-4.1+deb8u2.

For the testing distribution (stretch), this problem has been fixed in version 15.14.1+dfsg-2.

For the unstable distribution (sid), this problem has been fixed in version 15.14.1+dfsg-2.

We recommend that you upgrade your p7zip packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJXWYdlAAoJEAVMuPMTQ89EW6wP/37CB1SuykB+dEnUaYNR5gId
fVzPjkFlRTPNsXL3fSNNWXK5wXyys5kyKzLTL2ET92L/7MbjdUNtcSFiMXVCV2Jo
PuQAk6h57pFdpEkQiEn1pnmx+SocTnCdtZ9BE5j8f7Ob6v9Q4fTc5kEJU3xn3aNg
7VCbnb7mYA7jN+Uoy3LwtiSCvoovzWmJvncDNhYdhdS0uZ/IVJ35TpRGXCiRds3d
Ud13K5uSBVVhOhkSbMza+cujloteQytkumXgKu3s2vtgPpasJrQievDBIv+ouQHu
qrqKWoUJyZhsTzKKJUMjCRv3qlsz9k+AtUnCE02Mv2a1FWS7XGwf8O7W7woMElhF
NHsYJcQB69zOMRVx+jO6iqoUX9iopeB7tp/SXNUmdAD3U9qv3XsV+9nN4jqecJYm
Zm6TAOwGK2QHL3xAySUVPyCxVPaC4yqBCiPCushYsq9wJuuCAHBIjFHYXybX70sZ
V+mQvyBK09suDAmaLgpof8RZtMcI7bwN6QqzyIAq8AO3QGJfwEMxqMV4hNIYpoIb
pQjAo759VrSm5zVpHkw+vMekMuiwknZPMQWM49pQ9+6cokRSDOwd2hvDhtN+Un31
xu7ZJmB8N9q63Mbc39lEKDmAhXK9zKt8CfnY7/Q5BP5erWMmkJpuqXVDBlTKsJYH
3/SnDKaC1vmgmHB8P+gz
=ASUx
-----END PGP SIGNATURE-----
CVE-2016-3085: Apache CloudStack Authentication Bypass Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2016-3085: Apache CloudStack Authentication Bypass Vulnerability

CVSS v2: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Vendors:
The Apache Software Foundation
Accelerite, Inc

Versions affected:
CloudStack versions 4.5.0 and newer

Description:
Apache CloudStack contains an authentication module providing “single sign-on” functionality via the SAML data format. Under certain conditions, a user could manage to access the user interface without providing proper credentials. As the SAML plugin is disabled by default, this issue only affects installations that have enabled and use SAML-based authentication.

Mitigation:
Users of Apache CloudStack using the SAML plugin should upgrade to one of the following versions, based on which release they are currently using: 4.5.2.1, 4.6.2.1, 4.7.1.1, or 4.8.0.1. These versions contain only security updates, and no other functionality change.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCgAGBQJXWNuFAAoJEOom9N0pCN7Sw8EP/0Q5YgomRGEocod2Cmlfd/E9
JKSBdt38hTclPXcdi3w/1Fq88l54erfHuPLPJObpsIR/vQGiOU0K9KkaO5jYDHtR
uFzb37PDzkR/x0tpfOvl1LqWOl89dSjF0qNAB8gi5ThqSWhBst70bjq0bR1aFxXx
I05JzZgD4eye+3tYRcVoFPOkbP7E5pWFtPo9LKUdRL4bfSwskB7d5MOGUoBMQfBb
vuMp7BikT3kMU7kiXNHKMCdd24iAQeiMOocZo7fPn70DiKANqLzinLxlWZHrd4Lh
IPO/m35s52tIVFxXAIF5N7ThAhOCoqQykxykCAgZN1Wi5444/bBJ/ppaP3StWq8i
gRTPzVYbniCTUfG4ynGZIwLwdDJxMb4M1kBdT3lpQWRhq24vE7/xSPANy8ipegvw
rZ8EYS0b0Ud4Bx60+L3rCMBJAwlSaddX/DDHaYUU8hxT5NRoK0eiWf9p4jd40Ob4
BYM/9mi4tv4Wq6tIEqSZfVMdNKgY3+0oBP5HEhEmXSk9Th0rNLySB7Xpix7dC5iF
4I0kpki8BFirE6rBGiKNARdXZJ9QTUTUG/wk1Ndgoe4kJG3PtR6PuY9DAWomqecz
aF/tmyIZXLeVEyZrS1rKLPlIjRHarALoQgB0Ln+UAhS0oyVJ5LrR4Ie70UDCMRNv
rNjki8AjTUnQarsp14lT
=+Tpv
-----END PGP SIGNATURE-----
ESA-2016-064: EMC Data Domain Information Disclosure Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ESA-2016-064: EMC Data Domain Information Disclosure Vulnerability

EMC Identifier: ESA-2016-064
CVE Identifier: CVE-2016-0910
Severity Rating: CVSS v3 Base Score: 8.2 (AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)

Affected products:
EMC Data Domain OS 5.5: version 5.5.3.3 and below
EMC Data Domain OS 5.6: version 5.6.1.0 and below
EMC Data Domain OS 5.7: version 5.7.1.0 and below

Summary:
EMC Data Domain is affected by an information disclosure vulnerability that could potentially be exploited by malicious users to compromise the affected system.

Details:
Data Domain logs the session identifier of a user logged in via the GUI in a file that is accessible to all users. A malicious user could use the disclosed session identifier to take over the account of the victim, a GUI user whose session identifier was disclosed.

Resolution:
The following EMC Data Domain releases contain resolutions to these vulnerabilities:
EMC Data Domain OS 5.5: version 5.5.4.0
EMC Data Domain OS 5.6: hotfix version 5.6.1.004. Contact EMC Customer Support for access.
EMC Data Domain OS 5.7: version 5.7.2.0

EMC strongly recommends all customers upgrade at the earliest opportunity.

Link to remedies:
Registered EMC Online Support customers can download patches and software from support.emc.com at https://support.emc.com/downloads/32697_DD-OS

If you have any questions, contact EMC support.

Read and use the information in this EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact EMC Software Technical Support at 1-877-534-2867.

For an explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with a particular security vulnerability.

EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall EMC or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

EMC Product Security Response Center
security_al...@emc.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Cygwin)

iEYEARECAAYFAldYcLUACgkQtjd2rKp+ALy/vACgxyoNSugQqR4fu5yv0z8Ny4pj
34QAnRkLeIvgR7D4jGM5s3pbePKUpw1K
=erAR
-----END PGP SIGNATURE-----
ESA-2016-072: EMC NetWorker Remote Code Execution Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ESA-2016-072: EMC NetWorker Remote Code Execution Vulnerability

EMC Identifier: ESA-2016-072
CVE Identifier: CVE-2016-0916
Severity Rating: CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected products:
EMC NetWorker 8.2.1.0 and all versions after

Summary:
EMC NetWorker contains a fix for a remote code execution vulnerability that could potentially be exploited by malicious users to compromise NetWorker systems.

Details:
A remote attacker from a NetWorker instance may execute commands, unauthenticated, on another NetWorker instance due to an unsafe authentication mechanism.

Resolution:
The following EMC NetWorker releases contain resolutions to these vulnerabilities:
EMC NetWorker version 8.2.2.6
EMC NetWorker version 8.2.3
EMC NetWorker version 9.0.0.6

EMC recommends all customers upgrade to one of the versions mentioned above at the earliest opportunity.

Link to remedies:
Customers can download software from two different locations:
https://support.emc.com/downloads/1095_NetWorker

Read and use the information in this EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact EMC Software Technical Support at 1-877-534-2867.

For an explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with a particular security vulnerability.

EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall EMC or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

EMC Product Security Response Center
security_al...@emc.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Cygwin)

iEYEARECAAYFAldYb98ACgkQtjd2rKp+ALx6VQCggMcR90kvL5XH3aDe/AoEwO0w
lwsAoMSzbQwZE4Z8oxp+7tOkk5IlqC2n
=d6dG
-----END PGP SIGNATURE-----
[security bulletin] HPSBMU03614 rev.1 - HPE Systems Insight Manager using Samba, Multiple Remote Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05166182

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c05166182
Version: 1

HPSBMU03614 rev.1 - HPE Systems Insight Manager using Samba, Multiple Remote Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2016-06-07
Last Updated: 2016-06-07

Potential Security Impact: Remote Unauthorized Identification of Valid Users, Unqualified Configuration Change

Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY
Security vulnerabilities in Samba could potentially impact HPE Systems Insight Manager. These vulnerabilities could be remotely exploited using man-in-the-middle (MITM) attacks resulting in unauthorized identification of valid users and unqualified configuration changes.

References:
- CVE-2016-2118
- PSRT110143

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Systems Insight Manager (HP SIM), All versions

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2016-2118    (AV:N/AC:M/Au:N/C:N/I:P/A:N)       4.3
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION
HPE Systems Insight Manager uses Samba from the system library on the system on which it is installed. Please update the Samba package on the operating system to mitigate this vulnerability.

HISTORY
Version:1 (rev.1) - 7 June 2016 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJXVyGaAAoJEGIGBBYqRO9/NDEIAIP5fD+T4HobPyRcRGzisXaJ
551ix4Ka4zemy+1YPz6MSPShS/8u2/ACOtB5VS7oooJTwiZd8Ja03tohHh5J+Kr1
zV2YOssbQIq0/ZWqOYekeN4w5cThLfcGYSWsPE1zOos+YbR0GHQZBejTKHI3+gg6
TiIfygp0npIuNnOxMplES1QpxOwyeECWtzwLH8/PgIiCCwvGPIZFLZhV+0+O3F2p
gzS9NSa9MWjdmPgO5AHaksrzx+uKoOm2Wj67NSr0pzQiRn5nkz58iZu0oslT3WXa
LQaik8DBGvBjKLnenzigZdNSRQMVfg9Tfl9LhlQVheDzxtv/96kU2J2AdQcDNnQ=
=wyxy
-----END PGP SIGNATURE-----
[security bulletin] HPSBMU03584 rev.2 - HPE Network Node Manager I (NNMi), Multiple Remote Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05103564

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c05103564
Version: 2

HPSBMU03584 rev.2 - HPE Network Node Manager I (NNMi), Multiple Remote Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2016-05-03
Last Updated: 2016-06-08

Potential Security Impact: Remote Authentication Bypass, Cross-Site Scripting (XSS), Disclosure of Information, Unauthorized Access

Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY
Multiple potential vulnerabilities have been addressed by HPE Network Node Manager I (NNMi). These vulnerabilities could be remotely exploited resulting in authentication bypass, Cross-Site Scripting (XSS), disclosure of information, or unauthorized access.

References:
- CVE-2016-2010 - Cross-Site Scripting (XSS)
- CVE-2016-2011 - Cross-Site Scripting (XSS)
- CVE-2016-2012 - Remote Authentication Bypass
- CVE-2016-2013 - Remote Disclosure of Information
- CVE-2016-2014 - Remote Unauthorized Data Access
- CVE-2012-6153 - Remote Disclosure of Information, Apache Commons HTTP Client
- CVE-2014-3577 - Remote Disclosure of Information, Apache Commons HTTP Client
- PSRT110087

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HPE Network Node Manager I (NNMi) Software versions 9.20, 9.20, 9.20, 9.23, 9.24, 9.25; 10.00, and 10.01

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2016-2010    (AV:N/AC:M/Au:S/C:N/I:P/A:P)       4.9
CVE-2016-2011    (AV:N/AC:M/Au:S/C:N/I:P/A:P)       4.9
CVE-2012-6153    (AV:N/AC:M/Au:N/C:N/I:P/A:N)       4.3
CVE-2014-3577    (AV:N/AC:M/Au:N/C:P/I:P/A:N)       5.8
CVE-2016-2012    (AV:N/AC:M/Au:N/C:P/I:P/A:P)       6.8
CVE-2016-2013    (AV:N/AC:M/Au:S/C:P/I:N/A:N)       3.5
CVE-2016-2014    (AV:N/AC:M/Au:S/C:N/I:C/A:C)       7.9
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION
HPE has made the following mitigation information available to resolve the vulnerabilities for HPE Network Node Manager i (NNMi).

+ NNMi version 9.2x
  **Note:** Requires that 9.2x series patch 5 is installed.
  - Windows
    https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM02020463
  - Linux
    https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/LID/NNM920L_00022
  - HP-UX
    https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/LID/NNM920H_00022
  - Solaris
    https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM02020460

+ NNMi version 10.0x
  - Windows
    https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01865498
  - Linux
    https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01865484

HISTORY
Version:1 (rev.1) - 3 May 2016 Initial release
Version:2 (rev.2) - 8 June 2016 Removed Apache Commons Collections (ACC) for handling Java object deserialization vulnerability since it has not been addressed in this bulletin

Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy.