Published:
09 August 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0752
  HP Arcsight Logger and Connector appliances cross-site scripting vulnerability
                               9 August 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           HP Arcsight Logger
                   HP Arcsight Connector
Publisher:         US-CERT
Impact/Access:     Increased Privileges     -- Remote with User Interaction
                   Cross-site Scripting     -- Remote with User Interaction
                   Access Confidential Data -- Remote with User Interaction
Resolution:        Mitigation
CVE Names:         CVE-2012-2960

Original Bulletin:
   http://www.kb.cert.org/vuls/id/960468

Comment: There is currently no patch at the time of publication for this
         vulnerability. The recommended mitigation is to not import host
         files from untrusted sources.

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability Note VU#960468

HP Arcsight Logger and Connector appliances cross-site scripting vulnerability

Original Release date: 06 Aug 2012 | Last revised: 06 Aug 2012

Overview

HP's Arcsight Connector appliance v6.2.0.6244.0 and Arcsight Logger appliance
v5.2.0.6288.0 (and possibly other versions) contain a file import facility
which is vulnerable to cross-site scripting (XSS).

Description

The supplied facility for importing host data from a file (System Admin Tab |
Network | Hosts | Import from Local File) to the HP Arcsight Connector or HP
Arcsight Logger appliances fails to sanitize input for cross-site scripting
attacks. An attacker with write access to the file that will be imported can
add javascript code into the file. This code will be run in the security
context of the appliance administrative web GUI when the file is imported.
Impact

A remote attacker may, by luring a user into importing a malicious host file,
be able to disclose sensitive information, steal user cookies, or escalate
privileges.

Solution

We are currently unaware of a practical solution to this problem.

Do not import host files from untrusted sources

Attackers must deliver a malicious host file to, or modify an existing file
on, a vulnerable system in order to take advantage of this vulnerability. By
only accessing host files, which cannot be modified by unprivileged users,
from known and trusted sources the chances of exploitation are reduced.

Vendor Information

Vendor                   Status    Date Notified  Date Updated
Hewlett-Packard Company  Affected  02 May 2012    12 Jun 2012

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           1.7    AV:L/AC:L/Au:S/C:N/I:P/A:N
Temporal       1.3    E:U/RL:U/RC:UC
Environmental  0.5    CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

http://www.arcsight.com/products/products-logger/
http://www.arcsight.com/products/products-connectors/

Credit

Thanks to Michael Rutkowski of Duer Advanced Technology and Aerospace, Inc
(DATA) for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs:              CVE-2012-2960
Date Public:          06 Aug 2012
Date First Published: 06 Aug 2012
Date Last Updated:    06 Aug 2012
Document Revision:    11

Feedback

If you have feedback, comments, or additional information about this
vulnerability, please send us email.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUCM9ze4yVqjM2NGpAQKSRRAAuU+ZxA/D6cTXYYf/llV/hrLQQ/y6IqLL
H+C4CA2L8t/UZsKheCObf+e3BMw4Nh/MaRqM7LNGRMFm3XTICCAfnGJMP73ZdzjI
b6kDGR8K/brq9YzTAJtohrQZHWfX1ZM46m8E2JtvR9DPc3zV4TzldCzt7z0/yuBy
dOiwTKmt3Oic9Bknw2batwD4L/yqgMrQm2dqikxzK/3q2pDPSc8VoOSo53vdbySl
F6HiyQtJabqvuPl4KfgjGvMQO0RPjKJXX9Gg8rTQToV+QNdExvT/M4U8A3ousvAX
v2jZNMBuLRhzoM769U1T8kFHMuzfZgeC+0wpJUEAztjDlqDZP2oAswY3Olg2tL18
Cb0OOiK7Fdvz7m/TwNevbq1U/nz4nv6rbkU1KRjZQGQI5edXXbBEmUDLHZstw2Ki
o3ficv0pmLCuVws2GpLkxQv5fRF4swX3pLeZfq1wsfuzuFIlfIdDAlyYNU6y+HQh
p8YgQzxLa+rTyr6qsuPMi7pMqGcuAzrdyWrLcKIBQ3KjWYInTT6RGQgfvYxTgOj8
kZFzaDhcf9PZbNB2taGlAhx0G4P25ysGeDLgfRm4QghY/CY9m8l++P8tvdfg9O4v
AkrDFRDgpvJGP6EzviWWBCLI78opx6DzhApQNQBuzmgeAY3YroNHrvq58RGd8rbz
W6N2Vm431Iw=
=h/7a
-----END PGP SIGNATURE-----
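The Description section above attributes the problem to an import facility that reads host entries from a file and then reflects them into the administrative web GUI without sanitizing them. The following is an added example, not code from HP, ArcSight, US-CERT or AusCERT, of how a host-file importer can close that class of bug: it validates each record against what a host entry can legitimately contain (an IP address followed by one or more RFC 1123 hostnames, assuming a hosts(5)-style line format, which is an assumption since the advisory does not describe the file layout) and, as a second layer, HTML-escapes every field when it is rendered. The sample input is constructed for the example.

```python
import html
import ipaddress
import re

# One hostname label: letters, digits and hyphens, no leading or trailing
# hyphen, 1-63 characters. This is the RFC 1123 hostname rule; anything
# outside this alphabet (angle brackets, quotes, slashes) cannot be a
# hostname and is rejected before it reaches the UI.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """Return True if name is a syntactically valid hostname (allow-list)."""
    if not name or len(name) > 253:
        return False
    if name.endswith("."):            # tolerate a trailing FQDN dot
        name = name[:-1]
    return all(_LABEL_RE.match(label) for label in name.split("."))


def is_valid_ip(text: str) -> bool:
    """Return True if text is a literal IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_hosts_file(data: str):
    """Parse hosts(5)-style text (assumed format, not the appliance's own).

    Returns (accepted, rejected): accepted is a list of (ip, [hostnames]);
    rejected is a list of (line_number, raw_line) that failed validation.
    Rejected lines are recorded, not silently dropped, so an import of a
    tampered file shows up in the audit log instead of disappearing.
    """
    accepted, rejected = [], []
    for lineno, raw in enumerate(data.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()    # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        ok = (len(fields) >= 2
              and is_valid_ip(fields[0])
              and all(is_valid_hostname(h) for h in fields[1:]))
        if not ok:
            rejected.append((lineno, raw))
            continue
        accepted.append((fields[0], fields[1:]))
    return accepted, rejected


def render_hosts_table(accepted) -> str:
    """Render accepted entries as an HTML table.

    Every cell is passed through html.escape even though the data was already
    validated: output encoding is applied at the sink regardless of what the
    source was trusted to contain (defence in depth).
    """
    rows = []
    for ip, names in accepted:
        cells = "".join(
            f"<td>{html.escape(value, quote=True)}</td>"
            for value in (ip, " ".join(names))
        )
        rows.append(f"<tr>{cells}</tr>")
    return "<table>" + "".join(rows) + "</table>"


# Constructed sample input; not taken from the advisory. Lines 5-7 are
# malformed in different ways (illegal character, missing hostname, bad IP).
SAMPLE_HOSTS = """# constructed example hosts file
127.0.0.1    localhost
10.0.0.5     logger01.example.internal logger01
2001:db8::10 connector01.example.internal
10.0.0.6     bad<host
10.0.0.7
not-an-ip    host02
"""


if __name__ == "__main__":
    good, bad = parse_hosts_file(SAMPLE_HOSTS)
    for ip, names in good:
        print("accepted:", ip, names)
    for lineno, raw in bad:
        print(f"rejected line {lineno}: {raw!r}")
    print(render_hosts_table(good))
```

The allow-list check is what prevents the class of bug the advisory describes: a host entry that is not an address plus hostnames is refused at import time, so there is nothing for the GUI to reflect. The escaping in `render_hosts_table` is kept anyway so that a future change to the accepted grammar, or a second code path that bypasses the parser, does not reopen the sink.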