-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2013.1323.3
   HPSBGN02925 rev.2 - HP IceWall SSO, IceWall File Manager and IceWall
   Federation Agent, Multiple Remote Unauthorized Access Vulnerabilities
                              19 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          HP IceWall SSO
                  HP IceWall File Manager
                  HP IceWall Federation Agent
Publisher:        Hewlett-Packard
Operating System: HP-UX
                  Red Hat
                  Windows
Impact/Access:    Unauthorised Access -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2013-4820 CVE-2013-4819 CVE-2013-4818
                  CVE-2013-4817  

Revision History: January   19 2018: Updated URL for download in Resolution Section
                  November  30 2015: Updates available for IceWall SSO 10.0 Smart Device, IceWall SSO 10.0 DFW, IceWall SSO 10.0 Agent Option, IceWall Federation Agent, IceWall SSO 8.0 R1 CERTD, and IceWall SSO 10.0 JAVA Agent Library. Corrected update product name for IceWall SSO 8.0 Agent Option 2007 Update Release 2 Patch Release 5 IIS edition.
                  September 20 2013: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

HPSBGN02925 rev.3 - HP IceWall SSO, IceWall File Manager and IceWall Federation
Agent, Multiple Remote Unauthorized Access Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as soon
as possible.

Release Date: 2018-01-12

Last Updated: 2018-01-12



Potential Security Impact: Remote: Unauthorized Access

Source: Hewlett Packard Enterprise, HPE Product Security Response Team

VULNERABILITY SUMMARY

Potential security vulnerabilities have been identified with HP IceWall SSO,
IceWall File Manager and IceWall Federation Agent. The vulnerabilities could be
exploited remotely resulting in unauthorized access.

References:

  o CVE-2013-4817
  o CVE-2013-4818
  o CVE-2013-4819
  o CVE-2013-4820

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  o IceWall Federation Agent 3.0
  o IceWall File Manager 3.0
  o IceWall SSO Agent Option 8.0, 8.0(2007), and 10.0 - Included JAVA Agent
    Library and SAML2 Agent Option
  o IceWall SSO certd 8.0, 8.0.1 (8.0 R1), 8.0 R2, 8.0 R3 and 10.0
  o IceWall SSO Dfw 8.0, 8.0.1 (8.0 R1), 8.0 R2, 8.0 R3 and 10.0
  o IceWall SSO Smart Device Option 10.0

BACKGROUND

CVSS Version 3.0 and Version 2.0 Base Metrics

  Reference            V3 Vector           V3 Base      V2 Vector      V2 Base
                                            Score                       Score

CVE-2013-4817  CVSS:3.0/AV:N/AC:L/PR:N/    5.3       (AV:N/AC:L/Au:N/  5.0
               UI:N/S:U/C:L/I:N/A:N                  C:P/I:N/A:N)

CVE-2013-4818  CVSS:3.0/AV:N/AC:L/PR:N/    5.3       (AV:N/AC:M/Au:N/  4.3
               UI:N/S:U/C:L/I:N/A:N                  C:P/I:N/A:N)

CVE-2013-4819  CVSS:3.0/AV:N/AC:L/PR:N/    4.3       (AV:N/AC:M/Au:S/  3.5
               UI:R/S:U/C:L/I:N/A:N                  C:P/I:N/A:N)

CVE-2013-4820  CVSS:3.0/AV:N/AC:H/PR:N/    3.1       (AV:N/AC:H/Au:S/  2.1
               UI:R/S:U/C:L/I:N/A:N                  C:P/I:N/A:N)

Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002

RESOLUTION

HPE has made the following software updates available to resolve the
vulnerabilities:

  o IceWall SSO 10.0 DFW for Windows Patch Release 1

  o IceWall SSO 8.0 R2 CERTD Patch Release 7

  o IceWall SSO 8.0 R3 CERTD Patch Release 4

  o IceWall SSO 10.0 CERTD Patch Release 5

  o IceWall SSO 10.0 CERTD for Windows Patch Release 1

  o IceWall SSO 10.0 Agent Option Patch Release 2 Servlet edition

  o IceWall SSO 8.0 Agent Option 2007 Update Release 2 Patch Release 5 IIS
    edition

  o IceWall SSO 10.0 Agent Option Patch Release 1 IIS edition

  o IceWall SSO 10.0 Smart Device Option Patch Release 1

  o IceWall SSO 10.0 DFW Patch Release 7

  o IceWall SSO 10.0 Agent Option Patch Release 3 Apache edition

  o IceWall Federation Agent 3.0 Patch Release 2

  o IceWall SSO 8.0 R1 CERTD Patch Release 2

  o IceWall SSO 8.0 CERTD Patch Release 1

  o IceWall SSO 10.0 JAVA Agent Library Patch Release 1

  o IceWall SSO 8.0 JAVA Agent Library 2007 Update Release 2 Patch Release 1

HPE has provided a mitigation workaround for the vulnerabilities for the
following products:

  o HP IceWall SSO Version 8.0

  o HP IceWall SSO Version 8.0 Enterprise Edition R1

  o HP IceWall SSO Version 8.0.1 Standard Edition

  o HP IceWall SSO Version 8.0 R2 Enterprise Edition

  o HP IceWall SSO Version 8.0 R2 Standard Edition

  o HP IceWall SSO Version 8.0 R3 Enterprise Edition

  o HP IceWall SSO Version 8.0 R3 Standard Edition

  o HP IceWall SSO Version 10.0 Enterprise Edition

  o HP IceWall SSO Version 10.0 Standard Edition

  o HP IceWall SSO Version 8.0 Agent Option

  o HP IceWall SSO Version 8.0 Agent Option 2007

  o HP IceWall SSO Version 10.0 Agent Option

  o HP IceWall SSO Version 10.0 Agent Option Update Release 1

  o HP IceWall File Manager Version 3.0

  o HP IceWall File Manager Version 3.0 SP1

  o HP IceWall File Manager Version 3.0 SP2

  o HP IceWall File Manager Version 3.0 SP3

  o HP IceWall File Manager Version 3.0 SP4

  o HP IceWall SSO 8.0 SAML2 Agent Option

  o HP IceWall Federation Agent 3.0

  o HP IceWall SSO 8.0 JAVA Agent Library

  o HP IceWall SSO 8.0 JAVA Agent Library 2007

  o HP IceWall SSO 10.0 JAVA Agent Library

  o HP IceWall SSO 10.0 Smart Device Option

HPE IceWall customers can download the software updates and mitigation
workaround information by following the instructions at the following location:

http://www.hpe.com/jp/icewall_patchaccess

Please note that the HPE IceWall product is only available in Japan.

HISTORY

  o Version:1 (rev.1) - 19 September 2013 Initial release
  o Version:2 (rev.2) - 27 November 2015 Updates available for IceWall SSO 10.0
    Smart Device, IceWall SSO 10.0 DFW, IceWall SSO 10.0 Agent Option, IceWall
    Federation Agent, IceWall SSO 8.0 R1 CERTD, and IceWall SSO 10.0 JAVA Agent
    Library. Corrected update product name for IceWall SSO 8.0 Agent Option
    2007 Update Release 2 Patch Release 5 IIS edition.
  o Version:3 (rev.3) - 12 January 2018 Updated URL for download in Resolution
    Section

Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software products
should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hpe.com.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWmFKvIx+lLeg9Ub1AQh3Ug/+KQdM3UlnwHL6pse+WTBUlOFR8G4uA2Td
QU9wem3Sc5C7A9tqOKVtHr+xbM0AAUVHD8DLHJzR24DDgTrrToJiiqvpyDTvarqe
qGHYKaoTNpTXUZnI+zGe1LM1TD+8Iedc0GeadBP/ZZ3B2aZEyh5Xq2KIJR9Bya3T
l47a7jENaKZKX1SVJ39RgS8qcdXB5DwoYpXKkANak7xVnwK587RU8G9yRs9xhd3O
9L4jQ9LDvxe719KqwLq+rgUS9R5QXB+FRLzdHDP0k8TS5XJtjIBRBfQGZNTaP6Cb
PhfcDJ9kt8fy55YeY8OyCJyRYkKrLQK6UXQXnqoMn0GhQi/o39FRcmliSByZe6yW
1JfCKLqLjmQF4lGHaoPOM7hPGdu3T8li5fTLSMeKqUyIsXuxKirP2yFUlJw0DQDV
sZ1IAA1uJ//33HBL+B1WYqijRu96LrxfWnef3RE0pyH7jxR8MV3A3JBBFp4z3RcQ
MLyGR33VkBxZYcrlHMvsGIQV6oCPc7dO7wpBISYXV/nhzPnWFmwqO8Hjp7Ta8wLp
/weiIB7eh3kJWkMeIFgve3AlqU0Pb/z7qhOQgnbj9HfgTa8uDf8ldE1igmuZxmpL
enrBvFEHa+nDDlO1BUOejCTaa1CeVQVeW6fpViv856xdYqNLlRNfe1AzrfNLMDKK
W8zsb2Ih2ls=
=85tQ
-----END PGP SIGNATURE-----