===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1323.3
       HPSBGN02925 rev.2 - HP IceWall SSO, IceWall File Manager and
  IceWall Federation Agent, Multiple Remote Unauthorized Access Vulnerabilities
                               19 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           HP IceWall SSO
                   HP IceWall File Manager
                   HP IceWall Federation Agent
Publisher:         Hewlett-Packard
Operating System:  HP-UX
                   Red Hat
                   Windows
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-4820 CVE-2013-4819 CVE-2013-4818 CVE-2013-4817

Revision History:  January   19 2018: Updated URL for download in Resolution
                                      Section
                   November  30 2015: Updates available for IceWall SSO 10.0
                                      Smart Device, IceWall SSO 10.0 DFW,
                                      IceWall SSO 10.0 Agent Option, IceWall
                                      Federation Agent, IceWall SSO 8.0 R1
                                      CERTD, and IceWall SSO 10.0 JAVA Agent
                                      Library. Corrected update product name
                                      for IceWall SSO 8.0 Agent Option 2007
                                      Update Release 2 Patch Release 5 IIS
                                      edition.
                   September 20 2013: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

HPSBGN02925 rev.3 - HP IceWall SSO, IceWall File Manager and IceWall
Federation Agent, Multiple Remote Unauthorized Access Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-01-12
Last Updated: 2018-01-12

Potential Security Impact: Remote: Unauthorized Access

Source: Hewlett Packard Enterprise, HPE Product Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP IceWall SSO,
IceWall File Manager and IceWall Federation Agent. The vulnerabilities could
be exploited remotely resulting in unauthorized access.
References:

  o CVE-2013-4817
  o CVE-2013-4818
  o CVE-2013-4819
  o CVE-2013-4820

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  o IceWall Federation Agent 3.0
  o IceWall File Manager 3.0
  o IceWall SSO Agent Option 8.0, 8.0(2007), and 10.0
    - Included JAVA Agent Library and SAML2 Agent Option
  o IceWall SSO certd 8.0, 8.0.1 (8.0 R1), 8.0 R2, 8.0 R3 and 10.0
  o IceWall SSO Dfw 8.0, 8.0.1 (8.0 R1), 8.0 R2, 8.0 R3 and 10.0
  o IceWall SSO Smart Device Option 10.0

BACKGROUND

CVSS Version 3.0 and Version 2.0 Base Metrics

  Reference      V3 Vector                                    V3 Base Score
                 V2 Vector                                    V2 Base Score
  -------------  -------------------------------------------- -------------
  CVE-2013-4817  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N       5.3
                 (AV:N/AC:L/Au:N/C:P/I:N/A:N)                       5.0
  CVE-2013-4818  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N       5.3
                 (AV:N/AC:M/Au:N/C:P/I:N/A:N)                       4.3
  CVE-2013-4819  CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N       4.3
                 (AV:N/AC:M/Au:S/C:P/I:N/A:N)                       3.5
  CVE-2013-4820  CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N       3.1
                 (AV:N/AC:H/Au:S/C:P/I:N/A:N)                       2.1

  Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002

RESOLUTION

HPE has made the following software updates available to resolve the
vulnerabilities:

  o IceWall SSO 10.0 DFW for Windows Patch Release 1
  o IceWall SSO 8.0 R2 CERTD Patch Release 7
  o IceWall SSO 8.0 R3 CERTD Patch Release 4
  o IceWall SSO 10.0 CERTD Patch Release 5
  o IceWall SSO 10.0 CERTD for Windows Patch Release 1
  o IceWall SSO 10.0 Agent Option Patch Release 2 Servlet edition
  o IceWall SSO 8.0 Agent Option 2007 Update Release 2 Patch Release 5 IIS
    edition
  o IceWall SSO 10.0 Agent Option Patch Release 1 IIS edition
  o IceWall SSO 10.0 Smart Device Option Patch Release 1
  o IceWall SSO 10.0 DFW Patch Release 7
  o IceWall SSO 10.0 Agent Option Patch Release 3 Apache edition
  o IceWall Federation Agent 3.0 Patch Release 2
  o IceWall SSO 8.0 R1 CERTD Patch Release 2
  o IceWall SSO 8.0 CERTD Patch Release 1
  o IceWall SSO 10.0 JAVA Agent Library Patch Release 1
  o IceWall SSO 8.0 JAVA Agent Library 2007 Update Release 2 Patch Release 1
HPE has provided a mitigation workaround for the vulnerabilities for the
following products:

  o HP IceWall SSO Version 8.0
  o HP IceWall SSO Version 8.0 Enterprise Edition R1
  o HP IceWall SSO Version 8.0.1 Standard Edition
  o HP IceWall SSO Version 8.0 R2 Enterprise Edition
  o HP IceWall SSO Version 8.0 R2 Standard Edition
  o HP IceWall SSO Version 8.0 R3 Enterprise Edition
  o HP IceWall SSO Version 8.0 R3 Standard Edition
  o HP IceWall SSO Version 10.0 Enterprise Edition
  o HP IceWall SSO Version 10.0 Standard Edition
  o HP IceWall SSO Version 8.0 Agent Option
  o HP IceWall SSO Version 8.0 Agent Option 2007
  o HP IceWall SSO Version 10.0 Agent Option
  o HP IceWall SSO Version 10.0 Agent Option Update Release 1
  o HP IceWall File Manager Version 3.0
  o HP IceWall File Manager Version 3.0 SP1
  o HP IceWall File Manager Version 3.0 SP2
  o HP IceWall File Manager Version 3.0 SP3
  o HP IceWall File Manager Version 3.0 SP4
  o HP IceWall SSO 8.0 SAML2 Agent Option
  o HP IceWall Federation Agent 3.0
  o HP IceWall SSO 8.0 JAVA Agent Library
  o HP IceWall SSO 8.0 JAVA Agent Library 2007
  o HP IceWall SSO 10.0 JAVA Agent Library
  o HP IceWall SSO 10.0 Smart Device Option

HPE IceWall customers can download the software updates and mitigation
workaround information by following the instructions at the following
location:

  http://www.hpe.com/jp/icewall_patchaccess

Please note that the HPE IceWall product is only available in Japan.

HISTORY

  o Version:1 (rev.1) - 19 September 2013 Initial release
  o Version:2 (rev.2) - 27 November 2015 Updates available for IceWall SSO
    10.0 Smart Device, IceWall SSO 10.0 DFW, IceWall SSO 10.0 Agent Option,
    IceWall Federation Agent, IceWall SSO 8.0 R1 CERTD, and IceWall SSO 10.0
    JAVA Agent Library. Corrected update product name for IceWall SSO 8.0
    Agent Option 2007 Update Release 2 Patch Release 5 IIS edition.
  o Version:3 (rev.3) - 12 January 2018 Updated URL for download in
    Resolution Section

Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch
management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel.

For other issues about the content of this Security Bulletin, send e-mail to
security-alert@hpe.com.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================