Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2014.0250.2
HPSBST02955 rev.1 - HP XP P9000 Performance Advisor Software, 3rd party
Software Security - Apache Tomcat and Oracle Updates
5 March 2014
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: HP XP P9000 Performance Advisor
Publisher: Hewlett-Packard
Operating System: HP-UX
AIX
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Vista
Windows XP
SUSE
Solaris
Red Hat Enterprise Linux AS/ES/WS 3
Red Hat Enterprise Linux AS/ES/WS 4
Red Hat Enterprise Linux Server 5
Red Hat Enterprise Linux Server 6
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Access Privileged Data -- Remote/Unauthenticated
Modify Arbitrary Files -- Remote/Unauthenticated
Delete Arbitrary Files -- Remote/Unauthenticated
Cross-site Scripting -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Read-only Data Access -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Unauthorised Access -- Remote/Unauthenticated
Reduced Security -- Existing Account
Increased Privileges -- Existing Account
Cross-site Request Forgery -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2013-0397 CVE-2013-0381 CVE-2013-0372
CVE-2013-0366 CVE-2013-0364 CVE-2013-0363
CVE-2013-0361 CVE-2013-0354 CVE-2013-0352
CVE-2012-4534 CVE-2012-4431 CVE-2012-3546
CVE-2012-3219 CVE-2012-3190 CVE-2012-2733
CVE-2011-5064 CVE-2011-5063 CVE-2011-5062
CVE-2011-5035 CVE-2011-3190 CVE-2011-2729
CVE-2011-2526 CVE-2011-2481 CVE-2011-2204
CVE-2011-1184 CVE-2011-0534 CVE-2011-0013
CVE-2010-4172 CVE-2010-3718 CVE-2010-2227
CVE-2010-1157 CVE-2009-3548 CVE-2009-2902
CVE-2009-2901 CVE-2009-2693 CVE-2008-2370
CVE-2008-1947 CVE-2008-1232 CVE-2008-0002
CVE-2007-6286 CVE-2007-5461 CVE-2007-5342
CVE-2007-5333
Reference: ASB-2013.0007
ASB-2012.0060
ASB-2012.0009
ASB-2012.0008
ASB-2010.0030
ASB-2012.0024.2
ASB-2012.0023.2
ASB-2011.0064.2
Revision History: March 5 2014: Updated Potential Security Impact section
February 26 2014: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04047415
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04047415
Version: 2
HPSBST02955 rev.2 - HP XP P9000 Performance Advisor Software, 3rd party
Software Security - Apache Tomcat and Oracle Updates, Multiple
Vulnerabilities Affecting Confidentiality, Availability And Integrity
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2014-02-24
Last Updated: 2014-03-04
Potential Security Impact: Multiple vulnerabilities affecting
confidentiality, availability, and integrity
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in 3rd party software
used in HP XP P9000 Performance Advisor running Oracle and Apache Tomcat
Software. HP has updated the Apache Tomcat and Oracle database software to
address vulnerabilities affecting confidentiality, availability, and
integrity.
References: CVE-2013-0361 CVE-2013-0354 CVE-2013-0397 CVE-2012-3190
CVE-2013-0352 CVE-2012-3219 CVE-2013-0363 CVE-2013-0381 CVE-2011-5035
CVE-2013-0364 CVE-2013-0372 CVE-2013-0366 CVE-2009-2902 CVE-2009-2901
CVE-2009-2693 CVE-2009-3548 CVE-2010-2227 CVE-2010-1157 CVE-2010-3718
CVE-2011-0013 CVE-2010-4172 CVE-2011-3190 CVE-2011-1184 CVE-2011-5064
CVE-2011-5063 CVE-2011-5062 CVE-2007-5342 CVE-2007-6286 CVE-2007-5333
CVE-2008-0002 CVE-2007-5461 CVE-2011-2729 CVE-2011-2526 CVE-2011-2481
CVE-2011-2204 CVE-2012-2733 CVE-2012-4534 CVE-2012-4431 CVE-2012-3546
CVE-2011-0534 CVE-2008-2370 CVE-2008-1947 CVE-2008-1232, CPU-JAN-2013,
SSRT101157
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP XP P9000 Performance Advisor Software v5.4.1 and earlier
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2007-5333 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2007-5342 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
CVE-2007-5461 (AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5
CVE-2007-6286 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2008-0002 (AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8
CVE-2008-1232 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2008-1947 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2008-2370 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2009-2693 (AV:N/AC:M/Au:N/C:N/I:P/A:P) 5.8
CVE-2009-2901 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2009-2902 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2009-3548 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2010-1157 (AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6
CVE-2010-2227 (AV:N/AC:L/Au:N/C:P/I:N/A:P) 6.4
CVE-2010-3718 (AV:L/AC:H/Au:N/C:N/I:P/A:N) 1.2
CVE-2010-4172 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2011-0013 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2011-0534 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2011-1184 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2011-2204 (AV:L/AC:M/Au:N/C:P/I:N/A:N) 1.9
CVE-2011-2481 (AV:L/AC:L/Au:N/C:P/I:P/A:P) 4.6
CVE-2011-2526 (AV:L/AC:M/Au:N/C:P/I:P/A:P) 4.4
CVE-2011-2729 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2011-3190 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2011-5035 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2011-5062 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2011-5063 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2011-5064 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2012-2733 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2012-3190 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
CVE-2012-3219 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2012-3546 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2012-4431 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2012-4534 (AV:N/AC:H/Au:N/C:N/I:N/A:P) 2.6
CVE-2013-0352 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2013-0354 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2013-0361 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0363 (AV:N/AC:L/Au:N/C:C/I:N/A:N) 7.8
CVE-2013-0364 (AV:N/AC:L/Au:N/C:C/I:N/A:N) 7.8
CVE-2013-0366 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0372 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2013-0381 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
CVE-2013-0397 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided a software update, HP XP P9000 Performance Advisor Software
v5.5.1 to resolve this issue. To obtain the update, go to http://www.hp.com :
Select "Support"
Select "Download Drivers"
Search "find by product" for "HP P9000 Performance Advisor Software"
Select "HP P9000 Performance Advisor Software" and then choose the operating
system
Download "HP StorageWorks P9000 Performance Advisor Software" v5.5.1
HISTORY
Version:1 (rev.1) - 24 February 2014 Initial release
Version:2 (rev.2) - 4 March 2014 Updated Potential Security Impact section
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2014 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
iEYEARECAAYFAlMWfosACgkQ4B86/C0qfVlQYwCg+33qqk4HmG+M6Qy6ZdzRgj+N
khsAniulkPqWqBAaRNJfCoV9lFXyswNq
=EtSR
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUxbDIhLndAQH1ShLAQI6LA//Xk8lWKd2velHUXiLTXZWhd1JvOKAnOyP
HFrTGCWowscF55+24NuOmsehEuJHqKpek1lVxcc3avfFBNnWsQkN6X37lZhZLw73
RVPMNLSZxqFN600NNC6al3ybSJwQ8ilUqR4Yoa+L5iE0/YrCwvnhQNBqWq6OXUBC
x0PpFyzbVGbJKcdDwZwGYxd1obvawR4wJIlcw0fxTW5tJgb136CfD+9RPIvckNEZ
NsSBJ7PR7zwzZUJG9ZjEVa648cc+8sE0z3vnIkm17RgQu2AZ5LEQdGYJBOUkSHYZ
aAftTHK2cS+fEm1zhCRA7wlEytsEA+8HSiZOKrFB55NcYMc6lirMv8aarvYKDko5
xgO4gp5o0H38Zqn9IRmjJjWYYBaZHjTYtoue3CS1dJ/AKqp/25IFPLw2pFQDqvWc
ay9rZmy77AjxHxHA7pdhzSzNOL0gaQWDEwTHXnSCdN5KOMvqga9qHRK7vztdX8mx
TGTXZFc3gdkN7yWGcp+hsXTqtHxE5YfJ0+jnu4IM365OcqeDa3Ckc3lWMRkoPDWx
Xl53HC85/6rHL1EG+Ynam5EK4zsSHYBNlNpn6AOhXUBlr/IgdJryZ9oHGPiNcqjn
QTQdMXS4a4CTV98vdUValTlOELHZQBgb0gc3JxFjHC7MwrtJYI/ViMSo4mUGwgW5
7ErmR5jNKYk=
=FoEO
-----END PGP SIGNATURE-----