-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2014.0250.2
  HPSBST02955 rev.1 - HP XP P9000 Performance Advisor Software, 3rd party
           Software Security - Apache Tomcat and Oracle Updates
                               5 March 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          HP XP P9000 Performance Advisor
Publisher:        Hewlett-Packard
Operating System: HP-UX
                  AIX
                  Windows Server 2003
                  Windows Server 2008
                  Windows Server 2008 R2
                  Windows Vista
                  Windows XP
                  SUSE
                  Solaris
                  Red Hat Enterprise Linux AS/ES/WS 3
                  Red Hat Enterprise Linux AS/ES/WS 4
                  Red Hat Enterprise Linux Server 5
                  Red Hat Enterprise Linux Server 6
Impact/Access:    Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                  Access Privileged Data          -- Remote/Unauthenticated      
                  Modify Arbitrary Files          -- Remote/Unauthenticated      
                  Delete Arbitrary Files          -- Remote/Unauthenticated      
                  Cross-site Scripting            -- Remote/Unauthenticated      
                  Denial of Service               -- Remote/Unauthenticated      
                  Read-only Data Access           -- Remote/Unauthenticated      
                  Access Confidential Data        -- Remote/Unauthenticated      
                  Unauthorised Access             -- Remote/Unauthenticated      
                  Reduced Security                -- Existing Account            
                  Increased Privileges            -- Existing Account            
                  Cross-site Request Forgery      -- Remote with User Interaction
Resolution:       Patch/Upgrade
CVE Names:        CVE-2013-0397 CVE-2013-0381 CVE-2013-0372
                  CVE-2013-0366 CVE-2013-0364 CVE-2013-0363
                  CVE-2013-0361 CVE-2013-0354 CVE-2013-0352
                  CVE-2012-4534 CVE-2012-4431 CVE-2012-3546
                  CVE-2012-3219 CVE-2012-3190 CVE-2012-2733
                  CVE-2011-5064 CVE-2011-5063 CVE-2011-5062
                  CVE-2011-5035 CVE-2011-3190 CVE-2011-2729
                  CVE-2011-2526 CVE-2011-2481 CVE-2011-2204
                  CVE-2011-1184 CVE-2011-0534 CVE-2011-0013
                  CVE-2010-4172 CVE-2010-3718 CVE-2010-2227
                  CVE-2010-1157 CVE-2009-3548 CVE-2009-2902
                  CVE-2009-2901 CVE-2009-2693 CVE-2008-2370
                  CVE-2008-1947 CVE-2008-1232 CVE-2008-0002
                  CVE-2007-6286 CVE-2007-5461 CVE-2007-5342
                  CVE-2007-5333  

Reference:        ASB-2013.0007
                  ASB-2012.0060
                  ASB-2012.0009
                  ASB-2012.0008
                  ASB-2010.0030
                  ASB-2012.0024.2
                  ASB-2012.0023.2
                  ASB-2011.0064.2

Revision History: March     5 2014: Updated Potential Security Impact section
                  February 26 2014: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04047415

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04047415
Version: 2

HPSBST02955 rev.2 - HP XP P9000 Performance Advisor Software, 3rd party
Software Security - Apache Tomcat and Oracle Updates, Multiple
Vulnerabilities Affecting Confidentiality, Availability And Integrity

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-02-24
Last Updated: 2014-03-04

Potential Security Impact: Multiple vulnerabilities affecting
confidentiality, availability, and integrity

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in 3rd party software
used in HP XP P9000 Performance Advisor running Oracle and Apache Tomcat
Software. HP has updated the Apache Tomcat and Oracle database software to
address vulnerabilities affecting confidentiality, availability, and
integrity.

References: CVE-2013-0361 CVE-2013-0354 CVE-2013-0397 CVE-2012-3190
CVE-2013-0352 CVE-2012-3219 CVE-2013-0363 CVE-2013-0381 CVE-2011-5035
CVE-2013-0364 CVE-2013-0372 CVE-2013-0366 CVE-2009-2902 CVE-2009-2901
CVE-2009-2693 CVE-2009-3548 CVE-2010-2227 CVE-2010-1157 CVE-2010-3718
CVE-2011-0013 CVE-2010-4172 CVE-2011-3190 CVE-2011-1184 CVE-2011-5064
CVE-2011-5063 CVE-2011-5062 CVE-2007-5342 CVE-2007-6286 CVE-2007-5333
CVE-2008-0002 CVE-2007-5461 CVE-2011-2729 CVE-2011-2526 CVE-2011-2481
CVE-2011-2204 CVE-2012-2733 CVE-2012-4534 CVE-2012-4431 CVE-2012-3546
CVE-2011-0534 CVE-2008-2370 CVE-2008-1947 CVE-2008-1232, CPU-JAN-2013,
SSRT101157

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP XP P9000 Performance Advisor Software v5.4.1 and earlier

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2007-5333    (AV:N/AC:L/Au:N/C:P/I:N/A:N)        5.0
CVE-2007-5342    (AV:N/AC:L/Au:N/C:P/I:P/A:N)        6.4
CVE-2007-5461    (AV:N/AC:M/Au:S/C:P/I:N/A:N)        3.5
CVE-2007-6286    (AV:N/AC:M/Au:N/C:N/I:P/A:N)        4.3
CVE-2008-0002    (AV:N/AC:M/Au:N/C:P/I:P/A:N)        5.8
CVE-2008-1232    (AV:N/AC:M/Au:N/C:N/I:P/A:N)        4.3
CVE-2008-1947    (AV:N/AC:M/Au:N/C:N/I:P/A:N)        4.3
CVE-2008-2370    (AV:N/AC:L/Au:N/C:P/I:N/A:N)        5.0
CVE-2009-2693    (AV:N/AC:M/Au:N/C:N/I:P/A:P)        5.8
CVE-2009-2901    (AV:N/AC:M/Au:N/C:P/I:N/A:N)        4.3
CVE-2009-2902    (AV:N/AC:M/Au:N/C:N/I:P/A:N)        4.3
CVE-2009-3548    (AV:N/AC:L/Au:N/C:P/I:P/A:P)        7.5
CVE-2010-1157    (AV:N/AC:H/Au:N/C:P/I:N/A:N)        2.6
CVE-2010-2227    (AV:N/AC:L/Au:N/C:P/I:N/A:P)        6.4
CVE-2010-3718    (AV:L/AC:H/Au:N/C:N/I:P/A:N)        1.2
CVE-2010-4172    (AV:N/AC:M/Au:N/C:N/I:P/A:N)        4.3
CVE-2011-0013    (AV:N/AC:M/Au:N/C:N/I:P/A:N)        4.3
CVE-2011-0534    (AV:N/AC:L/Au:N/C:N/I:N/A:P)        5.0
CVE-2011-1184    (AV:N/AC:L/Au:N/C:P/I:N/A:N)        5.0
CVE-2011-2204    (AV:L/AC:M/Au:N/C:P/I:N/A:N)        1.9
CVE-2011-2481    (AV:L/AC:L/Au:N/C:P/I:P/A:P)        4.6
CVE-2011-2526    (AV:L/AC:M/Au:N/C:P/I:P/A:P)        4.4
CVE-2011-2729    (AV:N/AC:L/Au:N/C:P/I:N/A:N)        5.0
CVE-2011-3190    (AV:N/AC:L/Au:N/C:P/I:P/A:P)        7.5
CVE-2011-5035    (AV:N/AC:L/Au:N/C:N/I:N/A:P)        5.0
CVE-2011-5062    (AV:N/AC:L/Au:N/C:P/I:N/A:N)        5.0
CVE-2011-5063    (AV:N/AC:M/Au:N/C:P/I:N/A:N)        4.3
CVE-2011-5064    (AV:N/AC:M/Au:N/C:P/I:N/A:N)        4.3
CVE-2012-2733    (AV:N/AC:L/Au:N/C:N/I:N/A:P)        5.0
CVE-2012-3190    (AV:N/AC:L/Au:N/C:P/I:P/A:N)        6.4
CVE-2012-3219    (AV:N/AC:M/Au:N/C:N/I:P/A:N)        4.3
CVE-2012-3546    (AV:N/AC:M/Au:N/C:N/I:P/A:N)        4.3
CVE-2012-4431    (AV:N/AC:M/Au:N/C:N/I:P/A:N)        4.3
CVE-2012-4534    (AV:N/AC:H/Au:N/C:N/I:N/A:P)        2.6
CVE-2013-0352    (AV:N/AC:M/Au:N/C:N/I:P/A:N)        4.3
CVE-2013-0354    (AV:N/AC:M/Au:N/C:N/I:P/A:N)        4.3
CVE-2013-0361    (AV:N/AC:L/Au:N/C:C/I:C/A:C)       10.0
CVE-2013-0363    (AV:N/AC:L/Au:N/C:C/I:N/A:N)        7.8
CVE-2013-0364    (AV:N/AC:L/Au:N/C:C/I:N/A:N)        7.8
CVE-2013-0366    (AV:N/AC:L/Au:N/C:C/I:C/A:C)       10.0
CVE-2013-0372    (AV:N/AC:M/Au:N/C:N/I:P/A:N)        4.3
CVE-2013-0381    (AV:N/AC:L/Au:N/C:P/I:P/A:N)        6.4
CVE-2013-0397    (AV:N/AC:L/Au:N/C:P/I:P/A:N)        6.4
===========================================================
             Information on CVSS is documented
            in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided a software update, HP XP P9000 Performance Advisor Software
v5.5.1 to resolve this issue. To obtain the update, go to http://www.hp.com :

Select "Support"
Select "Download Drivers"
Search "find by product" for "HP P9000 Performance Advisor Software"
Select "HP P9000 Performance Advisor Software" and then choose the operating
system
Download "HP StorageWorks P9000 Performance Advisor Software" v5.5.1

HISTORY
Version:1 (rev.1) - 24 February 2014 Initial release
Version:2 (rev.2) - 4 March 2014 Updated Potential Security Impact section

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2014 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iEYEARECAAYFAlMWfosACgkQ4B86/C0qfVlQYwCg+33qqk4HmG+M6Qy6ZdzRgj+N
khsAniulkPqWqBAaRNJfCoV9lFXyswNq
=EtSR
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUxbDIhLndAQH1ShLAQI6LA//Xk8lWKd2velHUXiLTXZWhd1JvOKAnOyP
HFrTGCWowscF55+24NuOmsehEuJHqKpek1lVxcc3avfFBNnWsQkN6X37lZhZLw73
RVPMNLSZxqFN600NNC6al3ybSJwQ8ilUqR4Yoa+L5iE0/YrCwvnhQNBqWq6OXUBC
x0PpFyzbVGbJKcdDwZwGYxd1obvawR4wJIlcw0fxTW5tJgb136CfD+9RPIvckNEZ
NsSBJ7PR7zwzZUJG9ZjEVa648cc+8sE0z3vnIkm17RgQu2AZ5LEQdGYJBOUkSHYZ
aAftTHK2cS+fEm1zhCRA7wlEytsEA+8HSiZOKrFB55NcYMc6lirMv8aarvYKDko5
xgO4gp5o0H38Zqn9IRmjJjWYYBaZHjTYtoue3CS1dJ/AKqp/25IFPLw2pFQDqvWc
ay9rZmy77AjxHxHA7pdhzSzNOL0gaQWDEwTHXnSCdN5KOMvqga9qHRK7vztdX8mx
TGTXZFc3gdkN7yWGcp+hsXTqtHxE5YfJ0+jnu4IM365OcqeDa3Ckc3lWMRkoPDWx
Xl53HC85/6rHL1EG+Ynam5EK4zsSHYBNlNpn6AOhXUBlr/IgdJryZ9oHGPiNcqjn
QTQdMXS4a4CTV98vdUValTlOELHZQBgb0gc3JxFjHC7MwrtJYI/ViMSo4mUGwgW5
7ErmR5jNKYk=
=FoEO
-----END PGP SIGNATURE-----