-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0730
  Critical vulnerabilities patched in Hewlett-Packard XP Command View software
                               13 March 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           HPE XP Command View
Publisher:         Hewlett-Packard
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-8988 CVE-2017-7679 CVE-2017-7668 CVE-2017-5641

Original Bulletin:
   https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03821en_us
   https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03822en_us
   https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03823en_us

Comment: This bulletin contains three (3) Hewlett-Packard security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: hpesbhf03822en_us
Version: 1

HPESBHF03822 rev.1 - HPE XP Command View AE Suite (XPCVAE), Remote Bypass of
Security Restrictions

NOTICE: The information in this Security Bulletin should be acted upon as soon
as possible.

Release Date: 2018-03-03
Last Updated: 2018-03-03

Potential Security Impact: Remote: Bypass Security Restrictions

Source: Hewlett Packard Enterprise, HPE Product Security Response Team

VULNERABILITY SUMMARY

The HPE XP Command View AE Suite (XPCVAE) products (excluding server
components) contain an XML eXternal Entity vulnerability.

  * DevMgr earlier than 8.5.3-00 (for Windows, Linux) (Note 1)
  * RepMgr earlier than 8.5.3-00 (for Windows, Linux) (Note 2)
  * HDLM earlier than 8.5.3-00 (for Windows, Linux, Solaris, AIX)

References: CVE-2017-8988

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  * HP XP Command View Advanced Edition Software earlier than 8.5.3-00

BACKGROUND

CVSS Version 3.0 and Version 2.0 Base Metrics

  Reference      V3 Vector                                      V3 Base Score
                 V2 Vector                                      V2 Base Score
  CVE-2017-8988  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L    7.3
                 (AV:N/AC:L/Au:N/C:P/I:P/A:P)                    7.5

Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002

RESOLUTION

The HPE XP Command View AE Suite (XPCVAE) products (excluding server
components) have resolved this issue with the following update versions:

  * DevMgr 8.5.3-00
    Note 1: Apply Device Manager agent 8.5.0-06 that is bundled with this
    fixed version.
  * RepMgr 8.5.3-00
    Note 2: Apply Application Agent 8.5.3-00 (for Windows) that is bundled
    with this fixed version.
  * HDLM 8.5.3-00

HISTORY
Version:1 (rev.1) - 2 March 2018 Initial release

- --------------------------------------------------------------------------------

HPESBHF03821 rev.1 - HPE XP Command View AE Suite (XPCVAE), Remote Denial of
Service

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: hpesbhf03821en_us
Version: 1

HPESBHF03821 rev.1 - HPE XP Command View AE Suite (XPCVAE), Remote Denial of
Service

NOTICE: The information in this Security Bulletin should be acted upon as soon
as possible.

Release Date: 2018-03-03
Last Updated: 2018-03-03

Potential Security Impact: Local: Denial of Service (DoS); Remote: Denial of
Service (DoS)

Source: Hewlett Packard Enterprise, HPE Product Security Response Team

VULNERABILITY SUMMARY

Certain HPE XP Command View AE Suite (XPCVAE) components contain a
vulnerability that makes them susceptible to denial of service (DoS) attacks.
  * Device Manager (DevMgr)
  * Replication Manager (RepMgr)
  * Tiered Storage Manager (TSMgr)
  * Automation Director (AutoDir)
  * Configuration Manager (CM)

References:

  * CVE-2017-7668 - Apache httpd
  * CVE-2017-7679 - httpd mod_mime

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  * HP XP Command View Advanced Edition Software earlier than 8.5.3-00

BACKGROUND

CVSS Version 3.0 and Version 2.0 Base Metrics

  Reference      V3 Vector                                      V3 Base Score
                 V2 Vector                                      V2 Base Score
  CVE-2017-7668  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L    7.3
                 (AV:N/AC:L/Au:N/C:P/I:P/A:P)                    7.5
  CVE-2017-7679  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L    7.3
                 (AV:N/AC:L/Au:N/C:P/I:P/A:P)                    7.5

Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002

RESOLUTION

HPE has provided XP Command View AE Suite (XPCVAE) product updates to resolve
the vulnerabilities. Upgrade to the versions:

  * DevMgr 8.5.3-00
  * RepMgr 8.5.3-00
  * TSMgr 8.5.3-00
  * AutoDir 8.5.3-00
  * CM 8.5.4-00

HISTORY
Version:1 (rev.1) - 2 March 2018 Initial release

- --------------------------------------------------------------------------------

HPESBHF03823 rev.1 - HPE XP Command View Advanced Edition Software (CVAE),
Remote Arbitrary Code Execution

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: hpesbhf03823en_us
Version: 1

HPESBHF03823 rev.1 - HPE XP Command View Advanced Edition Software (CVAE),
Remote Arbitrary Code Execution

NOTICE: The information in this Security Bulletin should be acted upon as soon
as possible.

Release Date: 2018-03-03
Last Updated: 2018-03-03

Potential Security Impact: Remote: Arbitrary Code Execution

Source: Hewlett Packard Enterprise, HPE Product Security Response Team

VULNERABILITY SUMMARY

A vulnerability in HPE XP Command View Advanced Edition Software (CVAE) was
found. The vulnerability allows for remote execution of arbitrary code.

References: CVE-2017-5641 - Apache Flex BlazeDS

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  * HP XP Command View Advanced Edition Software earlier than 8.5.3-00

BACKGROUND

CVSS Version 3.0 and Version 2.0 Base Metrics

  Reference      V3 Vector                                      V3 Base Score
                 V2 Vector                                      V2 Base Score
  CVE-2017-5641  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H    9.8
                 (AV:N/AC:L/Au:N/C:P/I:P/A:P)                    7.5

Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002

RESOLUTION

HPE has provided a resolution for the vulnerability in HPE XP Command View
Advanced Edition Software (CVAE). Apply the following updates:

  * DevMgr 8.5.3-00 (Vulnerabilities in RepMgr and TSMgr will be resolved
    when DevMgr is upgraded)
  * AutoDir 8.5.3-00

HISTORY
Version:1 (rev.1) - 2 March 2018 Initial release

Support: For issues about implementing the recommendations of this Security
Bulletin, contact your normal HPE Services support channel. For other issues
about the content of this Security Bulletin, send e-mail to
security-alert@hpe.com.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWqc3D4x+lLeg9Ub1AQipZg/5AZAOd+Auux5rBNn/fVclZaeFB95SGZvZ
q5OgjZ5Y2Fc2rUp+kUZXSqlqbbNRIjbE3PSI9nMGfbPb0hr87Dq3HimSpTb3M6EL
0SYCZEUbbhsGOAXc2ldOyNMmNMha3UkpWRIdCGC3J14bAOXwDWF51keY4xxkp3nX
UuZlZyVppHKkOhGNFSk300E6h2puQ816QJL9DXbyrPewzGfRTCAJiJUke791B4ss
LODcXl/REp7DWa5P0YaqIsm/zqHRSxPwksdGAyMUHwv9smcIXfH/RpMx7yNI3Rdj
NWJN303fjtfH0o/DU474Cfh1k2kCj+PIMqWqwBHj2NVPdUUmjpfWiDEMYAgKG5e6
kAHUCTd3cyAD8zkJBehhEruYCi5IEZu2/TsCIPIpYv9uCSVHWx9fxd1YmKMfNkat
NahfG4vLSioqpJuFio3jHuUSOTYMLvNKGDBaBF+Q59ijoDwEp8RHv0bmi/Tk1KxE
YQBE35N0/2gBL7MJVtX2Pc8Cgw1UucI07Ef9EeZas3mdxBdUG+jEBb/F2uX5lCnI
hQhl/2zOk3YSB6OSv+5/I3hflb2iWqLluyGeZNig8lcNfzCNBQLK2CuEFA+ncm7u
YKdmREq6FOexfNJMHNuVWIn7KUGlUhbaoplN3K3y+tQlYkGNrW1zU0jZIgvm4f60
WsJ0GoWYMjs=
=VvlZ
-----END PGP SIGNATURE-----