Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2018.0730
Critical vulnerabilities patched in Hewless-Packard XP
Command View software
13 March 2018
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: HPE XP Command View
Publisher: Hewlett-Packard
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2017-8988 CVE-2017-7679 CVE-2017-7668
CVE-2017-5641
Original Bulletin:
https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03821en_us
https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03822en_us
https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03823en_us
Comment: This bulletin contains three (3) Hewlett-Packard security
advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: hpesbhf03822en_us
Version: 1
HPESBHF03822 rev.1 - HPE XP Command View AE Suite (XPCVAE), Remote Bypass of
Security Restrictions
NOTICE: The information in this Security Bulletin should be acted upon as soon
as possible.
Release Date: 2018-03-03
Last Updated: 2018-03-03
Potential Security Impact: Remote: Bypass Security Restrictions
Source: Hewlett Packard Enterprise, HPE Product Security Response Team
VULNERABILITY SUMMARY
The HPE XP Command View AE Suite (XPCVAE) products (excluding server
components) contain an XML eXternal Entity vulnerability.
* DevMgr Earlier than 8.5.3-00(for Windows, Linux) (Note 1)
* RepMgr Earlier than 8.5.3-00(for Windows, Linux) (Note 2)
* HDLM Earlier than 8.5.3-00(for Windows, Linux, Solaris, AIX)
References: CVE-2017-8988
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP XP Command View Advanced Edition Software Earlier than 8.5.3-00
BACKGROUND
CVSS Version 3.0 and Version 2.0 Base Metrics
V3 V2
Reference V3 Vector Base V2 Vector Base
Score Score
CVSS:3.0/AV:N/AC:L/ (AV:N/AC:L/
CVE-2017-8988 PR:N/UI:N/S:U/C:L/I:L 7.3 Au:N/C:P/I:P/ 7.5
/A:L A:P)
Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002
RESOLUTION
HPE XP Command View AE Suite (XPCVAE) products (excluding server components)
has resolved this issue with the following update versions:
* DevMgr 8.5.3-00, Note: Apply Device Manager agent 8.5.0-06 that is bundled
with this fixed version.
* RepMgr 8.5.3-00, Note: Apply Application Agent 8.5.3-00 (for Windows) that
is bundled with this fixed version.
* HDLM 8.5.3-00
HISTORY
Version:1 (rev.1) - 2 March 2018 Initial release
- --------------------------------------------------------------------------------
HPESBHF03821 rev.1 - HPE XP Command View AE Suite (XPCVAE), Remote Denial of
Service
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: hpesbhf03821en_us
Version: 1
HPESBHF03821 rev.1 - HPE XP Command View AE Suite (XPCVAE), Remote Denial of
Service
NOTICE: The information in this Security Bulletin should be acted upon as soon
as possible.
Release Date: 2018-03-03
Last Updated: 2018-03-03
Potential Security Impact: Local: Denial of Service (DoS); Remote: Denial of
Service (DoS)
Source: Hewlett Packard Enterprise, HPE Product Security Response Team
VULNERABILITY SUMMARY
Certain HPE XP Command View AE Suite (XPCVAE) components contain a
vulnerability that makes them susceptible to denial of service (DoS) attacks.
* Device Manager (DevMgr)
* Replication Manager (RepMgr)
* Tiered Storage Manager (TSMgr)
* Automation Director (AutoDir)
* Configuration Manager (CM)
References:
* CVE-2017-7668 - Apache httpd
* CVE-2017-7679 - httpd mod_mime
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP XP Command View Advanced Edition Software earlier than 8.5.3-00
BACKGROUND
CVSS Version 3.0 and Version 2.0 Base Metrics
V3 V2
Reference V3 Vector Base V2 Vector Base
Score Score
CVSS:3.0/AV:N/AC:L/ (AV:N/AC:L/
CVE-2017-7668 PR:N/UI:N/S:U/C:L/I:L 7.3 Au:N/C:P/I:P/ 7.5
/A:L A:P)
CVSS:3.0/AV:N/AC:L/ (AV:N/AC:L/
CVE-2017-7679 PR:N/UI:N/S:U/C:L/I:L 7.3 Au:N/C:P/I:P/ 7.5
/A:L A:P)
Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002
RESOLUTION
HPE has provided XP Command View AE Suite (XPCVAE) product updates to resolve
the vulnerabilities. Upgrade to the versions:
* DevMgr 8.5.3-00
* RepDgr 8.5.3-00
* TSMgr 8.5.3-00
* AutoDir 8.5.3-00
* CM 8.5.4-00
HISTORY
Version:1 (rev.1) - 2 March 2018 Initial release
- --------------------------------------------------------------------------------
HPESBHF03823 rev.1 - HPE XP Command View Advanced Edition Software (CVAE),
Remote Arbitrary Code Execution
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: hpesbhf03823en_us
Version: 1
HPESBHF03823 rev.1 - HPE XP Command View Advanced Edition Software (CVAE),
Remote Arbitrary Code Execution
NOTICE: The information in this Security Bulletin should be acted upon as soon
as possible.
Release Date: 2018-03-03
Last Updated: 2018-03-03
Potential Security Impact: Remote: Arbitrary Code Execution
Source: Hewlett Packard Enterprise, HPE Product Security Response Team
VULNERABILITY SUMMARY
A vulnerability in HPE XP Command View Advanced Edition Software (CVAE) was
found. The vulnerability allows for remote execution of arbitrary code.
References: CVE-2017-5641 - Apache Flex BlazeDS
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP XP Command View Advanced Edition Software earlier than 8.5.3-00
BACKGROUND
CVSS Version 3.0 and Version 2.0 Base Metrics
V3 V2
Reference V3 Vector Base V2 Vector Base
Score Score
CVSS:3.0/AV:N/AC:L/ (AV:N/AC:L/
CVE-2017-5641 PR:N/UI:N/S:U/C:H/I:H 9.8 Au:N/C:P/I:P/ 7.5
/A:H A:P)
Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002
RESOLUTION
HPE has provided an resolution for the vulnerability in HPE XP Command View
Advanced Edition Software (CVAE). Apply the following updates:
* DevMgr 8.5.3-00 (Vulnerabilities in RepMgr, and TSMgr, will be resolved
when DevMgr is upgraded)
* AutoDir 8.5.3-00
HISTORY
Version:1 (rev.1) - 2 March 2018 Initial release
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hpe.com.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWqc3D4x+lLeg9Ub1AQipZg/5AZAOd+Auux5rBNn/fVclZaeFB95SGZvZ
q5OgjZ5Y2Fc2rUp+kUZXSqlqbbNRIjbE3PSI9nMGfbPb0hr87Dq3HimSpTb3M6EL
0SYCZEUbbhsGOAXc2ldOyNMmNMha3UkpWRIdCGC3J14bAOXwDWF51keY4xxkp3nX
UuZlZyVppHKkOhGNFSk300E6h2puQ816QJL9DXbyrPewzGfRTCAJiJUke791B4ss
LODcXl/REp7DWa5P0YaqIsm/zqHRSxPwksdGAyMUHwv9smcIXfH/RpMx7yNI3Rdj
NWJN303fjtfH0o/DU474Cfh1k2kCj+PIMqWqwBHj2NVPdUUmjpfWiDEMYAgKG5e6
kAHUCTd3cyAD8zkJBehhEruYCi5IEZu2/TsCIPIpYv9uCSVHWx9fxd1YmKMfNkat
NahfG4vLSioqpJuFio3jHuUSOTYMLvNKGDBaBF+Q59ijoDwEp8RHv0bmi/Tk1KxE
YQBE35N0/2gBL7MJVtX2Pc8Cgw1UucI07Ef9EeZas3mdxBdUG+jEBb/F2uX5lCnI
hQhl/2zOk3YSB6OSv+5/I3hflb2iWqLluyGeZNig8lcNfzCNBQLK2CuEFA+ncm7u
YKdmREq6FOexfNJMHNuVWIn7KUGlUhbaoplN3K3y+tQlYkGNrW1zU0jZIgvm4f60
WsJ0GoWYMjs=
=VvlZ
-----END PGP SIGNATURE-----