Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.0755
HPE Command View Advanced Edition (CVAE) Multiple Vulnerabilities
2 March 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: HPE Command View
Publisher: Hewlett-Packard
Operating System: Windows
Linux variants
Virtualisation
Impact/Access: Modify Arbitrary Files -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2019-2999 CVE-2019-2992 CVE-2019-2989
CVE-2019-2988 CVE-2019-2987 CVE-2019-2983
CVE-2019-2981 CVE-2019-2978 CVE-2019-2977
CVE-2019-2975 CVE-2019-2973 CVE-2019-2964
CVE-2019-2962 CVE-2019-2958 CVE-2019-2949
CVE-2019-2945 CVE-2019-2933 CVE-2019-2894
Reference: ASB-2019.0294
ESB-2020.0531
ESB-2020.0513
ESB-2020.0345
ESB-2020.0097
ESB-2019.4564
ESB-2019.4076
ESB-2019.3909
ESB-2019.3870
Original Bulletin:
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbst03983en_us
- --------------------------BEGIN INCLUDED TEXT--------------------
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: hpesbst03983en_us
Version: 1
HPESBST03983 rev.1 - HPE Command View Advanced Edition (CVAE) Multiple
Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as soon as
possible.
Release Date: 2020-02-26
Last Updated: 2020-02-25
Potential Security Impact: Local: Multiple Vulnerabilities; Remote: Multiple
Vulnerabilities
Source: Hewlett Packard Enterprise, HPE Product Security Response Team
VULNERABILITY SUMMARY
HPE has identified HPE Command View Advanced Edition (CVAE) multiple vulnerabilities.
A security problem might occur if a malicious user attacks the system by taking
advantage of these vulnerabilities.
The following CVAE have vulnerabilities: Device Manager (DevMgr) Tiered Storage
Manager (TSMgr) Replication Manager (RepMgr)Hitachi Dynamic Link Manager (HDLM)
Hitachi Global Link Manager (HGLM) HPE XP Automation Director (AutoDir) HPE XP
Configuration Manager (CM)
Reference URL:
https://www.oracle.com/security-alerts/cpuoct2019.html#AppendixJAVA
Software and Version
HDLM (Linux) Earlier than 8.7.1-00
HDLM (Windows) Earlier than 8.7.0-01
HDLM (VMware) Earlier than 8.7.0-01
HGLM Earlier than 8.7.0-01
CM Earlier than 10.0.1-00
AutoDir Earlier than 10.0.1-00
Frequency of problem: Low
Severity of problem: Medium
References: CVE-2019-2894 CVE-2019-2933
CVE-2019-2945 CVE-2019-2949 CVE-2019-2958 CVE-2019-2962 CVE-2019-2964
CVE-2019-2973 CVE-2019-2975 CVE-2019-2977 CVE-2019-2978 CVE-2019-2981
CVE-2019-2983 CVE-2019-2987 CVE-2019-2988 CVE-2019-2989 CVE-2019-2992
CVE-2019-2999
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP XP7 CVAE Earlier than 8.7.1-00
HPE XP7 Command View Advanced Edition Suite Earlier than 8.7.1-00
RESOLUTION
HPE has provided the following updates to resolve the vulnerabilities. Upgrade to
the fixed version below or later.
DevMgr 8.7.1-00or later (See Note 1)(See note 2)TSMgr 8.7.1-00 or later
RepMgr 8.7.1-00 or laterHDLM for Linux 8.7.1-00 or later (See note 3) HDLM for
Windows 8.7.0-01 or laterHDLM for VMware 8.7.0-01 or laterHGLM 8.7.0-01 or laterHPE
XP Automation Director 10.0.1-00 or later (See note 4)HPE XP Configuration Manager
10.0.1-00 or later (See note 5)
Notes:
1. The vulnerabilities of Device Manager agent that runs on the following operating
systems can only be corrected by upgrading the JDK used by the Device Manager agent to
Oracle JDK version 8u231 or later:
Red Hat Enterprise Linux 5.x
Red Hat Enterprise Linux 6.x
SUSE Linux Enterprise Server 11
Oracle Unbreakable Enterprise Kernel 6.x
2. If Host Data Collector is installed in a different server to which installed DevMgr,
the Host Data Collector must also be upgraded.
3. The vulnerabilities of HDLM that runs on the following operating systems can
only be corrected by upgrading the Java used by the Hitachi Command Suite Common
Agent to Oracle JDK/JRE version 8u231 or later:
Red Hat Enterprise Linux 5.x
Red Hat Enterprise Linux 6.x
SUSE Linux Enterprise Server 11
Oracle Linux 5.x
Oracle Linux 6.x
Oracle Unbreakable Enterprise Kernel 5.x
Oracle Unbreakable Enterprise Kernel 6.x
4. This product corresponds to the fixed version of AutoDir.
5. This product corresponds to the fixed version of CM.
HISTORY
Version:1 (rev.1) - 25 February 2020 Initial release
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXlyPvGaOgq3Tt24GAQiavg/9FSXtXR2q91x8gZrnM7sfg7qj0HF7wuSM
YE90r+iwzJ3mAC48LOR8hR6jXwn4NWMtI/CaT8ePp5GZZoPUQ/rBindIekMik/hZ
e8hxAg5X4pSna13dR0qaxSmnAJ1vvB+oEZhHw33yr9qquxggvH++Bft19jGgjMeW
RbjMD5vtAQrMbLwEbeNW9xyEF0XXZeZvIDEcJIsF8FEnDvMm7lRr180O4cfHw/IK
nu3SacI6rvE0nhf86zeuWS3KBIPax70aEqiftFBw/KdgvTJkZ5lBbcCo3hOecqq2
/qQCM9ZlzN4XRhzucn1NhvbKcrn9TvC7GqN5zlxWoFY4xaCSZG8buHgy34bSFLe5
HsWGyeRAgZyLScjVoA9qtp8UUxzviejSJv1M+B3zwbe9qa2JmWWdF46mw+3TEXzt
UtRJO3A3k508drD4dMkBc3us7o7m/HwgTU739DZtvm4fxe28NmhV+mc0HHmJNrOp
rB0E0PeH3YL1cREDBInNqb/FvWeoQIYZAy8sZbQIDqo6n1cheFqknPeAtJV0MJA/
PYK3jZTeVQtTlO6pfAkW1UtXxWSeVqkV3g/Mu++EeGDF+PkKEH2uBL5h9bhbXouM
NlDww5xrAgpbye6g1c/5NOqcn+cuW2ZZILok70ZvChLSNHK+LRWwUIF86xIy8TBt
0IHnUBIQwHk=
=7XyV
-----END PGP SIGNATURE-----