-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0755
     HPE Command View Advanced Edition (CVAE) Multiple Vulnerabilities
                               2 March 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           HPE Command View
Publisher:         Hewlett-Packard
Operating System:  Windows
                   Linux variants
                   Virtualisation
Impact/Access:     Modify Arbitrary Files   -- Remote/Unauthenticated
                   Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-2999 CVE-2019-2992 CVE-2019-2989
                   CVE-2019-2988 CVE-2019-2987 CVE-2019-2983
                   CVE-2019-2981 CVE-2019-2978 CVE-2019-2977
                   CVE-2019-2975 CVE-2019-2973 CVE-2019-2964
                   CVE-2019-2962 CVE-2019-2958 CVE-2019-2949
                   CVE-2019-2945 CVE-2019-2933 CVE-2019-2894

Reference:         ASB-2019.0294
                   ESB-2020.0531
                   ESB-2020.0513
                   ESB-2020.0345
                   ESB-2020.0097
                   ESB-2019.4564
                   ESB-2019.4076
                   ESB-2019.3909
                   ESB-2019.3870

Original Bulletin: 
   https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbst03983en_us

- --------------------------BEGIN INCLUDED TEXT--------------------

SUPPORT COMMUNICATION - SECURITY BULLETIN 

Document ID: hpesbst03983en_us
Version: 1 

HPESBST03983 rev.1 - HPE Command View Advanced Edition (CVAE) Multiple 
Vulnerabilities 

NOTICE: The information in this Security Bulletin should be acted upon as soon as 
possible. 
Release Date: 2020-02-26
Last Updated: 2020-02-25 

Potential Security Impact: Local: Multiple Vulnerabilities; Remote: Multiple 
Vulnerabilities 
Source: Hewlett Packard Enterprise, HPE Product Security Response Team 

VULNERABILITY SUMMARY 

HPE has identified HPE Command View Advanced Edition (CVAE) multiple vulnerabilities. 
A security problem might occur if a malicious user attacks the system by taking 
advantage of these vulnerabilities. 

The following CVAE have vulnerabilities: Device Manager (DevMgr) Tiered Storage 
Manager (TSMgr) Replication Manager (RepMgr)Hitachi Dynamic Link Manager (HDLM) 
Hitachi Global Link Manager (HGLM) HPE XP Automation Director (AutoDir) HPE XP 
Configuration Manager (CM) 

Reference URL:
https://www.oracle.com/security-alerts/cpuoct2019.html#AppendixJAVA  

Software and Version 
HDLM (Linux) Earlier than 8.7.1-00 
HDLM (Windows) Earlier than 8.7.0-01 
HDLM (VMware) Earlier than 8.7.0-01 
HGLM Earlier than 8.7.0-01 
CM Earlier than 10.0.1-00 
AutoDir Earlier than 10.0.1-00 

Frequency of problem: Low 
Severity of problem: Medium 

References: CVE-2019-2894 CVE-2019-2933
CVE-2019-2945 CVE-2019-2949 CVE-2019-2958 CVE-2019-2962 CVE-2019-2964
CVE-2019-2973 CVE-2019-2975 CVE-2019-2977 CVE-2019-2978 CVE-2019-2981
CVE-2019-2983 CVE-2019-2987 CVE-2019-2988 CVE-2019-2989 CVE-2019-2992
CVE-2019-2999 

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP XP7 CVAE Earlier than 8.7.1-00 
HPE XP7 Command View Advanced Edition Suite Earlier than 8.7.1-00 

RESOLUTION 

HPE has provided the following updates to resolve the vulnerabilities. Upgrade to 
the fixed version below or later. 

DevMgr 8.7.1-00or later (See Note 1)(See note 2)TSMgr 8.7.1-00 or later
RepMgr 8.7.1-00 or laterHDLM for Linux 8.7.1-00 or later (See note 3) HDLM for 
Windows 8.7.0-01 or laterHDLM for VMware 8.7.0-01 or laterHGLM 8.7.0-01 or laterHPE
XP Automation Director 10.0.1-00 or later (See note 4)HPE XP Configuration Manager 
10.0.1-00 or later (See note 5) 

Notes: 

1. The vulnerabilities of Device Manager agent that runs on the following operating 
systems can only be corrected by upgrading the JDK used by the Device Manager agent to 
Oracle JDK version 8u231 or later: 
Red Hat Enterprise Linux 5.x 
Red Hat Enterprise Linux 6.x 
SUSE Linux Enterprise Server 11 
Oracle Unbreakable Enterprise Kernel 6.x 

2. If Host Data Collector is installed in a different server to which installed DevMgr, 
the Host Data Collector must also be upgraded. 

3. The vulnerabilities of HDLM that runs on the following operating systems can 
only be corrected by upgrading the Java used by the Hitachi Command Suite Common
 Agent to Oracle JDK/JRE version 8u231 or later: 
Red Hat Enterprise Linux 5.x 
Red Hat Enterprise Linux 6.x 
SUSE Linux Enterprise Server 11 
Oracle Linux 5.x 
Oracle Linux 6.x 
Oracle Unbreakable Enterprise Kernel 5.x 
Oracle Unbreakable Enterprise Kernel 6.x 

4. This product corresponds to the fixed version of AutoDir. 

5. This product corresponds to the fixed version of CM. 

HISTORY 

Version:1 (rev.1) - 25 February 2020 Initial release

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXlyPvGaOgq3Tt24GAQiavg/9FSXtXR2q91x8gZrnM7sfg7qj0HF7wuSM
YE90r+iwzJ3mAC48LOR8hR6jXwn4NWMtI/CaT8ePp5GZZoPUQ/rBindIekMik/hZ
e8hxAg5X4pSna13dR0qaxSmnAJ1vvB+oEZhHw33yr9qquxggvH++Bft19jGgjMeW
RbjMD5vtAQrMbLwEbeNW9xyEF0XXZeZvIDEcJIsF8FEnDvMm7lRr180O4cfHw/IK
nu3SacI6rvE0nhf86zeuWS3KBIPax70aEqiftFBw/KdgvTJkZ5lBbcCo3hOecqq2
/qQCM9ZlzN4XRhzucn1NhvbKcrn9TvC7GqN5zlxWoFY4xaCSZG8buHgy34bSFLe5
HsWGyeRAgZyLScjVoA9qtp8UUxzviejSJv1M+B3zwbe9qa2JmWWdF46mw+3TEXzt
UtRJO3A3k508drD4dMkBc3us7o7m/HwgTU739DZtvm4fxe28NmhV+mc0HHmJNrOp
rB0E0PeH3YL1cREDBInNqb/FvWeoQIYZAy8sZbQIDqo6n1cheFqknPeAtJV0MJA/
PYK3jZTeVQtTlO6pfAkW1UtXxWSeVqkV3g/Mu++EeGDF+PkKEH2uBL5h9bhbXouM
NlDww5xrAgpbye6g1c/5NOqcn+cuW2ZZILok70ZvChLSNHK+LRWwUIF86xIy8TBt
0IHnUBIQwHk=
=7XyV
-----END PGP SIGNATURE-----