A security flaw has been identified in HP Business Availability Center (BAC) and Business Service Management (BSM). HP BAC enables optimization of the availability, performance and effectiveness of business services and applications, while HP BSM is a set of software tools for monitoring and managing the data center. The causes of the problem are not yet known, but it has been established that a remote attacker can exploit the vulnerability to carry out XSS (Cross Site Scripting) attacks. Since an appropriate update is available, all users of the vulnerable packages are encouraged to apply it for protection.

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02678501

Version: 1
HPSBMA02622 SSRT100342 rev.1 - HP Business Availability Center (BAC) and Business Service Management (BSM), Remote Cross Site Scripting (XSS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2011-01-10

Last Updated: 2011-01-19

Potential Security Impact: Remote Cross Site Scripting (XSS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY

A potential security vulnerability has been identified with HP Business Availability Center (BAC) and Business Service Management (BSM). The vulnerability could be remotely exploited to allow Cross Site Scripting (XSS).

References: CVE-2011-0274

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

Business Availability Center (BAC) v7.55 and earlier on Windows and Solaris
Business Availability Center (BAC) v8.05 and earlier on Windows and Solaris
Business Service Management (BSM) v9.01 and earlier on Windows

BACKGROUND

For a PGP signed version of this security bulletin please write to: [e-mail address hidden on the source page]

CVSS 2.0 Base Metrics

Reference       Base vector                     Base score
CVE-2011-0274   (AV:N/AC:M/Au:N/C:N/I:P/A:N)    4.3

Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Daniel Frye for reporting this vulnerability to [e-mail address hidden on the source page].

RESOLUTION

HP has made patches available to resolve the vulnerability. The patches are available here: http://support.openview.hp.com/support.jsp .

For BAC earlier than v7.55, update to v7.55 and install the appropriate patch listed below.

For BSM earlier than v9.01, update to v9.01 and install the appropriate patch listed below.

BAC v8.06 resolves the vulnerability. The BAC v8.06 patches listed below update BAC to v8.06.

Product                  Patch
BAC v7.55 for Windows    BAC_00694
BAC v7.55 for Solaris    BAC_00695
BAC v8.06 for Windows    BAC_00696
BAC v8.06 for Solaris    BAC_00697
BSM v9.01 for Windows    BAC_00698

Note: The BAC v8.06 Service Pack will also resolve the vulnerability.

HISTORY
Version: 1 (rev.1) 19 January 2011 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact your normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send e-mail to: [e-mail address hidden on the source page]
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
  To: [e-mail address hidden on the source page]
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
    -check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
    -verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do 
