Flaws have been identified in the HP BAC (Business Availability Center) and HP BSM (Business Service Management) software packages that a remote attacker can exploit to view sensitive data.
Package:
HP Business Availability Center 8.x, HP Business Service Management 9.x
Operating systems:
Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Me, Microsoft Windows XP, Microsoft Windows Server 2003, Microsoft Windows Vista, Microsoft Windows Server 2008, Microsoft Windows 7, Sun Solaris 7, Sun Solaris 8, Sun Solaris 9, Sun Solaris 10
Criticality:
5
Problem:
inadequate input validation, error in a software component
Exploitation:
remote
Consequence:
disclosure of sensitive information
Solution:
workaround
CVE:
CVE-2010-1428, CVE-2010-1429, CVE-2008-3273
Original advisory ID:
HPSBMU02736
Source:
Hewlett Packard
Problem:
An error has been discovered in the "JBossEAP" software component: input data is not validated adequately.
Consequence:
A malicious user can exploit these vulnerabilities to gain unauthorized access to sensitive data.
Solution:
All users are advised to read the original advisory and carry out the procedure for remedying the flaws.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03127140
Version: 1
HPSBMU02736 SSRT100699 rev.1 - HP Business Availability Center (BAC) and Business Service Management (BSM), Remote Unauthorized Access to Sensitive Information
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-12-18
Last Updated: 2012-01-18
Potential Security Impact: Remote unauthorized access to sensitive information
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Business Availability Center (BAC) and Business Service Management (BSM). The vulnerabilities could be remotely exploited to allow unauthorized access to sensitive information.
References: CVE-2010-1428, CVE-2010-1429, CVE-2008-3273
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Business Availability Center (BAC) v8.07 and earlier on Windows and Solaris
Business Service Management (BSM) v9.12 and earlier on Windows
BACKGROUND
For a PGP signed version of this security bulletin please write to: [e-mail address not shown on this page]
CVSS 2.0 Base Metrics
Reference        Base vector                      Base score
CVE-2010-1428    (AV:N/AC:L/Au:N/C:P/I:N/A:N)     5.0
CVE-2010-1429    (AV:N/AC:L/Au:N/C:P/I:N/A:N)     5.0
CVE-2008-3273    (AV:N/AC:L/Au:N/C:P/I:N/A:N)     5.0
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has made the following procedures available to resolve the vulnerabilities.
For Windows
Disable JBoss WebConsole
Rename:
\HPBAC\EJBContainer\server\mercury\deploy\jmx-console.war
\HPBAC\EJBContainer\server\mercury\deploy\management\console-mgr.sar\web-console.war
To:
\HPBAC\EJBContainer\server\mercury\deploy\jmx-console.war.disable
\HPBAC\EJBContainer\server\mercury\deploy\management\console-mgr.sar\web-console.war.disable
Note: The JBoss WebConsole is disabled in BSM v9.10 and subsequent. The changes above are only needed for versions prior to v9.10.
Disable Status Servlet
Edit this file
BAC 8.7: \HPBAC\EJBContainer\server\mercury\deploy\jbossweb-tomcat55.sar\ROOT.war\WEB-INF\web.xml
BSM 9.x: \HPBSM\EJBContainer\server\mercury\deploy\jboss-web.deployer\ROOT.war\WEB-INF\web.xml
to add <!-- and --> as follows:
<!--
<servlet>
<servlet-name>Status Servlet</servlet-name>
<servlet-class>org.jboss.web.tomcat.tc5.StatusServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Status Servlet</servlet-name>
<url-pattern>/status</url-pattern>
</servlet-mapping>
-->
For Solaris
For Solaris the procedure is the same as for Windows.
The Solaris files are:
/opt/HPBAC/EJBContainer/server/mercury/deploy/jmx-console.war
/opt/HPBAC/EJBContainer/server/mercury/deploy/management/console-mgr.sar/web-console.war
BAC 8.7: /opt/HPBAC/EJBContainer/server/mercury/deploy/jbossweb-tomcat55.sar/ROOT.war/WEB-INF/web.xml
BSM 9.x: /opt/HPBSM/EJBContainer/server/mercury/deploy/jboss-web.deployer/ROOT.war/WEB-INF/web.xml
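As an added example that is not part of the HP bulletin or the product, the following Python helper supports the "Disable Status Servlet" step above: it reports whether a ROOT.war web.xml still declares or maps the Status Servlet (useful for verifying the workaround across hosts) and applies the comment-out change idempotently. The web.xml content is a constructed sample modelled on the bulletin's snippet, and the function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed web.xml fragment modelled on the snippet in the bulletin; the
# xmlns is added because real web.xml deployment descriptors declare one.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <servlet>
    <servlet-name>Status Servlet</servlet-name>
    <servlet-class>org.jboss.web.tomcat.tc5.StatusServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Status Servlet</servlet-name>
    <url-pattern>/status</url-pattern>
  </servlet-mapping>
</web-app>
"""

STATUS_SERVLET = "Status Servlet"
# Matches a <servlet> or <servlet-mapping> block for the Status Servlet.
BLOCK_RE = re.compile(r"<(servlet|servlet-mapping)>\s*<servlet-name>\s*Status Servlet"
                      r"\s*</servlet-name>.*?</\1>", re.S)
COMMENT_RE = re.compile(r"<!--.*?-->", re.S)

def _local(tag):
    # Strip an XML namespace prefix such as {http://...}servlet.
    return tag.rsplit("}", 1)[-1]

def status_servlet_active(web_xml_text):
    """True if the Status Servlet is still declared or mapped. The parser
    discards <!-- --> comments, so a correctly applied workaround makes the
    servlet vanish from the tree and this returns False."""
    root = ET.fromstring(web_xml_text)
    for elem in root.iter():
        if _local(elem.tag) not in ("servlet", "servlet-mapping"):
            continue
        names = [c.text.strip() for c in elem
                 if _local(c.tag) == "servlet-name" and c.text]
        if STATUS_SERVLET in names:
            return True
    return False

def disable_status_servlet(web_xml_text):
    """Wrap each Status Servlet block in an XML comment, as the bulletin does.
    Blocks already inside a comment are skipped: idempotent, no nested comments."""
    commented = [(c.start(), c.end()) for c in COMMENT_RE.finditer(web_xml_text)]
    def wrap(match):
        if any(s <= match.start() < e for s, e in commented):
            return match.group(0)  # already commented out, leave as is
        return "<!--\n" + match.group(0) + "\n-->"
    return BLOCK_RE.sub(wrap, web_xml_text)
```

Run status_servlet_active on the file read from the BAC or BSM path listed above to confirm the servlet is gone after the edit; the bulletin wraps both blocks in a single comment, which is equivalent in effect to the per-block comments written here.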
HISTORY
Version: 1 (rev.1) 18 January 2012 Initial release