Two security flaws in the HP SNMP Agents software package have been fixed. A remote attacker could have exploited these flaws to execute arbitrary HTML and script code and to redirect URLs.
Package: HP SNMP Agents 8.x
Operating systems: Red Hat Enterprise Linux 6, SUSE Linux Enterprise Server (SLES) 10
Criticality: 8.3
Problem: improper file handling, XSS
Exploitation: remote
Consequence: injection of HTML and script code
Solution: vendor patch
CVE: CVE-2012-2001, CVE-2012-2002
Original advisory ID: HPSBMU02771
Source: Hewlett Packard
Problem:
The security vulnerabilities are the result of an XSS (cross-site scripting) vulnerability and improper file handling.
Consequence:
A remote attacker can exploit these vulnerabilities to redirect URLs and to inject HTML and script code.
Solution:
The fix for the security problem is to upgrade the package to newer versions.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03301854
Version: 1
HPSBMU02771 SSRT100558 rev.1 - HP SNMP Agents for Linux, Remote Cross Site Scripting (XSS), URL Redirection
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2012-05-01
Last Updated: 2012-05-01
Potential Security Impact: Remote Cross Site Scripting (XSS), URL Redirection
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP SNMP Agents for Linux. The vulnerabilities could be exploited remotely resulting in cross site scripting (XSS) and URL redirection.
References: CVE-2012-2001 (XSS), CVE-2012-2002 (URL redirection), SSRT100559
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP SNMP Agents for Linux before v9.0.0
BACKGROUND
For a PGP signed version of this security bulletin please write to: [e-mail address hidden by the source page]
CVSS 2.0 Base Metrics
Reference       Base Vector                    Base Score
CVE-2012-2001   (AV:N/AC:M/Au:N/C:N/I:P/A:N)   4.3
CVE-2012-2002   (AV:N/AC:M/Au:N/C:P/I:P/A:P)   8.3
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
RESOLUTION
HP has provided the following updates to resolve the vulnerabilities.
HP SNMP Agents for Red Hat Enterprise Linux 6 (x86) v9.0.0 or subsequent
hp-snmp-agents-9.0.0.48-49.rhel6.i386.rpm
HP SNMP Agents for Red Hat Enterprise Linux 6 (AMD64/EM64T) v9.0.0 or subsequent
hp-snmp-agents-9.0.0.48-49.rhel6.x86_64.rpm
HP SNMP Agents for SUSE LINUX Enterprise Server 10 v9.0.0 or subsequent
hp-snmp-agents-9.0.0.48-47.sles10.i386.rpm
HP SNMP Agents for SUSE LINUX Enterprise Server 10 (AMD64/EM64T) v9.0.0 or subsequent
hp-snmp-agents-9.0.0.48-47.sles10.x86_64.rpm
The updates are part of the HP ProLiant Support Pack (PSP) v9.0, available here:
http://h20000.www2.hp.com/bizsupport/TechSupport/DriverDownload.jsp?lang=en&cc=us&prodNameId=3716247&taskId=135&prodTypeId=18964&prodSeriesId=3716246&lang=en&cc=us
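A check an administrator could run on a host to see whether it still needs the update, added here as an example (it is not part of the HP bulletin): it compares the installed hp-snmp-agents version numerically against the fixed release 9.0.0 named above. The package name is taken from the RPM file names listed in the bulletin; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not HP's code. The bulletin lists versions before 9.0.0
# as affected and 9.0.0 or subsequent as fixed.
FIXED_VERSION="9.0.0"

# version_lt A B: succeeds if dotted numeric version A is lower than B.
# Components are compared as integers (so 10.0 > 9.0, unlike a string
# comparison); missing components count as 0 (9.0 equals 9.0.0).
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ -n "$x" ] || x=0
        [ -n "$y" ] || y=0
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# classify_version V: prints vulnerable, fixed or unknown (malformed input).
classify_version() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    if version_lt "$1" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo fixed
    fi
}

# check_installed: reports the status of every installed hp-snmp-agents
# package; %{VERSION} omits the release and architecture suffix.
check_installed() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found"; return 0; }
    versions=$(rpm -q --qf '%{VERSION}\n' hp-snmp-agents 2>/dev/null) \
        || { echo "hp-snmp-agents: not installed"; return 0; }
    for v in $versions; do
        echo "hp-snmp-agents $v: $(classify_version "$v")"
    done
}

check_installed
```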
HISTORY:
Version:1 (rev.1) 1 May 2012 Initial release