Vulnerabilities have been discovered in the HP Business Availability Center package. They can be exploited to carry out XSS attacks, spoof web sites and steal web sessions.
Package:
HP Business Availability Center 8.x
Operating systems:
Microsoft Windows XP, Microsoft Windows Server 2003, Microsoft Windows Vista, Microsoft Windows Server 2008, Microsoft Windows 7, Oracle Solaris 11 Express, Sun Solaris 7, Sun Solaris 8, Sun Solaris 9, Sun Solaris 10, Sun Solaris 11
Problem:
CSRF, XSS
Exploitation:
local/remote
Impact:
disclosure of sensitive information, injection of arbitrary data into a protected session
Solution:
vendor patch
CVE:
CVE-2012-3255, CVE-2012-3256, CVE-2012-3257
Original advisory ID:
HPSBMU02811
Source:
Hewlett Packard
Problem:
Details of the flaws that caused the vulnerabilities have not been published.
Impact:
Attackers can exploit the vulnerabilities to carry out XSS attacks, spoof web sites and inject arbitrary data into protected web sessions.
Solution:
All users are advised to install the updates.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03475750
Version: 1
HPSBMU02811 SSRT100937 rev.1 - HP Business Availability Center (BAC) Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and Web Session Hijacking
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2012-09-06
Last Updated: 2012-09-06
Potential Security Impact: Cross site scripting (XSS), cross site request forgery (CSRF), and web session hijacking
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Business Availability Center (BAC). The vulnerabilities could be remotely exploited to allow cross site scripting (XSS), cross site request forgery (CSRF), and web session hijacking.
References: CVE-2012-3255, CVE-2012-3256, CVE-2012-3257
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Business Availability Center v8.07 running on Windows and Solaris
BACKGROUND
For a PGP signed version of this security bulletin please write to: [e-mail address not shown on the page]
CVSS 2.0 Base Metrics

Reference        Base Vector                      Base Score
CVE-2012-3255    (AV:N/AC:M/Au:N/C:N/I:P/A:N)     4.3
CVE-2012-3256    (AV:N/AC:M/Au:N/C:P/I:P/A:P)     6.4
CVE-2012-3257    (AV:N/AC:H/Au:S/C:P/I:P/A:P)     6.4
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided patches for HP Business Availability Center (BAC) v8.07 on HP Software Support Online at http://support.openview.hp.com/downloads.jsp
Business Availability Center Version    Patch ID
BAC v8.07 for Windows                   BAC_00792
BAC v8.07 for Solaris                   BAC_00793
HISTORY
Version: 1 (rev.1) - 6 September 2012: Initial release