Enterprise Server security fixes, July 2017

CVE-2017-5187: A Cross-Site Request Forgery (CSRF) vulnerability, leading to Remote Code Execution (RCE), was found in MFDS. Additional anti-CSRF security measures have been added to the Enterprise Server Administration HTML GUI.
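As an added illustration of the defence class named above (this is example code written for this page, not Micro Focus's code and not how MFDS implements its fix), the following shows a synchronizer-token check combined with an Origin/Referer check for state-changing requests to an HTML admin GUI. The in-memory session store, the form field name csrf_token and the host name es-admin.example:86 are assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed stand-in for a server-side session store: session id -> CSRF token.
# A real admin GUI would keep this alongside its authenticated session state.
SESSIONS = {}

# Assumed host:port on which the admin GUI is reachable; browsers send this in Origin.
ALLOWED_HOSTS = frozenset({"es-admin.example:86"})


def issue_csrf_token(session_id):
    """Mint one unguessable token per session, remember it, and return it so the
    server can embed it in every form it renders for that session."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = token
    return token


def origin_allowed(headers, allowed_hosts=ALLOWED_HOSTS):
    """True if the request's Origin (or, failing that, Referer) names one of our
    own hosts. A state-changing request with neither header is rejected."""
    origin = headers.get("Origin")
    if origin:
        return urlsplit(origin).netloc in allowed_hosts
    referer = headers.get("Referer")
    if referer:
        return urlsplit(referer).netloc in allowed_hosts
    return False


def csrf_check(method, headers, form, session_id, allowed_hosts=ALLOWED_HOSTS):
    """Gate for state-changing requests: the submitted token must match the
    session's token (constant-time compare) AND the request must come from an
    allowed origin. Read-only methods pass through unchanged."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    expected = SESSIONS.get(session_id)
    supplied = form.get("csrf_token", "")
    if not expected or not supplied:
        return False
    # compare_digest avoids leaking how many leading bytes matched via timing
    if not hmac.compare_digest(expected, supplied):
        return False
    return origin_allowed(headers, allowed_hosts)
```

The two checks are deliberately independent: a token alone stops a cross-site form post, and the Origin check gives a second line of defence if a token ever leaks through a separate XSS or caching problem.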

CVE-2017-7420: An Authentication Bypass vulnerability was found in ESMAC. A problem with ESMAC display fields that enabled Authorization Bypass and caused XSS-related issues has been fixed.

CVE-2017-7421: A Cross-Site Scripting (XSS) vulnerability was found in ESMAC and MFDS. Additional anti-stored-XSS security measures have been added to the Enterprise Server Administration HTML GUI.

CVE-2017-7422: An XSS vulnerability was found in esfadmingui. This has been corrected.

CVE-2017-7423: A CSRF vulnerability was found in esfadmingui. This has been corrected.

CVE-2017-7424: A path-traversal vulnerability was found in esfadmingui (the mfcs-esfadmin optional component of Enterprise Server) and has been fixed. It could allow a user with network access to a suitably configured Enterprise Server region to download files from the target system that they were not authorized to read.
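As an added example of the check that closes this class of bug (example code written for this page, not Micro Focus's code and not the actual esfadmingui fix), the function below maps a client-supplied file name onto a download directory and refuses anything that resolves outside it. It canonicalises the path first, so '..' segments and symlinks planted inside the directory are both caught by the same containment test. The directory layout built by demo() is constructed for the example.

```python
import os
import tempfile
from pathlib import Path


def resolve_download(base_dir, requested):
    """Return the real Path of `requested` if it is a regular file under base_dir,
    otherwise None.

    resolve() collapses '..' and follows symlinks before the containment test, so
    'sub/../../secret.txt' and a symlink inside base_dir that points outside it
    both end up compared against base_dir as real paths and are rejected."""
    base = Path(base_dir).resolve()
    # Absolute names and NUL bytes are never legitimate download requests.
    if not requested or "\x00" in requested or os.path.isabs(requested):
        return None
    target = (base / requested).resolve()
    # Containment: target must be base itself or have base among its ancestors.
    if target != base and base not in target.parents:
        return None
    if not target.is_file():
        return None
    return target


def demo():
    """Build a throwaway tree (constructed for this example) and report, per
    request string, whether resolve_download() would serve it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        base = root / "downloads"
        base.mkdir()
        (base / "report.txt").write_text("ok")
        (base / "sub").mkdir()
        (base / "sub" / "inner.txt").write_text("ok")
        secret = root / "secret.txt"          # sits OUTSIDE the download root
        secret.write_text("must not be served")

        cases = [
            "report.txt",              # plain file under base: allowed
            "sub/inner.txt",           # nested file under base: allowed
            "../secret.txt",           # classic traversal: rejected
            "sub/../../secret.txt",    # traversal via a real subdirectory: rejected
            str(secret),               # absolute path: rejected
            "sub",                     # a directory, not a file: rejected
        ]
        try:
            # Symlink planted inside base pointing outside it; resolve() exposes it.
            (base / "escape").symlink_to(secret)
            cases.append("escape")
        except OSError:
            pass  # symlink creation not permitted on this host; skip that case

        return {c: resolve_download(base, c) is not None for c in cases}
```

Note that the check is done on the canonical path, not on the request string: filtering the string for '..' would still let a symlink, or an encoded variant the decoder turns into '..', through.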

Notes:

MFDS and ESMAC issues apply to Micro Focus Enterprise Developer and Micro Focus Enterprise Server versions 2.3 and earlier (including older products), 2.3 Update 1 before Hotfix 8, and 2.3 Update 2 before Hotfix 9.

‘esfadmingui’ issues apply to Micro Focus Enterprise Developer and Micro Focus Enterprise Server versions 2.3, 2.3 Update 1 before Hotfix 8, and 2.3 Update 2 before Hotfix 9. Note that esfadmingui is an optional component that is not enabled by default.

Update to 2.3 Update 1 Hotfix 8 (or later), 2.3 Update 2 Hotfix 9 (or later), or 3.0 for these fixes.

Attribution:

Micro Focus would like to thank Tim Thurlings and Meiyer Goren of Comsec Global for notifying us of these issues and working with us to investigate them, under a responsible-disclosure policy.
