ArcSight Logger - Fix for Security Vulnerability

Fix for the following two Vulnerabilities, that was found on ArcSight Logger 6.71, is now available. Please contact Customer Support to obtain Logger 6.7.1 HotFix 6.7.1.8262.0. These fixes will also be part of the upcoming release of Logger.

1. CVE-2019-11655: unrestricted file upload

  • Affected versions: Logger 6.7.0 and later​
  • Severity: Critical ​
  • CVSS 3.0 Rating: 9.9 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) ​
  • CWE Reference: 434 - Unrestricted Upload of File with Dangerous Typ​e

2. CVE-2019-11656: stored XSS​

  • ​​Affected versions: versions prior to Logger 6.7.1 HotFix 6.7.1.8262.0​
  • Severity: Medium ​
  • CVSS 3.0 Rating: 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) ​
  • CWE Reference: 79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')​

Problem description:
"External Task is undefined" and "Syntax error" errors appear on browser console after a Logger report query object is being created (new/modify) using IE browser.

Reports with lengthy names (> 60 characters) emailed via SMTP server are attached with an incorrect filename and extension.

Resolution:
Micro Focus recommends to apply this HotFix. HotFix 6.7.1.8262.0 on ArcSight Logger 6.7.1, either in software or appliance form factor. These fixes will also be part of the upcoming release of Logger.

Researcher Credit - For CVE-2019-11655, and CVE-2019-11656 we would like to give a special thanks to Michael Vieth, an Application Security Engineer at CME Group, for responsibly disclosing these vulnerabilities.


Thank you.