Fixes for the following two vulnerabilities found in ArcSight Logger 6.7.1 are now available. Please contact Customer Support to obtain Logger 6.7.1 HotFix 220.127.116.1162.0. These fixes will also be part of the upcoming release of Logger.
1. CVE-2019-11655: unrestricted file upload
- Affected versions: Logger 6.7.0 and later
- Severity: Critical
- CVSS 3.0 Rating: 9.9 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
- CWE Reference: 434 - Unrestricted Upload of File with Dangerous Type
2. CVE-2019-11656: stored XSS
- Affected versions: all versions prior to Logger 6.7.1 HotFix 18.104.22.16862.0
- Severity: Medium
- CVSS 3.0 Rating: 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
- CWE Reference: 79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The HotFix also resolves two non-security defects:
- "External Task is undefined" and "Syntax error" messages appear in the browser console after a Logger report query object is created or modified in Internet Explorer.
- Reports with long names (more than 60 characters) emailed through an SMTP server are attached with an incorrect filename and extension.
Micro Focus recommends applying HotFix 22.214.171.12462.0 to ArcSight Logger 6.7.1, in either the software or the appliance form factor.
Researcher Credit - For CVE-2019-11655 and CVE-2019-11656, we would like to give special thanks to Michael Vieth, an Application Security Engineer at CME Group, for responsibly disclosing these vulnerabilities.