
ArcSight Logger - Fix for Security Vulnerability

A fix for the following two vulnerabilities, found in ArcSight Logger 6.7.1, is now available. Please contact Customer Support to obtain Logger 6.7.1 HotFix 6.7.1.8262.0. These fixes will also be part of the upcoming release of Logger.

1. CVE-2019-11655: unrestricted file upload

  • Affected versions: Logger 6.7.0 and later
  • Severity: Critical
  • CVSS 3.0 Rating: 9.9 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
  • CWE Reference: 434 - Unrestricted Upload of File with Dangerous Type

2. CVE-2019-11656: stored XSS

  • Affected versions: versions prior to Logger 6.7.1 HotFix 6.7.1.8262.0
  • Severity: Medium
  • CVSS 3.0 Rating: 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
  • CWE Reference: 79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Problem description:
"External Task is undefined" and "Syntax error" errors appear in the browser console after a Logger report query object is created or modified using the IE browser.

Reports with lengthy names (more than 60 characters) that are emailed via an SMTP server are attached with an incorrect filename and extension.

Resolution:
Micro Focus recommends applying HotFix 6.7.1.8262.0 to ArcSight Logger 6.7.1, in either software or appliance form factor. These fixes will also be part of the upcoming release of Logger.

Researcher Credit - For CVE-2019-11655 and CVE-2019-11656, we would like to give special thanks to Michael Vieth, an Application Security Engineer at CME Group, for responsibly disclosing these vulnerabilities.


Thank you.