
HP ArcSight Enterprise Security Management and Logger, Multiple Remote Vulnerabilities

Revised text: Mar-13-2015: Updated to include Logger 5.5 P2 as having the fix also.

----

DESCRIPTION

Earlier today, HP ArcSight announced that potential security vulnerabilities have been identified with HP ArcSight Enterprise Security Management (ESM) and HP ArcSight Logger. HP's internal investigation also revealed that HP ArcSight Express could also be vulnerable. These vulnerabilities could be exploited remotely, resulting in the ability to upload arbitrary files to the Logger server (does not affect ESM), cross-site request forgery, authorization bypass, cross frame scripting, or XML external entity injection.

This impacts the following software:

  • HP ArcSight Enterprise Security Management (ESM) prior to v6.5c SP1 P1
  • HP ArcSight Express prior to v4.0 P1
  • HP ArcSight Logger prior to v5.52 and HP ArcSight Logger v6.00

CVSS 2.0 base metrics

  Reference       Base Vector                    Base Score
  CVE-2014-7884   (AV:N/AC:M/Au:S/C:P/I:P/A:P)   6.0
  CVE-2014-7885   (AV:N/AC:H/Au:N/C:P/I:P/A:P)   5.1

Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Julian Horoszkiewicz for reporting these issues to security-alert@hp.com

RESOLUTION

HP has made the following software updates available to resolve the vulnerabilities. The updates may be downloaded from: https://softwaresupport.hp.com/

  • Logger 6.01 (or) Logger 5.52
  • ESM 6.8c (or) E

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive

----

21 Replies

----

Any impact on Logger 5.5?

HAKAN
----

Where is Express 4.0 P1?

I only saw a notification for 6.5 SP1 patch 1

Please advise

----

The notification is here:

----

No official email notification that a patch is released?

----

There is supposed to be a patch for Logger 5.5 according to the article, but I cannot find it anywhere on https://softwaresupport.hp.com

----

Logger 5.5 P2 is already available from the same place where you can download Logger 5.5 and Logger 6.0. Select Logger 5.5 and the files available for download include the 5.5 P2 patches.

----

I think you need to subscribe to the relevant SKUs on "my updates". In any case, I know it is easy to miss updates from HP (sent to the wrong person, requires pre-registration to a certain SKU, etc.) and therefore strongly suggest subscribing to where this message is posted.

----

That shows "You don't have permission".

I have enough active SAIDs (also Gold partner) with valid licenses connected to my account.

----

Has anybody installed the new patch 1 on their managed ArcSight Express v4.0? If yes, thanks for sharing your experience and letting us know if it has any impact (good/bad) on your production environment.

Best Regards,

Hatem
