UCMDB Support Tip: UCMDB Security Vulnerability Identified with AXIS2 Web Service

This tip describes a targeted security test on HP uCMDB application servers. The testing was initiated in response to the discovery that one of the servers was vulnerable to a potentially serious security attack.

It was determined that a subset of the uCMDB servers were in fact vulnerable to an attacker remotely uploading and activating a malicious AXIS2 web service, which would result in the complete compromise of the servers themselves and of any sensitive data they contained.

To assess the risk, you may have uploaded and activated a test web service on one of the non-production uCMDB servers. As a result, it was possible to assume complete control of the server and retrieve sensitive data.

By leveraging this sensitive data, it was ultimately possible to retrieve user credentials that would enable an attacker to remotely log in to large UNIX servers and to remotely access certain Windows servers.

The underlying issue was that the AXIS2 web service administrative interface was configured with the default administrator account and password. The AXIS2 web service was reconfigured to eliminate this risk.


If such a scenario is encountered, please note that this is a known issue; as a workaround, change the Axis2 password.

The password can be changed without any problem for UCMDB, but other products that use the UCMDB web services should have options to change the user/password they use.

This is resolved in 10.10 CUP2; reference: https://support.openview.hp.com/selfsolve/document/KM00770975
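As an added example (not part of this post, and not HP or Micro Focus code), the script below audits an axis2.xml for the shipped Axis2 administrator credentials and applies the workaround described above by rotating the password. It assumes that the UCMDB-bundled Axis2 uses the standard axis2.xml layout, where the admin console login is read from `<parameter name="userName">` and `<parameter name="password">` directly under `<axisconfig>`, and that the bundled copy keeps the stock Axis2 defaults; the path of axis2.xml on a UCMDB server is not given in the post, so the sample configuration is constructed inline rather than read from disk.

```python
import secrets
import xml.etree.ElementTree as ET

# Axis2 reads the admin console login from two <parameter> elements that sit
# directly under <axisconfig> in axis2.xml. These are the values a stock Axis2
# distribution ships with (assumption: UCMDB's bundled copy keeps the same
# layout and defaults).
AXIS2_DEFAULT_CREDENTIALS = {"userName": "admin", "password": "axis2"}
MIN_PASSWORD_LENGTH = 12

# Constructed sample axis2.xml, trimmed to the parameters that matter here.
SAMPLE_AXIS2_XML = """<axisconfig name="AxisJava2.0">
    <parameter name="hotdeployment">true</parameter>
    <parameter name="userName">admin</parameter>
    <parameter name="password">axis2</parameter>
    <parameter name="servicePath">services</parameter>
</axisconfig>
"""


def _admin_parameter_elements(root):
    """Map parameter name -> element for the admin login parameters."""
    found = {}
    for param in root.findall("parameter"):
        name = param.get("name")
        if name in AXIS2_DEFAULT_CREDENTIALS:
            found[name] = param
    return found


def audit_admin_credentials(xml_text):
    """Report each admin login parameter as 'default', 'changed' or 'missing'.

    'missing' is reported separately rather than assumed safe, because a
    parameter that is absent from the file cannot have been rotated.
    """
    root = ET.fromstring(xml_text)
    elements = _admin_parameter_elements(root)
    report = {}
    for name, default in AXIS2_DEFAULT_CREDENTIALS.items():
        element = elements.get(name)
        if element is None:
            report[name] = "missing"
        elif (element.text or "").strip() == default:
            report[name] = "default"
        else:
            report[name] = "changed"
    return report


def rotate_admin_password(xml_text, new_password):
    """Return axis2.xml text with the admin password replaced.

    Refuses the shipped default and short values so the workaround cannot be
    applied with a weak or unchanged password.
    """
    if new_password == AXIS2_DEFAULT_CREDENTIALS["password"]:
        raise ValueError("new password must not be the Axis2 default")
    if len(new_password) < MIN_PASSWORD_LENGTH:
        raise ValueError(
            f"new password must be at least {MIN_PASSWORD_LENGTH} characters"
        )
    root = ET.fromstring(xml_text)
    element = _admin_parameter_elements(root).get("password")
    if element is None:
        raise ValueError('axis2.xml has no <parameter name="password"> element')
    element.text = new_password
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", audit_admin_credentials(SAMPLE_AXIS2_XML))
    # Generate a random password for the rotation; in practice, store it in
    # whatever secret store the other products using the UCMDB web services
    # read their credentials from.
    hardened = rotate_admin_password(SAMPLE_AXIS2_XML, secrets.token_urlsafe(24))
    print("after: ", audit_admin_credentials(hardened))
```

Running the audit before and after rotation shows `password` moving from `default` to `changed` while `userName` is still reported as `default`, which is a reminder that the account name is a second parameter to review when the other products using the UCMDB web services are updated with the new credentials.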

HP Support
If you find this or any post resolves your issue, please be sure to mark it as an accepted solution.
