Home Unlabelled Bugtraq: [security bulletin] HPSBGN03618 rev.1 - HPE Service Manager remote Denial of Service (DoS), Disclosure of Information, Unauthorized Read Access to Files, Server Side Request Forgery

Bugtraq: [security bulletin] HPSBGN03618 rev.1 - HPE Service Manager remote Denial of Service (DoS), Disclosure of Information, Unauthorized Read Access to Files, Server Side Request Forgery

By
Wednesday, June 08, 2016
Read
Add Comment

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

Note: the current version of the following document is available here:

http://ift.tt/1Uac92b

emr_n

a-c05167176

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c05167176

Version: 1

HPSBGN03618 rev.1 - HPE Service Manager remote Denial of Service (DoS),

Disclosure of Information, Unauthorized Read Access to Files, Server Side

Request Forgery

NOTICE: The information in this Security Bulletin should be acted upon as

soon as possible.

Release Date: 2016-06-08

Last Updated: 2016-06-08

Potential Security Impact: Remote Denial of Service (DoS), Disclosure of

Sensitive Information, Unauthorized Read Access to Files, Server-Side Request

Forgery (SSRF)

Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY

Potential vulnerabilities have been identified in HPE Service Manager. These

vulnerabilities could be remotely exploited to allow disclosure of

information, unauthorized read access to files and server side request

forgery.

References:

CVE-2016-4371

PSRT110006

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP Service Manager Software 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41

Server, Web Client, Windows Client, Service Request Catalog, Mobility

BACKGROUND

CVSS 2.0 Base Metrics

===========================================================

Reference Base Vector Base Score

CVE-2016-4371 (AV:N/AC:M/Au:S/C:P/I:P/A:N) 4.9

===========================================================

Information on CVSS is documented

in HP Customer Notice: HPSN-2008-002

Acknowledgement: The Hewlett-Packard Company thanks Markus Wulftange of Code

White GmbH for reporting this vulnerability to security-alert (at) hpe (dot) com. [email concealed]

RESOLUTION

HPE has made the following mitigation information available to resolve the

vulnerability for the impacted versions of HPE Service Manager:

For versions 9.30, 9.31, 9.32, 9.33, 9.34: Upgrade to SM 9.35.P4

(recommended) or SM 9.34.P5

SM9.35 P4 package,

SM 9.35 Mobility 9.35.4000 p4:

http://ift.tt/1UfHjW6

SM 9.35 ServiceRequestCatalog 9.35.0015 p4:

http://ift.tt/1PhFFxA

SM 9.35 AIX Server 9.35.4001 p4:

http://ift.tt/1UfHmkP

SM 9.35 HP Itanium Server 9.35.4001 p4:

http://ift.tt/1PhG8Qn

SM 9.35 HP Itanium Server for Oracle 12c 9.35.4001 p4:

http://ift.tt/1UfHmB8

SM 9.35 Linux Server 9.35.4001 p4:

http://ift.tt/1PhGma8

SM 9.35 Solaris Server 9.35.4001 p4:

http://ift.tt/1UfHcKj

SM 9.35 Windows Server 9.35.4001 p4:

http://ift.tt/1PhGdnh

SM 9.35 Webtier 9.35.4001 p4:

http://ift.tt/1UfHuR7

SM 9.35 Windows Client 9.35.4001 p4:

http://ift.tt/1PhG5E1

SM 9.34.P5 package, AIX Server 9.34.5003 p5:

http://ift.tt/1UfHn8i

HP Itanium Server 9.34.5003 p5:

http://ift.tt/1PhFRgb

Linux Server 9.34.5003 p5:

http://ift.tt/1UfHmRQ

Solaris Server 9.34.5003 p5:

http://ift.tt/1PhFEtr

Windows Server 9.34.5003 p5:

http://ift.tt/1UfHtg1

Webtier 9.34.5003 p5:

http://ift.tt/1PhG7vN

Windows Client 9.34.5003 p5:

http://ift.tt/1UfH3Xg

ServiceRequestCatalog 9.34.0011 p5:

http://ift.tt/1PhFOkG

Mobility 9.34.5001 p5:

http://ift.tt/1UfHIru

For version 9.35: Upgrade to SM 9.35.P4

SM9.35 P4 package,

SM 9.35 Mobility 9.35.4000 p4:

http://ift.tt/1UfHjW6

SM 9.35 ServiceRequestCatalog 9.35.0015 p4:

http://ift.tt/1PhFFxA

SM 9.35 AIX Server 9.35.4001 p4:

http://ift.tt/1UfHmkP

SM 9.35 HP Itanium Server 9.35.4001 p4:

http://ift.tt/1PhG8Qn

SM 9.35 HP Itanium Server for Oracle 12c 9.35.4001 p4:

http://ift.tt/1UfHmB8

SM 9.35 Linux Server 9.35.4001 p4:

http://ift.tt/1PhGma8

SM 9.35 Solaris Server 9.35.4001 p4:

http://ift.tt/1UfHcKj

SM 9.35 Windows Server 9.35.4001 p4:

< http://ift.tt/1PhGdnh

SM 9.35 Webtier 9.35.4001 p4:

< http://ift.tt/1UfHuR7

SM 9.35 Windows Client 9.35.4001 p4:

<

http://ift.tt/1PhG5E1

For versions 9.40, 9.41: Upgrade to SM 9.41.P3

SM9.41.P3 package,

Service Manager 9.41.3016 p3 - Server for AIX:

http://ift.tt/1PhFzpF

Service Manager 9.41.3016 p3 - Server for HP-UX/IA:

http://ift.tt/1UfHAs7

Service Manager 9.41.3016 p3 - Server for Linux:

http://ift.tt/1PhGc2H

Service Manager 9.41.3016 p3 - Server for Solaris:

http://ift.tt/1UfHnVQ

Service Manager 9.41.3016 p3 - Server for Windows:

http://ift.tt/1PhGIgQ

Service Manager 9.41.3016 p3 - Web Tier:

http://ift.tt/1UfH4dM

Service Manager 9.41.0039 p3 ServiceRequestCatalog:

http://ift.tt/1PhFTEQ

Service Manager 9.41.3016 p3 - Windows Client:

http://ift.tt/1UfHfFZ

Service Manager 9.41.3000 p3 Mobility:

http://ift.tt/1PhG2YW

HISTORY

Version:1 (rev.1) - 8 June 2016 Initial release

Third Party Security Patches: Third party security patches that are to be

installed on systems running Hewlett Packard Enterprise (HPE) software

products should be applied in accordance with the customer's patch management

policy.

Support: For issues about implementing the recommendations of this Security

Bulletin, contact normal HPE Services support channel. For other issues about

the content of this Security Bulletin, send e-mail to security-alert (at) hpe (dot) com. [email concealed]

Report: To report a potential security vulnerability with any HPE supported

product, send Email to: security-alert (at) hpe (dot) com [email concealed]

Subscribe: To initiate a subscription to receive future HPE Security Bulletin

alerts via Email: http://ift.tt/1UOEP1B

Security Bulletin Archive: A list of recently released Security Bulletins is

available here: http://ift.tt/1UOER9M

Software Product Category: The Software Product Category is represented in

the title by the two characters following HPSB.

3C = 3COM

3P = 3rd Party Software

GN = HPE General Software

HF = HPE Hardware and Firmware

MU = Multi-Platform Software

NS = NonStop Servers

OV = OpenVMS

PV = ProCurve

ST = Storage Software

UX = HP-UX

Copyright 2016 Hewlett Packard Enterprise

Hewlett Packard Enterprise shall not be liable for technical or editorial

errors or omissions contained herein. The information provided is provided

"as is" without warranty of any kind. To the extent permitted by law, neither

HP or its affiliates, subcontractors or suppliers will be liable for

incidental,special or consequential damages including downtime cost; lost

profits; damages relating to the procurement of substitute products or

services; or damages for loss of data, or software restoration. The

information in this document is subject to change without notice. Hewlett

Packard Enterprise and the names of Hewlett Packard Enterprise products

referenced herein are trademarks of Hewlett Packard Enterprise in the United

States and other countries. Other product and company names mentioned herein

may be trademarks of their respective owners.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

iQEcBAEBAgAGBQJXWFRMAAoJEGIGBBYqRO9/nIsH/jQ7GBEho4E371qmhQpwoNLq

e5e4CMOrL3946Y4IgA95t/naA34vX591HOYt2Jke22IN25Hhxf5dvO3+z4l98DiP

f/GNdSbVUmyZbPjymZwk5zm9HSMJTKgCE/17RxBo3ggImzUNfWKKp1MxjR89iI78

1p7MBooea6HQPD5yK5+uTp3HWas+riUgGk7c6G+WHtG0PcS251VVWbcaPHDGx0Hl

bUOJdNLEvO29zO923Fo/8Zb5ClmGDqhh0bCoBJgmEiwVbMpH2qwSWqjp8xklVMRe

4WadlStftIZX9szwCioZYFZG8stfurE/Vhu7I0o7IqhjbR5fuJYMR4umZrn8cRw=

=t/vL

-----END PGP SIGNATURE-----

[ reply ]


from SecurityFocus Vulnerabilities http://ift.tt/1VMImha
Tags :

Created By Nexus · Powered by Blogger
© All Rights Reserved

Terms Of Service · Privacy Policy · Disclaimer · Contact Us · About Us