HPESBGN03770 rev.1 - HPE BSM Platform Application Performance Management System Health, Multiple Vulnerability

  • KM02942065
  • 06-Sep-2017
  • 07-Sep-2017

Summary

Potential security vulnerabilities have been identified in the HPE BSM Platform Application Performance Management System Health product. These vulnerabilities could be remotely exploited to allow authentication bypass, directory traversal, arbitrary file deletion, unrestricted file upload and information disclosure.

Reference

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: km02942065

Version: 1

HPESBGN03770 rev.1 - HPE BSM Platform Application Performance Management System Health, Multiple Vulnerability
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2017-09-07

Last Updated: 2017-09-07


Potential Security Impact: Remote: Arbitrary File Deletion, Authentication Bypass, Directory Traversal, Disclosure of Information

Source: Hewlett Packard Enterprise, HPE Product Security Response Team

VULNERABILITY SUMMARY

Potential security vulnerabilities have been identified in the HPE BSM Platform Application Performance Management System Health product. These vulnerabilities could be remotely exploited to allow authentication bypass, directory traversal, arbitrary file deletion, unrestricted file upload and information disclosure.

References:

  • CVE-2017-13982 - ZDI-CAN-4455
  • CVE-2017-13983 - ZDI-CAN-4466
  • CVE-2017-13984 - ZDI-CAN-4457
  • CVE-2017-13985 - ZDI-CAN-4456

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  • HPE BSM Platform - v9.26, v9.30 and v9.40

BACKGROUND

CVSS Version 3.0 and Version 2.0 Base Metrics

CVE-2017-13982
  V3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  V3 Base Score: 7.5
  V2 Vector: (AV:N/AC:L/Au:S/C:N/I:C/A:N)
  V2 Base Score: 6.8

CVE-2017-13983
  V3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  V3 Base Score: 7.5
  V2 Vector: (AV:N/AC:L/Au:S/C:C/I:N/A:N)
  V2 Base Score: 6.8

CVE-2017-13984
  V3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  V3 Base Score: 7.5
  V2 Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:C)
  V2 Base Score: 6.8

CVE-2017-13985
  V3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  V3 Base Score: 7.5
  V2 Vector: (AV:N/AC:L/Au:S/C:C/I:N/A:N)
  V2 Base Score: 6.8

Hewlett Packard Enterprise thanks rgod, working with Trend Micro's Zero Day Initiative (ZDI), for reporting these vulnerabilities to security-alert@hpe.com.

RESOLUTION

HPE has made the following software updates and mitigation information available to resolve these vulnerabilities in HPE BSM Platform Application Performance Management System Health:

https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facetsearch/document/KM02912533?lang=en&cc=us&hpappid=202392_SSO_PRO_HPE

HISTORY
Version: 1 (rev.1) - 7 September 2017 - Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin or content of this Security Bulletin, send e-mail to security@microfocus.com.

Report: To report a potential security vulnerability for any HPE supported product:

Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive

Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX