Revised text: Mar-13-2015: Updated to include Logger 5.5 P2 as having the fix also.
----
DESCRIPTION
Earlier today, HP ArcSight announced that potential security vulnerabilities have been identified in HP ArcSight Enterprise Security Management (ESM) and HP ArcSight Logger; HP's internal investigation found that HP ArcSight Express is affected as well. The vulnerabilities could be exploited remotely to upload arbitrary files to the Logger server (this issue does not affect ESM), or to perform cross-site request forgery, authorization bypass, cross-frame scripting, or XML external entity (XXE) injection.
This impacts the following software:
- HP ArcSight Enterprise Security Management (ESM) prior to v6.5c SP1 P1
- HP ArcSight Express prior to v4.0 P1
- HP ArcSight Logger prior to v5.52 and HP ArcSight Logger v6.00
CVSS 2.0 base metrics

Reference     | Base Vector                  | Base Score
--------------|------------------------------|-----------
CVE-2014-7884 | (AV:N/AC:M/Au:S/C:P/I:P/A:P) | 6.0
CVE-2014-7885 | (AV:N/AC:H/Au:N/C:P/I:P/A:P) | 5.1
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002
The Hewlett-Packard Company thanks Julian Horoszkiewicz for reporting these issues to security-alert@hp.com
RESOLUTION
HP has made software updates available that resolve these vulnerabilities; the fixed releases are the versions named above (ESM v6.5c SP1 P1, ArcSight Express v4.0 P1 and Logger v5.52, and, per the revision note, Logger 5.5 P2). The updates may be downloaded from: https://softwaresupport.hp.com/
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive