====================================================================
CERT-Renater Information Note No. 2012/VULN320
____________________________________________________________________
DATE                 : 10/08/2012
HARDWARE PLATFORM(S) : HP Arcsight appliance.
OPERATING SYSTEM(S)  : HP Arcsight appliances software.
======================================================================

http://www.kb.cert.org/vuls/id/960468
______________________________________________________________________

Vulnerability Note VU#960468
HP Arcsight Logger and Connector appliances cross-site scripting vulnerability

Original Release date: 06 Aug 2012 | Last revised: 06 Aug 2012

Overview

HP's Arcsight Connector appliance v6.2.0.6244.0 and Arcsight Logger appliance v5.2.0.6288.0 (and possibly other versions) contain a file import facility which is vulnerable to cross-site scripting (XSS).

Description

The supplied facility for importing host data from a file (System Admin Tab | Network | Hosts | Import from Local File) on the HP Arcsight Connector and HP Arcsight Logger appliances fails to sanitize the imported input, allowing cross-site scripting attacks. An attacker with write access to the file that will be imported can add JavaScript code to the file. This code will run in the security context of the appliance administrative web GUI when the file is imported.

Impact

A remote attacker may, by luring a user into importing a malicious host file, be able to disclose sensitive information, steal user cookies, or escalate privileges.

Solution

We are currently unaware of a practical solution to this problem.

Do not import host files from untrusted sources

Attackers must deliver a malicious host file to, or modify an existing file on, a vulnerable system in order to take advantage of this vulnerability. Importing only host files that come from known and trusted sources and that cannot be modified by unprivileged users reduces the chances of exploitation.
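As an added defensive illustration (not ArcSight's own code, which is not public), the following JavaScript shows the two controls the Description implies are missing in the import facility: validating each imported host entry against the hosts-file grammar, and HTML-escaping every field before it is rendered in the administrative GUI. The file format, the function names and the sample file are assumptions.

```javascript
// Added example, not ArcSight code: parse a hosts-style import file,
// accept only well-formed entries, and HTML-escape anything rendered in the GUI.
// Assumed format: "<ip> <hostname> [alias ...]" per line, '#' starts a comment.

const IPV4_RE = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;
// RFC 1123 labels: letters, digits and hyphens, no leading or trailing hyphen.
const HOSTNAME_RE = /^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$/i;

// Output encoding for HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Validate on import: entries that are not a valid address followed by valid
// hostnames are rejected (with their line number) rather than stored.
function parseHostsFile(text) {
  const accepted = [];
  const rejected = [];
  text.split(/\r?\n/).forEach((raw, idx) => {
    const line = raw.replace(/#.*$/, '').trim();
    if (!line) return;
    const [ip, ...names] = line.split(/\s+/);
    const valid = IPV4_RE.test(ip) && names.length > 0 && names.every((n) => HOSTNAME_RE.test(n));
    if (valid) accepted.push({ ip, names });
    else rejected.push({ line: idx + 1, text: raw });
  });
  return { accepted, rejected };
}

// Encode on output as well: even validated data is escaped, so a later
// relaxation of the validator cannot reintroduce script injection.
function renderRows(entries) {
  return entries
    .map((e) => `<tr><td>${escapeHtml(e.ip)}</td><td>${escapeHtml(e.names.join(' '))}</td></tr>`)
    .join('\n');
}

// Constructed sample import file (not taken from the advisory).
const SAMPLE = [
  '# corporate hosts',
  '10.0.0.5 siem.example.internal logger',
  '10.0.0.6 connector<i>.example',  // markup inside a hostname: rejected
  '999.1.1.1 broken.example',       // invalid address: rejected
].join('\n');

const result = parseHostsFile(SAMPLE);
console.log(renderRows(result.accepted));
console.log('rejected lines:', result.rejected.map((r) => r.line)); // [ 3, 4 ]
```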
Vendor Information

Vendor                   Status    Date Notified  Date Updated
Hewlett-Packard Company  Affected  02 May 2012    12 Jun 2012

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           1.7    AV:L/AC:L/Au:S/C:N/I:P/A:N
Temporal       1.3    E:U/RL:U/RC:UC
Environmental  0.5    CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

http://www.arcsight.com/products/products-logger/
http://www.arcsight.com/products/products-connectors/

Credit

Thanks to Michael Rutkowski of Duer Advanced Technology and Aerospace, Inc (DATA) for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs:              CVE-2012-2960
Date Public:          06 Aug 2012
Date First Published: 06 Aug 2012
Date Last Updated:    06 Aug 2012
Document Revision:    11

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

======================================================================
=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER         | tel  : 01-53-94-20-44     +
+ 23 - 25 Rue Daviel   | fax  : 01-53-94-20-41     +
+ 75013 Paris          | email: certsvp@renater.fr +
=========================================================