
====================================================================

                                  CERT-Renater

                       Note d'Information No. 2016/VULN121
_____________________________________________________________________

DATE                : 18/03/2016

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running ArcSight ESM versions 5.x, 6.5.x
                         prior to 5.6, 6.5C SP1 Patch 2, 6.8c P1, 6.9.1,
                        ArcSight ESM Express versions prior to 6.9.1.

======================================================================
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_n
a-c05048452
_____________________________________________________________________


Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_n
a-c05048452

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c05048452
Version: 1

HPSBGN03556 rev.1 - ArcSight ESM and ESM Express, Remote Arbitrary File
Download, Local Arbitrary Command Execution

NOTICE: The information in this Security Bulletin should be acted upon
as soon as possible.

Release Date: 2016-03-14
Last Updated: 2016-03-14

Potential Security Impact: Remote arbitrary file download, local
arbitrary command execution

Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with ArcSight
ESM and ESM Express. The vulnerabilities could be exploited remotely to
trick an unsuspecting user into downloading arbitrary files, or running
arbitrary commands on the local system.

References:

CVE-2016-1990
CVE-2016-1991
PSRT102039

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP ArcSight ESM Express all versions
HP ArcSight ESM 5.x versions prior to 5.6, 6.0, 6.5.x prior to 6.5C SP1
Patch 2, 6.8c

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
    Reference              Base Vector             Base Score
CVE-2016-1990    (AV:L/AC:L/Au:S/C:P/I:P/A:P)       4.3
CVE-2016-1991    (AV:N/AC:L/Au:S/C:P/I:P/A:P)       6.5
===========================================================
               Information on CVSS is documented
              in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Enterprise Company thanks Clive Reeves of Telestra
for reporting these vulnerabilities to security-alert@hpe.com.

RESOLUTION

HPE has made the following software updates available to resolve the
vulnerabilities. The updates may be downloaded from:
https://softwaresupport.hp.com/

HP ArcSight Enterprise Security Manager versions v5.6, v6.5C SP1 Patch
2, v6.8c P1, and v6.9.1
HP ArcSight ESM Express version v6.9.1

HISTORY
Version:1 (rev.1) - 14 March 2016 Initial release

Third Party Security Patches: Third party security patches that are to
be installed on systems running Hewlett Packard Enterprise (HPE)
software products should be applied in accordance with the customer's
patch management policy.

Support: For issues about implementing the recommendations of this
Security Bulletin, contact normal HPE Services support channel. For
other issues about the content of this Security Bulletin, send e-mail
to security-alert@hpe.com.

Report: To report a potential security vulnerability with any HPE
supported product, send Email to: security-alert@hpe.com

Subscribe: To initiate a subscription to receive future HPE Security
Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security
Bulletins is available here:
http://www.hpe.com/support/Security_Bulletin_Archive

Software Product Category: The Software Product Category is represented
in the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX

Copyright 2016 Hewlett Packard Enterprise

Hewlett Packard Enterprise shall not be liable for technical or
editorial errors or omissions contained herein. The information
provided is provided "as is" without warranty of any kind. To the
extent permitted by law, neither HP or its affiliates, subcontractors
or suppliers will be liable for incidental,special or consequential
damages including downtime cost; lost profits; damages relating to the
procurement of substitute products or services; or damages for loss of
data, or software restoration. The information in this document is
subject to change without notice. Hewlett Packard Enterprise and the
names of Hewlett Packard Enterprise products referenced herein are
trademarks of Hewlett Packard Enterprise in the United States and other
countries. Other product and company names mentioned herein
may be trademarks of their respective owners.

==========================================================
Serveur de référence du CERT-Renater
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================