[security bulletin] MFSBGN03806 rev.1 - HP Network Automation Software, Network Operations Management (NOM) Suite, Multiple Vulnerabilities

2018-05-09 Thread cyber-psrt

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03158014

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03158014
Version: 1

MFSBGN03806 rev.1 - HP Network Automation Software, Network Operations
Management (NOM) Suite, Multiple Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-05-09
Last Updated: 2018-05-09

Potential Security Impact: Remote: Cross-Site Scripting (XSS), SQL Injection

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in Micro Focus Network
Automation and Network Operations Management (NOM) Suite. The vulnerabilities
could be remotely exploited to allow SQL injection, persistent cross-site
scripting, and non-persistent HTML Injection.

References:

  - CVE-2018-6492 - Remote Cross-Site Scripting (XSS)
  - CVE-2018-6493 - Remote SQL Injection

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - HP Network Automation Software - v10.0x, v10.1x, v10.2x, v10.3x, v10.4x,
v10.5x
  - Network Operations Management (NOM) Suite - v2017.06 - Classic Suite,
v2017.11 - Classic Suite, v2017.11 - Containerized Suite,  v2018.02 - Classic
Suite, v2018.02 - Containerized Suite

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


Micro Focus would like to thank Tilman Bender, Dennis Herrmann and Bastian
Kanbach of Context Information Security GmbH for reporting this issue to
cyber-p...@microfocus.com.

RESOLUTION

Micro Focus has made the following software updates and mitigation information
available to resolve the vulnerability in Micro Focus Network Automation (NA)
and Network Operations Management (NOM) Suite:

For the KM please go to the link:


Patch number 10.00.023, for NA Version 10.0x: 


Patch number 10.11.06, for NA version 10.1x: 


Patch number 10.21.05, for NA version 10.2x: 


Patch number 10.30.03, for NA version 10.3x: 


Patch number 10.40.01, for NA version 10.4x:


Patch number 10.50.01 - for NA version 10.5x:


Patch number 10.30.P3 - for NOM version 2017.06 - Classic Suite: 


Patch number 10.40.P1, for NOM version 2017.11 - Classic Suite: 


Patch number 2017.11.P1, for NOM version 2017.11 - Containerized Suite:


Patch number 10.50.01, for NOM version 2018.02 - Classic Suite:


Patch number 2018.02.P1, for NOM version 2018.02 - Containerized Suite:


HISTORY
Version:1 (rev.1) - 10 May 2018 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running Micro Focus products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal Micro Focus services support channel.
For other issues about the content of this Security Bulletin, send e-mail to
cyber-p...@microfocus.com.

Report: To report a potential security vulnerability for any supported product:
  Web form: https://www.microfocus.com/support-and-services/report-security
  Email: secur...@microfocus.com

Subscribe:
 To initiate receiving subscriptions for future Micro Focus Security Bulletin
alerts via Email, please subscribe here -
https://softwaresupport.hpe.com/group/softwaresupport/email-notification/-/subscriptions/registerdocumentnotification
 Once you are logged in to the portal, please choose security bulletins under
product and document types.
 Please note that you will need to sign in using a Passport account. If you do
not have a Passport account yet, you

[security bulletin] MFSBGN03804 - HP Service Manager Software, Remote Disclosure of Information

2018-05-09 Thread cyber-psrt

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03158061

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03158061
Version: 1

MFSBGN03804 - HP Service Manager Software, Remote Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-05-09
Last Updated: 2018-05-09

Potential Security Impact: Remote: Disclosure of Information

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with Service Manager.
These vulnerabilities have been identified in the OpenSSL open source library
component and may be exploited to cause disruption of service and
unauthorized disclosure of information.

References:

  - CVE-2017-3731
  - CVE-2017-3732

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - HP Service Manager Software - v9.30, v9.31, v9.32, v9.33, v9.34, v9.35,
v9.40, v9.41, v9.50, v9.51

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


RESOLUTION

Micro Focus has made the following mitigation information available to resolve
the vulnerability for the impacted versions of Service Manager:

For versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35 please upgrade to SM 9.35.P6:

SM9.35 P6 packages,
SM 9.35 AIX Server 9.35.6007 p6


SM 9.35 HP Itanium Server  9.35.6007 p6


SM 9.35 HP Itanium Server for Oracle 12c 9.35.6007 p6


SM 9.35 Linux Server 9.35.6007 p6


SM 9.35 Solaris Server 9.35.6007 p6


SM 9.35 Windows Server 9.35.6007 p6



For version 9.40, 9.41 please upgrade to SM 9.41.P6:

SM9.41.P6 packages,
Service Manager 9.41.6000 p6 - Server for AIX


Service Manager 9.41.6000 p6 - Server for HP-UX/IA


Service Manager 9.41.6000 p6 - Server for Linux


Service Manager 9.41.6000 p6 - Server for Solaris


Service Manager 9.41.6000 p6 - Server for Windows



For version 9.50, 9.51 Server and KM components please upgrade to SM 9.52.P2:

SM9.52.P2 packages,
Service Manager 9.52.2021 p2 - Server for Windows


Service Manager 9.52.2021 p2 - Server for Linux


HISTORY
Version:1 (rev.1) - 9 May 2018 Initial release

[security bulletin] MFSBGN03807 rev.1 - HP Service Manager Software, SQL Injection

2018-05-10 Thread cyber-psrt

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03158656

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03158656
Version: 1

MFSBGN03807 rev.1 - HP Service Manager Software, SQL Injection

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-05-10
Last Updated: 2018-05-10

Potential Security Impact: Remote: SQL Injection

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with Service Manager.
The vulnerability could be exploited to perform SQL Injection against the
Service Manager Web Tier which may lead to unauthorized disclosure of data.

References:

  - CVE-2018-6494 - Remote SQL Injection

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - HP Service Manager Software - v9.30, v9.31, v9.32, v9.33, v9.34, v9.35,
v9.40, v9.41, v9.50, v9.51

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


RESOLUTION

Micro Focus has made the following resolution information available to resolve
the vulnerability for the impacted versions of Service Manager: 

For versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35 please upgrade to SM 9.35.P6 

SM9.35 P6 package, SM 9.35 Webtier 9.35.6007 p6


   
For version 9.40, 9.41 please upgrade to SM 9.41.P6

SM9.41.P6 package, Service Manager 9.41.6000 p6 - Web Tier



For version 9.50, 9.51 please upgrade to SM 9.52.P2

SM9.52.P2 package, Service Manager 9.52.2021 p2 - Web Tier



HISTORY
Version:1 (rev.1) - 10 May 2018 Initial release

Subscribe:
 To initiate receiving subscriptions for future Micro Focus Security Bulletin
alerts via Email, please subscribe here -
https://softwaresupport.hpe.com/group/softwaresupport/email-notification/-/subscriptions/registerdocumentnotification
 Once you are logged in to the portal, please choose security bulletins under
product and document types.
 Please note that you will need to sign in using a Passport account. If you do
not have a Passport account yet, you can create one - it's free and easy
https://cf.passport.softwaregrp.com/hppcf/createuser.do

Security Bulletin Archive:
 A list of recently released Security Bulletins is available here: 
https://softwaresupport.hpe.com/security-vulnerability
 
Software Product Category: The Software Product Category is represented in
the title by the two characters following Micro Focus Security Bulletin.

3P = 3rd Party Software
GN = Micro Focus General Software
MU = Multi-Platform Software

System management and security procedures must be reviewed frequently to
maintain system integrity.
Micro Focus is continually reviewing and enhancing the security features of
software products to provide customers with current secure solutions.

"Micro Focus is broadly distributing this Security Bulletin in order to bring
to the attention of users of the affected Micro Focus products the important
security information contained in this Bulletin. Micro Focus recommends that
all users determine the applicability of this information to their individual
situations and take appropriate action.
Micro Focus does not warrant that this information is necessarily accurate or
complete for all user situations and, consequently, Micro Focus will not be
responsible for any damages resulting from user's use or disregard of the
information provided in this Security Bulletin. To the extent permitted by
law, Micro Focus disclaims all warranties, either express or implied,
including the warranties of merchantability and fitness for a particular
purpose, title and non-infringement."


Copyright 2017 EntIT Software LLC

Micro Focus shall not be liable for technical or editorial errors or omissions
contained herein.
The information provided is provided "as is" without

[security bulletin] MFSBGN03802 - Virtualization Performance Viewer (vPV) / Cloud Optimizer, Local Disclosure of Information

2018-05-10 Thread cyber-psrt

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03158629

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03158629
Version: 2

MFSBGN03802 - Virtualization Performance Viewer (vPV) / Cloud Optimizer,
Local Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-05-11
Last Updated: 2018-05-10

Potential Security Impact: Local: Disclosure of Information

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
A potential vulnerability has been identified in a 3rd party component used by
Micro Focus Virtualization Performance Viewer (vPV) / Cloud Optimizer Virtual
Appliance. The vulnerability could be exploited to allow Local Disclosure of
Information.

References:

  - CVE-2017-5753
  - CVE-2017-5715
  - CVE-2017-5754

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - HP Virtualization Performance Viewer Software - v2.20, v3.0, v3.01,
v3.02, v3.03
  - HPE Cloud Optimizer - v2.20, v3.0, v3.01, v3.02, v3.03

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


RESOLUTION

Micro Focus is actively working with its vendors to address any systems-level
Spectre and Meltdown impacts. However, if you have immediate concerns or
questions regarding CentOS and its approach to Spectre or Meltdown, please
contact them directly.

HISTORY

Version:1 (rev.1) - 12 April 2018 Initial release

Version:2 (rev.2) - 10 May 2018 Vulnerability Summary


[security bulletin] MFSBGN03805 - HP Service Manager, Remote Disclosure of Information

2018-05-10 Thread cyber-psrt

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03158613

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03158613
Version: 1

MFSBGN03805 - HP Service Manager, Remote Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-05-10
Last Updated: 2018-05-10

Potential Security Impact: Remote: Disclosure of Information

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in Service Manager.
This vulnerability may allow an exploit against a long-duration encrypted
session known as the Sweet32 attack, and which may be exploited remotely.

References:

  - CVE-2016-2183
  - CVE-2016-6329

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - HP Service Manager Software - v9.30, v9.31, v9.32, v9.33, v9.34, v9.35,
v9.40, v9.41, v9.50, v9.51

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


RESOLUTION

Micro Focus has made the following information available to resolve the
vulnerability for the impacted versions of Service Manager:

For versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35 please upgrade to SM 9.35.P6:

SM9.35 P6 packages,
SM 9.35 AIX Server 9.35.6007 p6


SM 9.35 HP Itanium Server  9.35.6007 p6


SM 9.35 HP Itanium Server for Oracle 12c 9.35.6007 p6


SM 9.35 Linux Server 9.35.6007 p6


SM 9.35 Solaris Server 9.35.6007 p6


SM 9.35 Windows Server 9.35.6007 p6




For version 9.40, 9.41 please upgrade to SM 9.41.P6:

SM9.41.P6 packages,
Service Manager 9.41.6000 p6 - Server for AIX


Service Manager 9.41.6000 p6 - Server for HP-UX/IA


Service Manager 9.41.6000 p6 - Server for Linux


Service Manager 9.41.6000 p6 - Server for Solaris


Service Manager 9.41.6000 p6 - Server for Windows


For version 9.50, 9.51 Server and KM components please upgrade to SM 9.52.P2:

SM9.52.P2 packages,
Service Manager 9.52.2021 p2 - Server for Windows


Service Manager 9.52.2021 p2 - Server for Linux


For version 9.50, 9.51 SMSP and SMC components please upgrade to SM 9.52:

SM9.52 packages,
Service Manager 9.52 as a minor.minor full (MMF) release (due to the new SP
aggregation SKU for Propel customers) is released on the following sites
instead of SSO.


HISTORY
Version:1 (rev.1) - 10 May 2018 Initial release

[security bulletin] MFSBGN03808 rev.1 - Micro Focus UCMDB, Cross-Site Scripting

2018-05-23 Thread cyber-psrt

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03164778

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03164778
Version: 1

MFSBGN03808 rev.1 - Micro Focus UCMDB, Cross-Site Scripting

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-05-23
Last Updated: 2018-05-23

Potential Security Impact: Remote: Cross-Site Scripting (XSS)

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in Micro Focus
Universal CMDB/CMS and Micro Focus UCMDB Browser. The vulnerability could be
remotely exploited to allow Cross-Site Scripting (XSS).

References:

  - CVE-2018-6495 - Cross-Site Scripting (XSS)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - HP Universal CMDB Foundation Software - V10.20, v10.21, v10.22, v10.30,
v10.31, v10.32, v10.33, v11.0, CMS Server 2018.05, v4.10, v4.11, v4.12,
v4.13, v4.14, v4.15.1
  - UCMDB Browser - V4.10, v4.11, v4.12, v4.13, v4.14, v4.15.1

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


Micro Focus would like to thank Bharath Kumar Pyaneni for reporting this
issue to cyber-p...@microfocus.com.

RESOLUTION

Micro Focus has made the following software updates and mitigation
information to resolve the vulnerability in the supported versions of Micro
Focus Universal CMDB/CMS and Micro Focus UCMDB Browser.

For Universal CMDB/CMS, please go to the link:



For UCMDB Browser, please go to the link:



HISTORY
Version:1 (rev.1) - 23 May 2018 Initial release

[security bulletin] MFSBGN03809 rev.1 - Universal CMDB, Deserialization Java Objects and CSRF

2018-06-17 Thread cyber-psrt

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03180066

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03180066
Version: 1

MFSBGN03809 rev.1 - Universal CMDB, Deserialization Java Objects and CSRF

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-06-15
Last Updated: 2018-06-15

Potential Security Impact: Remote: Cross-Site Request Forgery (CSRF)

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
A potential vulnerability has been identified in UCMDB Browser. This
vulnerability could be exploited to allow Deserialization & Cross-Site Request
Forgery (CSRF).

References:

  - CVE-2018-6496

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - UCMDB Browser V -4.10, -4.11, -4.12, -4.13, -4.14, -4.15, -4.15.1

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


Micro Focus would like to thank Mateusz Garncarek for reporting this issue to
cyber-p...@microfocus.com.

RESOLUTION

Micro Focus has made the following mitigation information available to
resolve the vulnerability for the impacted versions of UCMDB Browser:



HISTORY
Version:1 (rev.1) - 15 June 2018 Initial release

Micro Focus shall not be liable for technical or editorial errors or omissions
contained herein.
The information provided is provided "as is" without warranty of any kind. To
the extent permitted by law, neither Micro Focus nor its affiliates,
subcontractors or suppliers will be liable for incidental, special or
consequential damages including downtime cost; lost profits; damages relating
to the procurement of substitute products or services; or damages for loss of
data, or software restoration.
The information in this document is subject to change without notice. Micro
Focus and the names of Micro Focus products referenced herein are trademarks
of Micro Focus in the United States and other countries.
Other product and company names mentioned herein may

[security bulletin] MFSBGN03810 rev.1 - Universal CMDB, Deserialization Java Objects and CSRF

2018-06-17 Thread cyber-psrt

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03180069

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03180069
Version: 1

MFSBGN03810 rev.1 - Universal CMDB, Deserialization Java Objects and CSRF

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-06-15
Last Updated: 2018-06-15

Potential Security Impact: Remote: Cross-Site Request Forgery (CSRF)

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
A potential vulnerability has been identified in UCMDB Server. This
vulnerability could be exploited to allow Deserialization & Cross-Site Request
Forgery (CSRF).

References:

  - CVE-2018-6497

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - Universal CMDB Server; DDM Content Pack V -10.20, -10.21, -10.22, -10.22
CUP7, -10.30, -10.31, -10.32, -10.33, -10.33 CUP2, -11.0, -CMS Server 2018.05

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


Micro Focus would like to thank Mateusz Garncarek for reporting this issue to
cyber-p...@microfocus.com.

RESOLUTION

Micro Focus has made the following mitigation information available to
resolve the vulnerability for the impacted versions of UCMDB Server:



HISTORY
Version:1 (rev.1) - 15 June 2018 Initial release


[security bulletin] MFSBGN03797 rev.1 - Micro Focus Fortify Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC), XML External Entity Injection

2018-02-01 Thread cyber-psrt
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03083653

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03083653
Version: 1

MFSBGN03797 rev.1 - Micro Focus Fortify Audit Workbench (AWB) and Micro Focus
Fortify Software Security Center (SSC), XML External Entity Injection

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-02-01
Last Updated: 2018-02-01

Potential Security Impact: Remote: Unauthorized Data Injection

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in Micro Focus Fortify
Audit Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC).
The vulnerability could be exploited to allow XML External Entity (XXE)
injection.

References:

  - CVE-2018-6486 - XML External Entity (XXE)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - Fortify Audit Workbench (AWB) -v 16.10, 16.20, 17.10
  - Fortify Software Security Center (SSC) -v 16.10, 16.20, 17.10

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


Micro Focus would like to thank Jakub Palaczynski for reporting this issue to
security-al...@hpe.com

RESOLUTION

Micro Focus has made the following software updates and mitigation
information to resolve the vulnerability in Micro Focus Fortify Audit
Workbench (AWB) and Micro Focus Fortify Software Security Center (SSC).

* Upgrade to Fortify 17.20 or later by visiting Software Support Online and
logging in to your SSO account using the following link:


HISTORY
Version:1 (rev.1) - 1 February 2018 Initial release


[security bulletin] MFSBGN03800 rev.1 - Micro Focus Performance Center, Remote Arbitrary Code Execution or Remote Arbitrary File Modification

2018-02-14 Thread cyber-psrt
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03091103

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03091103
Version: 1

MFSBGN03800 rev.1 - Micro Focus Performance Center, Remote Arbitrary Code
Execution or Remote Arbitrary File Modification

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-02-13
Last Updated: 2018-02-13

Potential Security Impact: Remote: Arbitrary Code Execution, Arbitrary File
Modification

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
A potential vulnerability has been identified in Micro Focus Performance
Center. The vulnerability could be exploited to allow Remote Arbitrary File
Modification or Remote Arbitrary Code Execution.

References:

  - CVE-2017-11357

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - HPE Performance Center -v 12.55 and older

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


RESOLUTION

Micro Focus has made the following mitigation information available to
resolve the vulnerability for the impacted versions of Micro Focus
Performance Center:

* The fix is applied to PC versions 12.53 and 12.55. More details can be
found here:


* If you are using older versions of the software please upgrade them to
appropriate versions before getting the fix.

HISTORY
Version:1 (rev.1) - 13 February 2018 Initial release


[security bulletin] MFSBGN03798 rev.1 - Micro Focus Universal CMDB, Apache Struts Instance

2018-02-22 Thread cyber-psrt
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03086019

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03086019
Version: 1

MFSBGN03798 rev.1 - Micro Focus Universal CMDB, Apache Struts Instance

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-02-22
Last Updated: 2018-02-22

Potential Security Impact: Remote: Arbitrary Code Execution

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in Micro Focus
Universal CMDB. The vulnerability could be remotely exploited to allow
Arbitrary Code Execution.

References:

  - CVE-2018-6488 - Arbitrary Code Execution

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - HP UCMDB Configuration Manager Software -v 4.10, 4.11, 4.12

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


Micro Focus would like to thank Chethan K and Sharp Rodney for reporting this
issue to cyber-p...@microfocus.com

RESOLUTION

Micro Focus has made the following software updates and mitigation
information to resolve the vulnerability in Micro Focus Universal CMDB.

* For more information please use the following link: 


HISTORY
Version:1 (rev.1) - 21 February 2018 Initial release


[security bulletin] MFSBGN03793 rev.2 - Project and Portfolio Management Center, Multiple vulnerabilities

2018-01-03 Thread cyber-psrt
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03014426

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03014426
Version: 2

MFSBGN03793 rev.2 - Project and Portfolio Management Center, Multiple
vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2017-12-12
Last Updated: 2018-01-03

Potential Security Impact: Remote: Cross-Site Request Forgery (CSRF)

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in Micro Focus Project
and Portfolio Management Center. This vulnerability could be remotely
exploited to execute a Man-in-the-Middle (MitM) attack and Cross-site Request
Forgery (CSRF).

References:

  - CVE-2017-14361 - MitM
  - CVE-2017-14362 - CSRF

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - HPE Project and Portfolio Management Center -v 9.32

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


Micro Focus would like to thank the Research Team at Rhino Security Labs
www.rhinosecuritylabs.com for reporting this issue to security-al...@hpe.com.

RESOLUTION

Micro Focus has made the following software updates and mitigation
information to resolve the vulnerability in Micro Focus Project and Portfolio
Management Center.

* For Session fixation on webapp login - Upgrade to 9.32.0004, by using the
following link:


* For XXE - Upgrade to 9.32.0005 if you are on 9.3x, by using the following link:


* For JSESSIONID cookie does not have SECURE flag -Upgrade to 9.32.0005 if
you are on 9.3x, by using the following link:


* Upgrade to 9.41 if you are on 9.4x, by using the following link:


* For Workbench thick client vulnerable to MiTM attack - Contact Customer
Support for hotfix download.

* For No CSRF protection in the web application - Contact Customer Support
for hotfix download.

HISTORY

Version:1 (rev.1) - 18 November 2017 Initial release

Version:2 (rev.2) - 12 December 2017 Adding new link



[security bulletin] MFSBGN03817 rev.1 - Operations Bridge containerized suite, Remote Code Execution

2018-08-30 Thread cyber-psrt
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03236648

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03236648
Version: 1

MFSBGN03817 rev.1 - Operations Bridge containerized suite, Remote Code
Execution

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-08-30
Last Updated: 2018-08-30

Potential Security Impact: Remote: Code Execution

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
A potential vulnerability has been identified in Micro Focus Autopass License
Server (APLS) available as part of Micro Focus Operations Bridge
containerized suite. The vulnerability could be exploited to allow Remote
Code Execution.

References:

  - PSRT110623
  - CVE-2018-6499

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - Micro Focus Operations Bridge containerized suite 2018.05:Component:
Autopass License server 10.6.0 and below

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


Micro Focus would like to thank Lukasz Mikula for reporting the AutoPass
License Server issue to cyber-p...@microfocus.com.

RESOLUTION

Micro Focus has made the following mitigation information available to
resolve the vulnerability for the impacted versions of Autopass License
server: The defect is fixed in OpsBridge Suite 2018.05.001 patch
(OPSB_1):


HISTORY
Version:1 (rev.1) - 30 August 2018 Initial release


[security bulletin] MFSBGN03815 rev.1 - Data Center Automation Containerized (DCA) suite, remote code execution

2018-08-30 Thread cyber-psrt
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03236669

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03236669
Version: 1

MFSBGN03815 rev.1 - Data Center Automation Containerized (DCA) suite, remote
code execution

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-08-30
Last Updated: 2018-08-30

Potential Security Impact: Remote: Code Execution

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
Potential vulnerabilities have been identified in Micro Focus Autopass
License Server (APLS) and Container Deployment Foundation (CDF) available as
part of Micro Focus Data Center Automation Containerized (DCA) suite.
The vulnerabilities could be exploited to allow remote code execution.

References:

  - PSRT110625
  - CVE-2018-6498
  - CVE-2018-6499

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - Micro Focus Data Center Automation Containerized (DCA) suite From 2017.01
until 2018.05 (included)

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


Micro Focus would like to thank Lukasz Mikula for reporting the AutoPass
License Server issue to cyber-p...@microfocus.com.

RESOLUTION

Micro Focus has made the following mitigation information available to
resolve the vulnerability for the impacted versions of Data Center
Automation:
Update your DCA Containerized product to DCA Containerized 2018.08 or above
and use the link below to get the script for updating your system:


HISTORY
Version:1 (rev.1) - 30 August 2018 Initial release

Third Party Security Patches: Third party security patches that are to be 
installed on
systems running Micro Focus products should be applied in accordance with the 
customer's
patch management policy.

Support: For issues about implementing the recommendations of this Security 
Bulletin, contact normal Micro Focus services support channel.
For other issues about the content of this Security Bulletin, send e-mail to  
cyber-p...@microfocus.com.

Report: To report a potential security vulnerability for any supported product:
  Web form: https://www.microfocus.com/support-and-services/report-security
  Email: secur...@microfocus.com

Subscribe:
 To initiate receiving subscriptions for future Micro Focus Security Bulletin 
alerts via Email,  please subscribe here - 
https://softwaresupport.hpe.com/group/softwaresupport/email-notification/-/subscriptions/registerdocumentnotification
 Once you are logged in to the portal, please choose security bulletins under 
product and document types.
 Please note that you will need to sign in using a Passport account. If you do 
not have a Passport account yet, you can create one- its free and easy 
https://cf.passport.softwaregrp.com/hppcf/createuser.do

Security Bulletin Archive:
 A list of recently released Security Bulletins is available here: 
https://softwaresupport.hpe.com/security-vulnerability
 
Software Product Category: The Software Product Category is represented in
the title by the two characters following Micro Focus Security Bulletin.

3P = 3rd Party Software
GN = Micro Focus General Software
MU = Multi-Platform Software

System management and security procedures must be reviewed frequently to
maintain system integrity. Micro Focus is continually reviewing and enhancing
the security features of software products to provide customers with current
secure solutions.

"Micro Focus is broadly distributing this Security Bulletin in order to bring
to the attention of users of the affected Micro Focus products the important
security information contained in this Bulletin. Micro Focus recommends that
all users determine the applicability of this information to their individual
situations and take appropriate action. Micro Focus does not warrant that this
information is necessarily accurate or complete for all user situations and,
consequently, Micro Focus will not be responsible for any damages resulting
from user's use or disregard of the information provided in this Security
Bulletin. To the extent permitted by law, Micro Focus disclaims all
warranties, either express or implied, including the warranties of
merchantability and fitness for a particular purpose, title and
non-infringement."


Copyright 2017 EntIT Software LLC

Micro Focus shall not be liable for technical or editorial errors or omissions
contained herein. The information provided is provided "as is" without
warranty of any kind. To the extent permitted by law, neither Micro Focus nor
its affiliates, subcontractors or suppliers will be liable for incidental,
special or consequential damages including downtime cost; lost profits;
damages relating to

[security bulletin] MFSBGN03820 rev.1 - Micro Focus Hybrid Cloud Management (HCM) containerized suites, remote code execution

2018-08-30 Thread cyber-psrt
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03236722

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03236722
Version: 1

MFSBGN03820 rev.1 - Micro Focus Hybrid Cloud Management (HCM) containerized
suites, remote code execution

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-08-30
Last Updated: 2018-08-30

Potential Security Impact: Remote: Code Execution

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
A potential vulnerability has been identified in Micro Focus Autopass License
Server (APLS) available as part of Micro Focus Hybrid Cloud Management (HCM)
containerized suites.
The vulnerability could be exploited to allow Remote Code Execution.

References:

  - PSRT110627
  - CVE-2018-6499

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - Micro Focus Hybrid Cloud Management containerized suites 2017.08,
2017.11, 2018.02, 2018.05

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


Micro Focus would like to thank Lukasz Mikula for reporting the AutoPass
License Server issue to cyber-p...@microfocus.com.

RESOLUTION

Micro Focus has made the following mitigation information available to
resolve the vulnerability for the impacted versions of Micro Focus Hybrid
Cloud Management containerized suites:

HCM 2018.08 has the required fix. Customers who are on HCM 2017.08 or higher
are required to upgrade to HCM 2018.08 using the supported upgrade path.

HISTORY
Version:1 (rev.1) - 30 August 2018 Initial release


[security bulletin] MFSBGN03818 rev.1 - Micro Focus Operations Bridge containerized suite, Remote Code Execution

2018-08-30 Thread cyber-psrt
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03236678

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03236678
Version: 1

MFSBGN03818 rev.1 - Micro Focus Operations Bridge containerized suite, Remote
Code Execution

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-08-30
Last Updated: 2018-08-30

Potential Security Impact: Remote: Code Execution

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
A potential vulnerability has been identified in Micro Focus Container
Deployment Foundation (CDF) available as part of Micro Focus Operations
Bridge containerized suite.
The vulnerability could be exploited to allow Remote Code Execution.

References:

  - PSRT110626
  - CVE-2018-6498

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - Micro Focus Operations Bridge containerized suite 2017.11, 2018.02,
2018.05

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


RESOLUTION

Micro Focus has made the following mitigation information available to
resolve the vulnerability:
Please run the script available at the link
https://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/-/facetsearch/document/KM03208993

HISTORY
Version:1 (rev.1) - 30 August 2018 Initial release


[security bulletin] MFSBGN03814 rev.1 - Service Management Automation (SMA) containerized, Remote Code Execution

2018-08-30 Thread cyber-psrt
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03236667

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03236667
Version: 1

MFSBGN03814 rev.1 - Service Management Automation (SMA) containerized, Remote
Code Execution

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-08-30
Last Updated: 2018-08-30

Potential Security Impact: Remote: Code Execution

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
Potential vulnerabilities have been identified in Micro Focus Autopass
License Server (APLS) and Container Deployment Foundation (CDF) available as
part of Micro Focus Service Management Automation (SMA) containerized suites.
The vulnerabilities could be exploited to allow Remote Code Execution.

References:

  - PSRT110624
  - CVE-2018-6499
  - CVE-2018-6498

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - Micro Focus Service Management Automation (SMA) 2017.11, 2018.02, 2018.05

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


Micro Focus would like to thank Lukasz Mikula for reporting the AutoPass
License Server issue to cyber-p...@microfocus.com.

RESOLUTION

Micro Focus has made the following mitigation information available to
resolve the vulnerability for the impacted versions of Micro Focus Service
Management Automation (SMA) containerized:

For SMA 2017.11 patch releases: KM03210103
(https://softwaresupport.softwaregrp.com/km/KM03210103)

For SMA 2018.05 patch releases: KM03204500
(https://softwaresupport.softwaregrp.com/km/KM03204500)

For SMA 2018.02 patch releases: KM03146621
(https://softwaresupport.softwaregrp.com/km/KM03146621)

HISTORY
Version:1 (rev.1) - 30 August 2018 Initial release


[security bulletin] MFSBGN03813 rev.1 - Network Operations Management (NOM) Suite CDF, Remote Code Execution

2018-08-30 Thread cyber-psrt
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03236632

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03236632
Version: 1

MFSBGN03813 rev.1 - Network Operations Management (NOM) Suite CDF, Remote
Code Execution

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-08-30
Last Updated: 2018-08-30

Potential Security Impact: Remote: Code Execution

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
Potential vulnerabilities have been identified in Micro Focus Autopass
License Server (APLS) and Container Deployment Foundation (CDF) available as
part of Micro Focus Network Operations Management (NOM) Suite CDF.
The vulnerabilities could be exploited to allow Remote Code Execution.

References:

  - PSRT110621
  - CVE-2017-5647
  - CVE-2018-6498

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - Network Operations Management (NOM) Suite 2017.11, 2018.02, and 2018.05

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


Micro Focus would like to thank Lukasz Mikula for reporting the AutoPass
License Server issue to cyber-p...@microfocus.com.

RESOLUTION

Micro Focus requests that its customers replace the 2017.11, 2018.02 and
2018.05 versions of NOM Suite CDF with a fresh install of the 2018.08 version
of NOM Suite CDF.

HISTORY
Version:1 (rev.1) - 30 August 2018 Initial release


[security bulletin] MFSBGN03821 rev.1 - Micro Focus Hybrid Cloud Management (HCM) containerized suite, Remote Code Execution

2018-08-30 Thread cyber-psrt
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03236725

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03236725
Version: 1

MFSBGN03821 rev.1 - Micro Focus Hybrid Cloud Management (HCM) containerized
suite, Remote Code Execution

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-08-30
Last Updated: 2018-08-30

Potential Security Impact: Remote: Code Execution

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
A potential vulnerability has been identified in Micro Focus Container
Deployment Foundation (CDF) available as part of Micro Focus Hybrid Cloud
Management (HCM) containerized suite.
The vulnerability could be exploited to allow Remote Code Execution.

References:

  - PSRT110628
  - CVE-2018-6498

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - Micro Focus Hybrid Cloud Management containerized suites HCM 2017.11,
HCM 2018.02, HCM 2018.05

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


RESOLUTION

Micro Focus has made the following mitigation information available to
resolve the vulnerability for the impacted versions of Micro Focus Hybrid
Cloud Management containerized suites:
Please go to the link:
https://softwaresupport.softwaregrp.com/km/KM03235997

HISTORY
Version:1 (rev.1) - 30 August 2018 Initial release


[security bulletin] MFSBGN03812 rev.1 - Application Performance Management, remote cross-site tracing

2018-08-30 Thread cyber-psrt
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03235847

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03235847
Version: 1

MFSBGN03812 rev.1 - Application Performance Management, remote cross-site
tracing

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-08-29
Last Updated: 2018-08-29

Potential Security Impact: Remote: Disclosure of Information

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in Micro Focus
Application Performance Management. The vulnerability could be remotely
exploited to allow cross-site tracing and remote disclosure of information.

References:

  - PSRT110566
  - CVE-2007-3008
  - CVE-2004-2320

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - HPE Application Performance Management (APM) 9.25, 9.26, 9.30, 9.40, 9.50

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


RESOLUTION

Micro Focus has made the following software updates and mitigation information
available to resolve the vulnerability in Application Performance Management.
Please go to the link below:


HISTORY
Version:1 (rev.1) - 29 August 2018 Initial release


[security bulletin] MFSBGN03811 rev.1 - Fortify Software Security Center (SSC), Multiple vulnerabilities

2018-07-12 Thread cyber-psrt

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03201085

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03201085
Version: 1

MFSBGN03811 rev.1 - Fortify Software Security Center (SSC), Multiple
vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-07-12
Last Updated: 2018-07-12

Potential Security Impact: Remote: Denial of Service (DoS), Disclosure of
Privileged Information, Unauthorized Data Injection

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
An XML external entity (XXE) vulnerability in Fortify Software Security
Center (SSC) allows remote unauthenticated users to read arbitrary files or
conduct server-side request forgery (SSRF) attacks via a crafted DTD in an
XML request.

References:

  - PSRT110617
  - CVE-2018-12463

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - Fortify Software Security Center (SSC) - v17.1, 17.2, 18.1

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


Micro Focus would like to extend a special thanks to Alex Hernandez aka
alt3kx for responsibly disclosing this vulnerability.

RESOLUTION

Apply hotfix to SSC 17.1, 17.2, and 18.1, as applicable.  
(Download hotfix via ftp at
 or, alternatively, go
to Software Support Online at  and
log into your SSO account.)

HISTORY
Version:1 (rev.1) - 12 July 2018 Initial release


[security bulletin] MFSBGN03794 rev.2 - Micro Focus Operations Agent Multiple vulnerabilities

2018-02-28 Thread cyber-psrt

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03060544

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03060544
Version: 2

MFSBGN03794 rev.2 - Micro Focus Operations Agent Multiple vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-03-01
Last Updated: 2018-02-28

Potential Security Impact: Remote: Disclosure of Information

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in Micro Focus
Operations Agent. The vulnerabilities could be remotely exploited to allow
remote disclosure of information. At this time Micro Focus Alarm Manager uses
a vulnerable encryption infrastructure.

References:

  - CVE-2016-6329 - Sweet32

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - HPE Operations Agent - v12.00, v12.01

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


Micro Focus would like to thank Diwakar Kuntamukkala for reporting this issue
to security-al...@hpe.com

RESOLUTION

Micro Focus has made the following software updates and mitigation
information available to resolve the vulnerability in Micro Focus Operations
Agent.

Upgrade to Operations Agent 12.02 or higher; this includes fixes for the
SWEET32 vulnerability and for the Alarm Manager vulnerable encryption
infrastructure.

For Micro Focus Operations Agent and Infrastructure SPI 12.05 updates, please
visit the Software License and Downloads Portal
(http://www.hpe.com/software/entitlements).

HISTORY

Version:1 (rev.1) - 22 December 2017 Initial release

Version:2 (rev.2) - 28 February 2018 Adding new vulnerability



[security bulletin] MFSBGN03802 - Virtualization Performance Viewer (vPV) / Cloud Optimizer, Local Disclosure of Information

2018-04-13 Thread cyber-psrt

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03140487

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03140487
Version: 1

MFSBGN03802 - Virtualization Performance Viewer (vPV) / Cloud Optimizer,
Local Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-04-12
Last Updated: 2018-04-12

Potential Security Impact: Local: Disclosure of Information

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
A potential vulnerability has been identified in Micro Focus Virtualization
Performance Viewer (vPV) / Cloud Optimizer. The vulnerability could be
exploited to allow local disclosure of information.

References:

  - PSRT110609
  - CVE-2017-5753
  - CVE-2017-5715
  - CVE-2017-5754

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - HP Virtualization Performance Viewer Software 2.20, 3.0, 3.01, 3.02, 3.03
  - HPE Cloud Optimizer 2.20, 3.0, 3.01, 3.02, 3.03

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


RESOLUTION

Micro Focus is actively working with its vendors to address any systems-level
Spectre and Meltdown impacts. However, if you have immediate concerns or
questions regarding CentOS and its approach to Spectre or Meltdown, please
contact them directly.

HISTORY
Version:1 (rev.1) - 12 April 2018 Initial release


[security bulletin] MFSBGN03803 rev.1 - UCMDB, Installation File Access Control Privilege Escalation Vulnerability

2018-04-12 Thread cyber-psrt

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03141180

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03141180
Version: 1

MFSBGN03803 rev.1 - UCMDB, Installation File Access Control Privilege
Escalation Vulnerability

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-04-12
Last Updated: 2018-04-12

Potential Security Impact: Local: Escalation of Privilege

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in Micro Focus UCMDB.
The vulnerability could be remotely exploited to allow local escalation of
privilege.

References:

  - CVE-2018-6491

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - HP UCMDB Configuration Manager Software 10.20 / 10.21 / 10.22 / 10.30 /
10.31 / 10.32 / 10.33 / 11.0

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


Micro Focus would like to thank TrendyTofy of Trend Micro's Zero Day
Initiative for reporting this issue to cyber-p...@microfocus.com.

RESOLUTION

HPE has made the following software updates and mitigation information
available to resolve the vulnerability in Micro Focus UCMDB.

Please go to the link below: 


HISTORY
Version:1 (rev.1) - 12 April 2018 Initial release


[security bulletin] MFSBGN03801 rev.1 - Micro Focus Operations Orchestration, Remote Denial of Service (DoS)

2018-03-02 Thread cyber-psrt

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03103896

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03103896
Version: 1

MFSBGN03801 rev.1 - Micro Focus Operations Orchestration, Remote Denial of
Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-03-01
Last Updated: 2018-03-01

Potential Security Impact: Remote: Denial of Service (DoS)

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in Micro Focus
Operations Orchestration. The vulnerability could be remotely exploited to
allow Denial of Service (DoS).

References:

  - CVE-2018-6490 - DoS

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - HP Operations Orchestration Software - v10.x

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


Micro Focus would like to thank Jacob Baines of Tenable for reporting this
issue to security-al...@hpe.com

RESOLUTION

Micro Focus has made the following software updates and mitigation
information available to resolve the vulnerability in Operations Orchestration.

* For more information use the following link:


HISTORY
Version:1 (rev.1) - 1 March 2018 Initial release


[security bulletin] MFSBGN03827 rev.1 - Microfocus Real User Monitoring 9.4.0 BPRDownload Java Deserialization Vulnerability

2018-10-23 Thread cyber-psrt
Note: the current version of the following document is available here:
https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03272900

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03272900
Version: 1

MFSBGN03827 rev.1 - Microfocus Real User Monitoring 9.4.0 BPRDownload Java
Deserialization Vulnerability

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-10-23
Last Updated: 2018-10-23

Potential Security Impact: Remote: Arbitrary Code Execution

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
A potential vulnerability has been identified in Micro Focus Real User
Monitoring software. The vulnerability could be exploited to execute
arbitrary.

References:

  - CVE-2018-18589

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - Real User Monitoring 9.26IP, 9.30, 9.40 and 9.50

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


Micro Focus would like to thank Deapesh Misra of iDefense Labs, Accenture for
reporting this issue to cyber-p...@microfocus.com.

RESOLUTION

Micro Focus has made the following mitigation information available to
resolve the vulnerability for the impacted versions of Real User Monitor
(RUM):

https://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/-/facetsearch/document/KM03241665

HISTORY
Version:1 (rev.1) - 23 October 2018 Initial release


Subscribe:
 To initiate receiving subscriptions for future Micro Focus Security Bulletin 
alerts via Email,  please subscribe here - 
https://softwaresupport.softwaregrp.com/group/softwaresupport/email-notification/-/subscriptions/registerdocumentnotification
 Once you are logged in to the portal, please choose security bulletins under 
product and document types.
 Please note that you will need to sign in using a Passport account. If you do 
not have a Passport account yet, you can create one- its free and easy 
https://cf.passport.softwaregrp.com/hppcf/createuser.do 

Security Bulletin Archive:
 A list of recently released Security Bulletins is available here: 
https://softwaresupport.softwaregrp.com/security-vulnerability
 

[security bulletin] MFSBGN03829 rev.1 - Micro Focus Operation Bridge Containerized Suite, Remote Code Execution

2018-11-07 Thread cyber-psrt
Note: the current version of the following document is available here:
https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03283416

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03283416
Version: 1

MFSBGN03829 rev.1 - Micro Focus Operation Bridge Containerized Suite, Remote
Code Execution

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-11-07
Last Updated: 2018-11-07

Potential Security Impact: Remote: Code Execution, Disclosure of Information

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
A potential vulnerability has been identified in the Operations Bridge
Manager capability of the Micro Focus Operations Bridge containerized suite.
The vulnerability could be exploited to allow remote code execution and
information disclosure.

References:

  - CVE-2018-18590

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - Micro Focus Operations Bridge containerized suite 2017.11 until 2018.08
(Operations Bridge Manager capability)

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


RESOLUTION

Micro Focus has made the following mitigation information available to
resolve the vulnerability for the impacted versions of Micro Focus Operations
Bridge:

The procedure to exchange the CA certificate for BBC-based communication
for the Operations Bridge Manager capability needs to be executed:

https://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/-/facetsearch/document/KM03261931

HISTORY
Version:1 (rev.1) - 7 November 2018 Initial release

[security bulletin] MFSBGN03830 rev.1 - Service Manager, unauthorized disclosure of information

2018-11-13 Thread cyber-psrt
Note: the current version of the following document is available here:
https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03286177

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03286177
Version: 1

MFSBGN03830 rev.1 - Service Manager, unauthorized disclosure of information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-11-12
Last Updated: 2018-11-12

Potential Security Impact: Remote: Disclosure of Sensitive Information

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in Service Manager.
The vulnerability could be exploited to allow unauthorized disclosure of
information.

References:

  - CVE-2017-5647

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - Micro Focus Service Manager 9.30, 9.31, 9.32, 9.34, 9.34, 9.35, 9.40,
9.41, 9.50, 9.51

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


RESOLUTION

Micro Focus has made the following information available to resolve the
vulnerability for the impacted versions of Service Manager:

For versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35 please:

Upgrade to SM 9.35.P6

SM9.35 P6 packages,

SM 9.35 AIX Server 9.35.6007 p6

http://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/-/facetsearch/document/LID/HPSM_00916

SM 9.35 HP Itanium Server 9.35.6007 p6

http://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/-/facetsearch/document/LID/HPSM_00917

SM 9.35 HP Itanium Server for Oracle 12c 9.35.6007 p6

http://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/-/facetsearch/document/LID/HPSM_00918

SM 9.35 Linux Server 9.35.6007 p6

http://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/-/facetsearch/document/LID/HPSM_00919

SM 9.35 Solaris Server 9.35.6007 p6

http://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/-/facetsearch/document/LID/HPSM_00920

SM 9.35 Windows Server 9.35.6007 p6

http://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/-/facetsearch/document/LID/HPSM_00921

SM 9.35 Knowledge Management 9.35.6007 p6

http://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/-/facetsearch/document/LID/HPSM_00924

For version 9.40, 9.41 please:

Upgrade to SM 9.41.P7

SM9.41.P7 packages,

Service Manager 9.41.7001 p7 - Server for AIX

http://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/-/facetsearch/document/LID/HPSM_00925

Service Manager 9.41.7001 p7 - Server for HP-UX/IA

http://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/-/facetsearch/document/LID/HPSM_00926

Service Manager 9.41.7001 p7 - Server for Linux

http://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/-/facetsearch/document/LID/HPSM_00927

Service Manager 9.41.7001 p7 - Server for Solaris

http://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/-/facetsearch/document/LID/HPSM_00928

Service Manager 9.41.7001 p7 - Server for Windows

http://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/-/facetsearch/document/LID/HPSM_00929

Service Manager 9.41.7001 p7 - Knowledge Management

http://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/-/facetsearch/document/LID/HPSM_00933

For version 9.50, 9.51 please:

Upgrade to SM 

[security bulletin] MFSBGN03823 rev.1 - Micro Focus Service Manager, unauthorized disclosure of data

2018-11-13 Thread cyber-psrt
Note: the current version of the following document is available here:
https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03286176

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03286176
Version: 1

MFSBGN03823 rev.1 - Micro Focus Service Manager, unauthorized disclosure of
data

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-11-12
Last Updated: 2018-11-12

Potential Security Impact: Remote: Disclosure of Information

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
A potential vulnerability has been identified in Micro Focus Service Manager.
The vulnerability could be exploited to allow unauthorized disclosure of data.

References:

  - CVE-2018-18591

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - Micro Focus Service Manager 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40,
9.41, 9.50, 9.51

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


RESOLUTION

Micro Focus has made the following information available to resolve the
vulnerability for the impacted versions of Service Manager:

For versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35 please:

Upgrade to SM 9.35.P6

SM9.35 P6 packages,

SM 9.35 Web Tier 9.35.6007 p6

http://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/-/facetsearch/document/LID/HPSM_00922

For version 9.40, 9.41 please:

Upgrade to SM 9.41.P7

SM9.41.P7 packages,

Service Manager 9.41.7001 p7 - Web Tier

http://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/-/facetsearch/document/LID/HPSM_00930

For version 9.50, 9.51 please:

Upgrade to SM 9.52.P2

SM9.52.P2 packages,

Service Manager 9.52.2021 p2 - Web Tier

http://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/-/facetsearch/document/LID/HPSM_00908

HISTORY
Version:1 (rev.1) - 12 November 2018 Initial release

[security bulletin] MFSBGN03831 rev. - Service Management Automation, remote disclosure of information

2018-11-13 Thread cyber-psrt
Note: the current version of the following document is available here:
https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03286178

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03286178
Version: 1

MFSBGN03831 rev. - Service Management Automation, remote disclosure of
information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-11-12
Last Updated: 2018-11-12

Potential Security Impact: Remote: Disclosure of Information

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
A potential vulnerability has been identified in Micro Focus Service
Management Automation. The vulnerability could be exploited to allow remote
disclosure of information.

References:

  - CVE-2016-2183

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - Micro Focus Service Management Automation (SMA) 2018.05, 2018.02, 2017.11
- Component: propel-search

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


RESOLUTION

Micro Focus has made the following information available to resolve the
vulnerability for the affected versions listed above: Customers must upgrade
to SMA 2018.08 or newer.

https://entitlement.microfocus.com/mysoftware/index

HISTORY
Version:1 (rev.1) - 12 November 2018 Initial release

[security bulletin] MFSBGN03786 rev.1 - HPE Connected Backup, Local Escalation of Privilege

2017-10-16 Thread swpmb . cyber-psrt
Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/km/KM02987868

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM02987868
Version: 1

MFSBGN03786 rev.1 - HPE Connected Backup, Local Escalation of Privilege

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2017-10-13
Last Updated: 2017-10-13

Potential Security Impact: Local: Elevation of Privilege

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in the HPE Connected
Backup agent. This vulnerability could be exploited locally to allow
escalation of privilege.

References:

  - CVE-2017-14355 - Local Escalation of Privilege

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - Connected Backup - v8.6, v8.8.6

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


Micro Focus would like to thank Peter Lapp (lappsec) for reporting this issue
to security-al...@hpe.com

RESOLUTION

Micro Focus has made the following mitigation steps available to resolve the
vulnerability in the impacted versions of Connected Backup.

* **SaaS customers** - Connected Backup agent version 8.8.7.1 is available
via your Support Center

* **On-prem/licensed customers** - Connected Backup agent version 8.8.7.1 is
available at 

HISTORY
Version:1 (rev.1) - 13 October 2017 Initial release

[security bulletin] HPESBGN03773 rev.2 - HPE Application Performance Management (BSM), Remote Code Execution

2017-09-29 Thread swpmb . cyber-psrt
Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/km/KM02960811

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM02960811
Version: 2

HPESBGN03773 rev.2 - HPE Application Performance Management (BSM), Remote
Code Execution

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2017-09-29
Last Updated: 2017-09-28

Potential Security Impact: Remote: Code Execution

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in Application
Performance Management (BSM) Platform. The vulnerability could be remotely
exploited to allow code execution.

References:

  - CVE-2017-14350 - Remote Code Execution

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - HPE BSM Platform -v9.26, v9.30 and v9.40

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


Micro Focus would like to thank rgod working with Trend Micro Zero Day
Initiative (ZDI) for reporting this issue to security-al...@hpe.com

RESOLUTION

Micro Focus has made the following software updates and mitigation
information to resolve this vulnerability in Application Performance
Management (BSM) Platform.

Please visit the following link for additional information:



HISTORY

Version:1 (rev.1) - 26 September 2017 Initial release

Version:2 (rev.2) - 29 September 2017 Changed the resolution link


[security bulletin] HPESBGN03773 rev.1 - HPE Application Performance Management (BSM), Remote Code Execution

2017-09-26 Thread swpmb . cyber-psrt
Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/km/KM02960811

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM02960811
Version: 1

HPESBGN03773 rev.1 - HPE Application Performance Management (BSM), Remote
Code Execution

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2017-09-25
Last Updated: 2017-09-25

Potential Security Impact: Remote: Code Execution

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in Application
Performance Management (BSM) Platform. The vulnerability could be remotely
exploited to allow code execution.

References:

  - CVE-2017-14350 - Remote Code Execution

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - HPE BSM Platform -v9.26, v9.30 and v9.40

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


Micro Focus would like to thank rgod working with Trend Micro Zero Day
Initiative (ZDI) for reporting this issue to security-al...@hpe.com

RESOLUTION

Micro Focus has made the following software updates and mitigation
information to resolve this vulnerability in Application Performance
Management (BSM) Platform.

Please visit the following link for additional information:



* Patch for Version 9.26 can be found here:

* Patch for Version 9.30 can be found here:

* Patch for Version 9.40 can be found here:

HISTORY
Version:1 (rev.1) - 26 September 2017 Initial release

Software Product Category: The Software Product Category is represented in
the title by the two characters following Micro Focus Security Bulletin.

3C = 3COM
3P = 3rd Party Software
GN = Micro Focus General Software
MU = Multi-Platform Software
NS = Non Stop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = MF-UX
