ESA-2014-045: EMC Documentum D2 Arbitrary DQL Query Execution Vulnerability
EMC Identifier: ESA-2014-045
CVE Identifier: CVE-2014-2504

Severity: CVSSv2 Base Score: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)

Affected products:
  EMC Documentum D2 3.1 and patch versions
  EMC Documentum D2 3.1SP1 and patch versions
  EMC Documentum D2 4.0 and patch versions
  EMC Documentum D2 4.1 and patch versions
  EMC Documentum D2 4.2 and patch versions

Summary:
EMC Documentum D2 may be vulnerable to an arbitrary Documentum Query Language (DQL) query execution vulnerability.

Details:
EMC Documentum D2 contains several D2 core methods and a D2FS web service method that may allow an authenticated user to execute arbitrary DQL queries with superuser privileges. Note that the vector requires only a single authenticated account (Au:S): any user who can log in to D2 can reach the affected methods, and it is the superuser execution context, not the caller's own repository permissions, that lifts the impact to C:C/I:C/A:C.

Resolution:
The following products contain the resolution to this issue:
  EMC Documentum D2 3.1P20
  EMC Documentum D2 3.1SP1P02
  EMC Documentum D2 4.0P10
  EMC Documentum D2 4.1P13
  EMC Documentum D2 4.2P01

EMC strongly recommends all customers upgrade to these versions at the earliest opportunity.

Link to remedies:
Customers can download software from https://emc.subscribenet.com

Read and use the information in this EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact EMC Software Technical Support at 1-877-534-2867.

For an explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with a particular security vulnerability.

EMC Corporation distributes EMC Security Advisories in order to bring important security information to the attention of users of the affected EMC products. EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided as is without warranty of any kind. EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall EMC or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

EMC Product Security Response Center
security_al...@emc.com
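The advisory above describes the failure pattern of a query web service that accepts query text from the client and runs it under a superuser session. The following is an added example of the opposite design, not EMC or Documentum D2 code: the client may only name an allowlisted query and supply typed parameters, each parameter is validated or quoted before it is spliced into the server-owned DQL template, and execution goes through the caller's own session. The template names, placeholder names, the two sample queries and the `execute` callable are hypothetical; the 16-hex-digit object id shape and the doubled-quote escape for DQL string literals are Documentum DQL conventions.

```python
"""Server-owned DQL allowlist with typed parameter binding.

Added example, not EMC/Documentum D2 code. QUERY_TEMPLATES, the placeholder
names and the `execute` callable are hypothetical.
"""
import re
from typing import Any, Callable, Dict

# Allowlist of DQL the server is willing to run. Placeholders are named so a
# caller cannot reorder or omit them; the client never sends query text.
QUERY_TEMPLATES: Dict[str, str] = {
    "docs_in_folder": (
        "SELECT r_object_id, object_name FROM dm_document "
        "WHERE FOLDER(ID({folder_id}))"
    ),
    "docs_by_owner": (
        "SELECT r_object_id FROM dm_document "
        "WHERE owner_name = {owner} AND r_object_type = {obj_type}"
    ),
}

# Documentum object ids are 16 hex digits (e.g. 0900000180001234); type names
# are plain identifiers. Values for those placeholders are rejected outright
# when they do not match, rather than quoted.
_OBJECT_ID = re.compile(r"^[0-9a-f]{16}$")
_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")
_PLACEHOLDER = re.compile(r"\{(\w+)\}")


def _bind(name: str, value: Any) -> str:
    """Render one parameter as a DQL literal, or raise."""
    if name.endswith("_id"):
        if not (isinstance(value, str) and _OBJECT_ID.match(value)):
            raise ValueError(f"{name}: expected a 16-hex-digit object id")
        return f"'{value}'"
    if name == "obj_type":
        if not (isinstance(value, str) and _IDENTIFIER.match(value)):
            raise ValueError(f"{name}: expected a type name")
        return f"'{value}'"
    if isinstance(value, bool):  # bool is an int subclass; keep it out
        raise TypeError(f"{name}: booleans are not bindable here")
    if isinstance(value, int):
        return str(value)
    if isinstance(value, str):
        # DQL string literals escape an embedded quote by doubling it, so a
        # value such as  alice' OR 1=1  stays inside the literal.
        return "'" + value.replace("'", "''") + "'"
    raise TypeError(f"{name}: unsupported parameter type {type(value).__name__}")


def build_named_query(query_id: str, params: Dict[str, Any]) -> str:
    """Return the DQL for an allowlisted query with every parameter bound.

    Raises KeyError for an unknown query id and ValueError when the supplied
    parameter set does not match the template exactly (no extras, no gaps).
    """
    template = QUERY_TEMPLATES.get(query_id)
    if template is None:
        raise KeyError(f"unknown query id {query_id!r}")
    expected = set(_PLACEHOLDER.findall(template))
    if expected != set(params):
        raise ValueError(f"parameters must be exactly {sorted(expected)}")
    return template.format(**{k: _bind(k, v) for k, v in params.items()})


def run_named_query(execute: Callable[[str], Any], query_id: str,
                    params: Dict[str, Any]) -> Any:
    """Execute an allowlisted query through the *caller's* session.

    `execute` is whatever runs DQL for the authenticated user's own repository
    session (hypothetical). A shared superuser session is never reached for
    here: even a perfectly escaped query over-discloses if it runs as superuser.
    """
    return execute(build_named_query(query_id, params))
```

The two halves matter separately: binding stops the client from changing what the query says, and executing under the caller's session stops the query from returning more than that caller may see. Fixing only the first would still leave the superuser-privilege half of the advisory in place.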
[security bulletin] HPSBMU02995 rev.8 - HP Software HP Service Manager, Asset Manager, UCMDB Browser, UCMDB Configuration Manager, Executive Scorecard, Server Automation, Diagnostics, LoadRunner, and Performance Center, running OpenSSL, Remote Disclosure of Information
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04236102

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04236102
Version: 8

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2014-04-11
Last Updated: 2014-05-22

Potential Security Impact: Remote disclosure of information
Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
The Heartbleed vulnerability was detected in specific OpenSSL versions. OpenSSL is a third-party product that is embedded in some HP Software products. The objective of this bulletin is to notify HP Software customers about products affected by the Heartbleed vulnerability.

Note: The Heartbleed vulnerability (CVE-2014-0160) is a vulnerability in the OpenSSL cryptographic software library. This weakness potentially allows disclosure of information that is normally protected by the SSL/TLS protocol. The impacted products listed below are vulnerable because they embed the standard OpenSSL release.

References: CVE-2014-0160 (SSRT101499)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

Impacted Versions table

HP Service Manager
  Impacted versions: v9.32, v9.33
  Notes: Security bulletin HPSBGN03008: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04248997

HP Asset Manager
  Impacted versions: v9.40, v9.40 CSC
  Notes: Security Bulletin HPSBMU03018: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04260505

HP UCMDB Browser
  Impacted versions: v1.x, v2.x, v3.x
  Notes: Security bulletin HPSBMU03019: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04260353
  Note: APR enabled on Tomcat includes an affected OpenSSL version

HP UCMDB Configuration Manager
  Impacted versions: v9.1x, v9.2x, v9.3x, v10.01, v10.10
  Notes: Security bulletin HPSBMU03019: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04260353

HP CIT (ConnectIT)
  Impacted versions: v9.52, v9.53
  Notes: Security bulletin HPSBMU03017: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04260456

HP Executive Scorecard
  Impacted versions: v9.40, v9.41

HP Server Automation
  Impacted versions: v10.00, v10.01
  Notes: Security bulletin HPSBGN03010: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04250814

HP Diagnostics
  Impacted versions: v9.23, v9.23 IP1
  Notes: Security bulletin HPSBMU03025: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04267775

HP Business Process Monitor
  Impacted versions: v9.23, v9.24
  Notes: Security bulletin HPSBMU03044: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04307186

HP LoadRunner
  Impacted versions: v11.52, v12.0
  Notes: Security bulletin HPSBMU03040: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04286049

HP Performance Center
  Impacted versions: v11.52, v12.0
  Notes: Security bulletin HPSBMU03040: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04286049

HP Autonomy WorkSite Server
  Impacted versions: v9.0 SP1 (on-premises software)
  Notes: Security bulletin HPSBMU02999: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04239374

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference          Base Vector                    Base Score
  CVE-2014-0160      (AV:N/AC:L/Au:N/C:P/I:N/A:N)   5.0
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION
HP Software is working to address this vulnerability for all affected product versions. HP Software will release product-specific security bulletins for each impacted product. Each bulletin will include a patch and/or mitigation guideline. HP will update this bulletin with references to security bulletins for each product in the impacted versions table.

Note: OpenSSL is an external product embedded in HP products.

Bulletin Applicability: This bulletin applies to each OpenSSL component that is embedded within the HP products listed in the security bulletin. The bulletin does not apply to any other third-party application (e.g. operating system, web server, or application server) that the customer may be required to install according to instructions in the product install guide. Those components carry their own copies of OpenSSL and must be checked and patched separately.

To learn more about HP Software Incident Response, please visit http://www8.hp.com/us/en/software-solutions/enterprise-software-security-center/response-center.html

Software updates are available from HP Software Support Online at
[security bulletin] HPSBMU03025 rev.2 - HP Diagnostics running OpenSSL, Remote Disclosure of Information
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04267775

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04267775
Version: 2

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2014-04-25
Last Updated: 2014-05-21

Potential Security Impact: Remote disclosure of information
Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in HP Diagnostics running OpenSSL. OpenSSL is a third-party product that is embedded in some HP Software products. The objective of this bulletin is to notify HP Software customers about products affected by the Heartbleed vulnerability.

NOTE: The Heartbleed vulnerability (CVE-2014-0160) is a vulnerability in the OpenSSL cryptographic software library. This weakness potentially allows disclosure of information that is normally protected by the SSL/TLS protocol. The impacted products listed below are vulnerable because they embed the standard OpenSSL release.

References: CVE-2014-0160 (SSRT101539)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP Diagnostics 9.23 and 9.23 IP1

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference          Base Vector                    Base Score
  CVE-2014-0160      (AV:N/AC:L/Au:N/C:P/I:N/A:N)   5.0
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION
Customers should download the Diagnostics 9.23 IP #2 Patch from HP Software Support Online:

Diag Servers:
  Diag Server 9.23 IP2 for Linux32    http://support.openview.hp.com/selfsolve/document/LID/DIAGSRV_00062
  Diag Server 9.23 IP2 for Linux64    http://support.openview.hp.com/selfsolve/document/LID/DIAGSRV_00063
  Diag Server 9.23 IP2 for Solaris    http://support.openview.hp.com/selfsolve/document/LID/DIAGSRV_00064
  Diag Server 9.23 IP2 for Win32      http://support.openview.hp.com/selfsolve/document/LID/DIAGSRV_00065
  Diag Server 9.23 IP2 for Win64      http://support.openview.hp.com/selfsolve/document/LID/DIAGSRV_00066

Diag Collectors:
  Diag Collector 9.23 IP2 for Linux32    http://support.openview.hp.com/selfsolve/document/LID/DIAGCOL_00059
  Diag Collector 9.23 IP2 for Solaris32  http://support.openview.hp.com/selfsolve/document/LID/DIAGCOL_00060
  Diag Collector 9.23 IP2 for Unix32     http://support.openview.hp.com/selfsolve/document/LID/DIAGCOL_00061
  Diag Collector 9.23 IP2 for Windows    http://support.openview.hp.com/selfsolve/document/LID/DIAGCOL_00062

Diag Agents:
  Diag Python Agent 9.23 IP2                        http://support.openview.hp.com/selfsolve/document/LID/DIAGPRB_00109
  Diag .NET Agent 9.23 IP2 for Win32                http://support.openview.hp.com/selfsolve/document/LID/DIAGPRB_00110
  Diag .NET Agent 9.23 IP2 for Win64                http://support.openview.hp.com/selfsolve/document/LID/DIAGPRB_00111
  Diag Java Agent 9.23 IP2 for Linux/Unix/Solaris   http://support.openview.hp.com/selfsolve/document/LID/DIAGPRB_00112
  Diag Java Agent 9.23 IP2                          http://support.openview.hp.com/selfsolve/document/LID/DIAGPRB_00113
  Diag Java Agent 9.23 IP2 for zOS                  http://support.openview.hp.com/selfsolve/document/LID/DIAGPRB_00114

HP recommends completing the following action items after the patch is installed:
  - Revocation of the old key pairs that were just superseded
  - Changing potentially affected passwords
  - Invalidating all session keys and cookies

Do these in that order and only after the patched build is running: a private key loaded into a still-vulnerable process can be read out of it just as the old one could, and a session cookie issued before the patch may already have been captured from server memory.

Bulletin Applicability: This bulletin applies to each OpenSSL component that is embedded within the HP products listed in the security bulletin. The bulletin does not apply to any other third-party application (e.g. operating system, web server, or application server) that the customer may be required to install according to instructions in the product install guide.

To learn more about HP Software Incident Response, please visit http://www8.hp.com/us/en/software-solutions/enterprise-software-security-center/response-center.html

Software updates are available from HP Software Support Online at http://support.openview.hp.com/downloads.jsp

HISTORY
Version:1 (rev.1) - 25 April 2014 - Initial release
Version:2 (rev.2) - 21 May 2014 - Added table with pointer for Diagnostics 9.23 IP #2 Patch

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact the normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability
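Both HP bulletins above say which product versions embed an affected OpenSSL, but an operator still has to decide, host by host, whether the library actually in use is in the Heartbleed range. The following is an added triage helper, not HP code: it reads the text of `openssl version -a` (or the version banner a product ships) and classifies the build. The affected range (OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1; fixed in 1.0.1g and 1.0.2-beta2; 0.9.8 and 1.0.0 never had the TLS heartbeat code) and the `OPENSSL_NO_HEARTBEATS` build flag are OpenSSL facts. The host names and version strings in `SAMPLES` are constructed for the example.

```python
"""Heartbleed (CVE-2014-0160) version triage from `openssl version -a` text.

Added example, not HP code. SAMPLES is a constructed inventory.
"""
import re
from typing import Dict, List, Tuple

_VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", re.IGNORECASE
)


def heartbleed_status(version_output: str) -> Tuple[str, str]:
    """Classify a build as 'vulnerable', 'not-vulnerable' or 'unknown'.

    Pass the whole output of `openssl version -a` when you have it: the
    compiler line shows -DOPENSSL_NO_HEARTBEATS, which removes the heartbeat
    handler regardless of version. Otherwise the verdict is by version string
    only. A vendor that backported the fix without bumping the letter (common
    in distribution packages) still shows as 'vulnerable' here, so confirm
    against the vendor's bulletin or with a handshake test before acting.
    """
    if "OPENSSL_NO_HEARTBEATS" in version_output:
        return "not-vulnerable", "built with OPENSSL_NO_HEARTBEATS"
    m = _VERSION_RE.search(version_output)
    if not m:
        return "unknown", "no OpenSSL version string found"
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4).lower()
    beta = m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        if letter <= "f":  # '' (plain 1.0.1) sorts before 'a'
            return "vulnerable", f"1.0.1{letter} is in the affected range 1.0.1 to 1.0.1f"
        return "not-vulnerable", f"1.0.1{letter} is 1.0.1g or later"
    if (major, minor, patch) == (1, 0, 2):
        if beta == "1":
            return "vulnerable", "1.0.2-beta1 is affected"
        return "not-vulnerable", "1.0.2-beta2 and later contain the fix"
    if (major, minor, patch) < (1, 0, 1):
        return "not-vulnerable", "releases before 1.0.1 have no heartbeat extension"
    return "not-vulnerable", "release series newer than 1.0.2 postdate the fix"


# Constructed sample inventory (host -> `openssl version -a` text); not real hosts.
SAMPLES: Dict[str, str] = {
    "diag-server-01": "OpenSSL 1.0.1e 11 Feb 2013\ncompiler: gcc -O3 -DOPENSSL_THREADS",
    "diag-server-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "lr-controller": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "legacy-ucmdb": "OpenSSL 0.9.8y 5 Feb 2013",
    "hardened-build": "OpenSSL 1.0.1e-fips 11 Feb 2013\ncompiler: gcc -DOPENSSL_NO_HEARTBEATS",
    "unknown-box": "bash: openssl: command not found",
}


def hosts_to_patch(inventory: Dict[str, str]) -> List[str]:
    """Hosts whose embedded OpenSSL is in the affected range, sorted by name."""
    return sorted(h for h, out in inventory.items()
                  if heartbleed_status(out)[0] == "vulnerable")


if __name__ == "__main__":
    for host, out in SAMPLES.items():
        verdict, reason = heartbleed_status(out)
        print(f"{host:16s} {verdict:15s} {reason}")
    print("patch:", hosts_to_patch(SAMPLES))
```

Treat 'unknown' hosts as work, not as clean: a product that bundles its own OpenSSL (the case these bulletins describe) often does not put it on the PATH, so the banner has to be pulled from the product's own library directory.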
[SECURITY] [DSA 2936-1] torque security update
Debian Security Advisory DSA-2936-1                   secur...@debian.org
http://www.debian.org/security/                       Salvatore Bonaccorso
May 23, 2014                                          http://www.debian.org/security/faq

Package        : torque
CVE ID         : CVE-2014-0749
Debian Bug     : 748827

John Fitzpatrick from MWR Labs reported a stack-based buffer overflow vulnerability in torque, a PBS-derived batch processing queueing system. An unauthenticated remote attacker could exploit this flaw to execute arbitrary code with root privileges.

For the oldstable distribution (squeeze), this problem has been fixed in version 2.4.8+dfsg-9squeeze4.

For the stable distribution (wheezy), this problem has been fixed in version 2.4.16+dfsg-1+deb7u3.

For the unstable distribution (sid), this problem has been fixed in version 2.4.16+dfsg-1.4.

We recommend that you upgrade your torque packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
ESA-2014-021: RSA Archer® GRC Multiple Cross-Site Scripting Vulnerabilities
EMC Identifier: ESA-2014-021
CVE Identifier: CVE-2014-0639

Severity Rating: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Affected Products: RSA Archer version 5.x

Summary:
RSA Archer GRC 5.4 SP1 P3 platform contains fixes for multiple cross-site scripting vulnerabilities that could potentially be exploited by malicious users to compromise the affected system.

Details:
RSA Archer GRC 5.4 SP1 P3 platform contains fixes for multiple cross-site scripting vulnerabilities. These vulnerabilities can be exploited to execute arbitrary HTML and script code in an RSA Archer user's browser session in the context of an affected RSA Archer application.

Recommendation:
RSA strongly recommends all customers upgrade to RSA Archer GRC 5.4 SP1 P3 at their earliest opportunity.
  · 5.4 SP1 P3 installers are available through RSA SecurCare Online (SCOL) https://knowledge.rsasecurity.com.
  · For additional information on fixes and steps to reduce risk, see the RSA Archer GRC ESA-2014-021 FAQ in the documentation section of SCOL.

Severity Rating:
For an explanation of Severity Ratings, refer to the Knowledge Base Article, Security Advisories Severity Rating at https://knowledge.rsasecurity.com/scolcms/knowledge.aspx?solution=a46604. RSA recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with a particular security vulnerability.

Obtaining Downloads:
To obtain the latest RSA product downloads, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com and click Products in the top navigation menu. Select the specific product whose download you want to obtain. Scroll to the section for the product download that you want and click on the link.

Obtaining Documentation:
To obtain the Platform documentation, log on to RSA Archer Community at https://community.emc.com/community/connect/grc_ecosystem/rsa_archer and click Documents in the top navigation menu. Select the specific category and the version tag of the Platform version you want. Scroll to the document that you want and click the document name. If you have any questions on the Community, please email archer_commun...@emc.com.

Obtaining More Information:
For more information about RSA Archer GRC in general, visit the public RSA web site at http://www.emc.com/security/rsa-archer.htm.
RSA Archer Community/Exchange: https://community.emc.com/community/connect/grc_ecosystem/rsa_archer

Getting Support and Service:
For customers with current maintenance contracts, contact your local RSA Customer Support center with any additional questions regarding this RSA SecurCare Note. For contact telephone numbers or e-mail addresses, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com, click Help Contact, and then click the Contact Us - Phone tab or the Contact Us - Email tab.

General Customer Support Information: http://www.emc.com/support/rsa/index.htm
RSA SecurCare Online: https://knowledge.rsasecurity.com

EOPS Policy:
RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the link below for additional details.
http://www.emc.com/support/rsa/eops/index.htm

SecurCare Online Security Advisories
RSA, The Security Division of EMC, distributes SCOL Security Advisories in order to bring important security information to the attention of users of the affected RSA products. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided as is without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

About RSA SecurCare Notes Security Advisories Subscription
RSA SecurCare Notes Security Advisories are targeted e-mail messages that RSA sends