SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01205079
Version: 1
HPSBMA02279 SSRT071298 rev.1 - HP OpenView Configuration Management (CM) Infrastructure (Radia) and Client Configuration Manager (CCM) Running httpd.tkd, Remote Unauthorized Access to Data
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2007-10-23
Last Updated: 2007-10-23
vulnerable to CSRF, not just the ones listed below. It is recommended to
upgrade to version 2009R1.2C or later.
Exploiting the identified vulnerabilities requires that the nagiosadmin
be logged into the web interface. Note that the admin does not have to
be logged into the configuration manager; the attacker can accomplish
that themselves.
Technical Details
Impact: Refer to the CVE identifiers for details.
Summary: Multiple security risks exist in Apache Tomcat as
included with CA Cohesion Application Configuration Manager. CA
has issued an update to address the vulnerabilities. Refer to the
References section for the full list of resolved issues by CVE
identifier.
Severity: CA has given this vulnerability a Medium risk rating.
Affected Products:
CA Cohesion Application Configuration Manager 4.5
CA CMDB Application Server 11.1
Unicenter Service Desk 11.2
Non-Affected Products
// Files", Add -> New Item
// 10. Choose "Module-Definition File (.def)" and enter
// "iebsfix1.def" for the name
// 11. Paste everything in the block comment below (between the
// rows of ****'s) into the new .def file
// 12. Build -> Configuration Manager; for "Active solution
// configuration", choose "Release"
// 13. For maximum portability, Project -> Properties,
// Configuration Properties: C/C++: Code Generation: set
// "Runtime Library" to "Multi-threaded (/MT)"; this will
// keep iebsfix1.dll from requiring MSVCR*.DLL
* Cisco Video Surveillance SP/ISP Decoder Software firmware version 1.11.0 and earlier
* Cisco Video Surveillance SP/ISP firmware version 1.23.7 and earlier
Users should consult their Stream Manager configuration management
tool to determine the versions of firmware installed on deployed video
surveillance devices.
Products Confirmed Not Vulnerable
+--------------------------------
1) Introduction
===============
From vendor's website:
"Perforce SCM (Software Configuration Management) versions and manages
source code and digital assets for enterprises large and small."
#######################################################################
From vendor's website:
"Borland® StarTeam® is a fully integrated, cost-effective software
change and configuration management tool, designed for both centralized
and geographically distributed software development environments."
#######################################################################
ZDI-10-078: Novell ZENworks Configuration Management UploadServlet Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-078
April 23, 2010
-- Affected Vendors:
Novell
-- Affected Products:
Novell Zenworks
ZDI-10-090: Novell ZENworks Configuration Management Preboot Service Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-090
June 1, 2010
-- Affected Vendors:
Novell
-- Affected Products:
Novell Zenworks
http://www.tippingpoint.com
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Novell Zenworks Configuration Manager.
Authentication is not required to exploit this vulnerability.
The flaw exists within the novell-tftp.exe component which listens by
default on UDP port 69. When handling a request the process blindly
copies user supplied data into a fixed-length buffer on the heap. A