
CERT Coordination Center

HP ArcSight Logger contains multiple vulnerabilities

Vulnerability Note VU#842252

Original Release Date: 2015-10-19 | Last Revised: 2015-10-26

Overview

HP ArcSight Logger contains multiple vulnerabilities, allowing authentication bypass and privilege escalation in certain scenarios.

Description

CWE-285: Improper Authorization - CVE-2015-2136

A remote authenticated user without Logger Search permissions may be able to bypass authorization and perform searches via the SOAP interface.

According to the reporter, ArcSight Logger 6.0.0.7307.1 is affected, and other versions may also be affected.
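The pattern behind this class of bug (CWE-285) is an authorization check that lives in one front end and is missing from a second entry point to the same backend. The following is an added illustration, not ArcSight code: a constructed search backend with a GUI handler and a SOAP handler, shown first with the check only in the GUI path and then with the check moved into a shared service layer that every interface must pass through. The user model, permission name and sample events are assumptions.

```python
"""Added example (not ArcSight code): missing authorization on an alternate
interface, and the fix of enforcing it once in a shared service layer."""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)


# Constructed sample event store standing in for the Logger search backend.
EVENTS = [
    "2015-10-19T10:00:01 sshd[1]: Failed password for root from 10.0.0.5",
    "2015-10-19T10:00:07 sshd[1]: Accepted password for admin from 10.0.0.9",
]


def backend_search(query: str) -> list:
    """Raw search with no access control: the layer both interfaces reach."""
    return [e for e in EVENTS if query in e]


# --- Vulnerable layout: the permission check exists only in the GUI handler.
def gui_search_vulnerable(user: User, query: str) -> list:
    if "search" not in user.permissions:
        raise PermissionError(f"{user.name} lacks Search permission")
    return backend_search(query)


def soap_search_vulnerable(user: User, query: str) -> list:
    # Caller is authenticated (we have a User) but never authorized,
    # so any valid account can search through this interface.
    return backend_search(query)


# --- Hardened layout: authorization is enforced in one place, below every
# interface, so a new or forgotten entry point cannot skip it.
def authorized_search(user: User, query: str) -> list:
    if "search" not in user.permissions:
        raise PermissionError(f"{user.name} lacks Search permission")
    return backend_search(query)


def gui_search(user: User, query: str) -> list:
    return authorized_search(user, query)


def soap_search(user: User, query: str) -> list:
    return authorized_search(user, query)


def compare_interfaces() -> dict:
    """Run the same low-privilege account through both layouts."""
    analyst = User("analyst", {"search"})
    viewer = User("viewer", set())  # authenticated, but no Search permission
    result = {"gui_analyst": len(gui_search(analyst, "Failed"))}
    # Vulnerable SOAP path: the viewer gets results it should not see.
    result["soap_vuln_viewer"] = len(soap_search_vulnerable(viewer, "Failed"))
    for label, fn in (("gui_vuln_viewer", gui_search_vulnerable),
                      ("soap_fixed_viewer", soap_search)):
        try:
            fn(viewer, "Failed")
            result[label] = "allowed"
        except PermissionError:
            result[label] = "denied"
    return result


if __name__ == "__main__":
    print(compare_interfaces())
```

The point of the hardened layout is that the check is not duplicated per interface; it is the only way to reach `backend_search`, so auditing authorization means auditing one function.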

CWE-307: Improper Restriction of Excessive Authentication Attempts - CVE-2015-6029

Incorrect login attempts via the SOAP interface are neither logged nor counted toward account lockout, unlike attempts through the standard web GUI. This may allow a remote unauthenticated attacker to guess passwords by brute force without triggering a lockout or an alert.

According to the reporter, ArcSight Logger 6.0.0.7307.1 is affected, and other versions may also be affected.

CWE-653: Insufficient Compartmentalization - CVE-2015-6030

Several key ArcSight files are owned by the arcsight user but are executed with root privileges. Because the owner can modify those files, a user with arcsight credentials may be able to escalate privileges to root when the files are next run.

According to the reporter, ArcSight Logger 6.0.0.7307.1, ArcSight Command Center 6.8.0.1896.0, and ArcSight Connector Appliance 6.4.0.6881.3 are affected. Other versions may also be affected. ArcSight SmartConnector for UNIX-like systems may also be affected.
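The condition to check for on an installed system is any file that a root-run process executes (service wrappers, init scripts, cron jobs) that is owned by a non-root account or writable by group or other. The following audit is an added example, not part of this note or of ArcSight: it takes a list of such paths and reports each one a less-privileged user could alter. The paths in the built-in demo are constructed in a temporary directory; on a real host the list would be built from the ArcSight service scripts (typically under /opt/arcsight, an assumption here).

```python
"""Added example: audit files executed as root for non-root ownership or
write access by others. Paths used in demo() are constructed, not real."""
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    reason: str


def audit_root_executed(paths, trusted_uids=frozenset({0})):
    """Return a Finding for every path that root would execute but that an
    account outside `trusted_uids` could modify or replace."""
    findings = []
    for p in paths:
        try:
            st = os.lstat(p)
        except FileNotFoundError:
            findings.append(Finding(p, "missing (dangling reference)"))
            continue
        if stat.S_ISLNK(st.st_mode):
            # A link owned by root can still point into writable space.
            findings.append(Finding(p, "symlink; check the target separately"))
            continue
        if st.st_uid not in trusted_uids:
            findings.append(Finding(p, f"owned by uid {st.st_uid}, not root"))
        if st.st_mode & stat.S_IWGRP:
            findings.append(Finding(p, "group-writable"))
        if st.st_mode & stat.S_IWOTH:
            findings.append(Finding(p, "world-writable"))
    return findings


def demo():
    """Build a constructed install tree in a temp dir and audit it.
    Returns the findings by basename plus whether we run as root, since
    the ownership finding depends on who created the files."""
    d = tempfile.mkdtemp(prefix="arcsight-audit-")

    def mk(name, mode):
        p = os.path.join(d, name)
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\necho started\n")
        os.chmod(p, mode)
        return p

    paths = [
        mk("loggerd", 0o755),      # correct permissions for the owner
        mk("wrapper.sh", 0o777),   # anyone on the box can rewrite this
        os.path.join(d, "missing.sh"),
    ]
    findings = audit_root_executed(paths)
    return {
        "running_as_root": os.getuid() == 0,
        "reasons": sorted((os.path.basename(f.path), f.reason) for f in findings),
    }


if __name__ == "__main__":
    for name, why in demo()["reasons"]:
        print(f"{name}: {why}")
```

On a real system, feed the function the absolute paths referenced from the root-run service scripts; the remediation for a hit is the vendor update, or, until it is available, restoring root ownership and removing group/other write bits, while confirming that the arcsight-run components still start.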

The CVSS score below is based on CVE-2015-2136. While the Insufficient Compartmentalization issue could be serious, the arcsight user credentials appear in practice to be known only to system administrators, which greatly lessens its severity. Evidence of another way to obtain arcsight credentials would change this assessment.

Impact

An authenticated remote user without ArcSight Logger search privileges may be able to perform Logger searches. An unauthenticated remote user may be able to brute force guess a password without triggering any alerts. A user with arcsight credentials may be able to execute commands with the privileges of root.

Solution

Apply an update

HP has released HP ArcSight Logger v6.0 P2 addressing CVE-2015-2136 and CVE-2015-6029. Affected users should update as soon as possible to ArcSight Logger v6.0 P2 or a subsequent release. HP has also released a Security Bulletin regarding CVE-2015-6029.

HP has begun to roll out updates addressing the remaining issues on all supported platforms, and expects to have all updates available by the end of October 2015. In the meantime, consider the following workarounds:

Restrict access to the system and network

Restrict access to the arcsight user account, since the privilege escalation requires its credentials. Network monitoring of requests to the SOAP interface may help detect brute force password attempts that Logger itself does not log.

Vendor Information


Hewlett-Packard Company Affected

Notified: July 20, 2015 | Updated: September 08, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group          Score  Vector
Base           4.0    AV:N/AC:L/Au:S/C:P/I:N/A:N
Temporal       3.1    E:POC/RL:OF/RC:C
Environmental  2.3    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Acknowledgements

Thanks to Hubert Mach and Julian Horoszkiewicz for reporting these issues to us.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2015-2136, CVE-2015-6029, CVE-2015-6030
Date Public: 2015-10-19
Date First Published: 2015-10-19
Date Last Updated: 2015-10-26 05:00 UTC
Document Revision: 53

Sponsored by CISA.