SecurityTracker.com
Category:   Application (Generic)  >   HPE Intelligent Management Center
Vendors:   HPE
HPE Intelligent Management Center PLAT Multiple JSF Expression Language Injection Flaws Let Remote Authenticated Users Execute Arbitrary Code on the Target System
SecurityTracker Alert ID:  1039152
SecurityTracker URL:  http://securitytracker.com/id/1039152
CVE Reference:   CVE-2017-12487, CVE-2017-12488, CVE-2017-12489, CVE-2017-12490, CVE-2017-12491, CVE-2017-12492, CVE-2017-12493, CVE-2017-12494, CVE-2017-12495, CVE-2017-12496, CVE-2017-12497, CVE-2017-12498, CVE-2017-12499, CVE-2017-12500, CVE-2017-12501, CVE-2017-12502, CVE-2017-12503, CVE-2017-12504, CVE-2017-12505, CVE-2017-12506, CVE-2017-12507, CVE-2017-12508, CVE-2017-12509, CVE-2017-12510, CVE-2017-12511, CVE-2017-12512, CVE-2017-12513, CVE-2017-12514, CVE-2017-12515, CVE-2017-12516, CVE-2017-12517, CVE-2017-12518, CVE-2017-12519, CVE-2017-12520, CVE-2017-12521, CVE-2017-12522, CVE-2017-12523, CVE-2017-12524, CVE-2017-12525, CVE-2017-12526, CVE-2017-12527, CVE-2017-12528, CVE-2017-12529, CVE-2017-12530, CVE-2017-12531, CVE-2017-12532, CVE-2017-12533, CVE-2017-12534, CVE-2017-12535, CVE-2017-12536, CVE-2017-12537, CVE-2017-12538, CVE-2017-12539, CVE-2017-12540, CVE-2017-12541
Date:  Aug 15 2017
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): iMC PLAT 7.3 (E0504)
Description:   Multiple vulnerabilities were reported in HPE Intelligent Management Center PLAT. A remote authenticated user can execute arbitrary code on the target system.

A remote authenticated user can send specially crafted beanName parameter values to exploit an input validation flaw, inject JavaServer Faces (JSF) expression language expressions, and execute arbitrary code on the target system. The code will run with System privileges.
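For defenders triaging web access logs on an unpatched server, the following added example (not part of the advisory and not HPE code) flags beanName query values that carry expression language delimiters, including percent-encoded and double-encoded forms. The request path, bean names and log lines are constructed, and treating a legitimate bean name as a plain identifier is an assumption.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Assumption: a legitimate bean name is a plain Java-style identifier.
SAFE_BEAN = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")
EL_OPEN = re.compile(r"[#$]\{")  # deferred "#{" and immediate "${" openers
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (placeholder path, documentation IP range).
SAMPLE_LOG = [
    '192.0.2.10 - alice [15/Aug/2017:10:00:00 +0000] "GET /example/view.xhtml?beanName=deviceBean HTTP/1.1" 200 512',
    '192.0.2.11 - bob [15/Aug/2017:10:00:05 +0000] "GET /example/view.xhtml?beanName=%23%7B7*7%7D HTTP/1.1" 200 512',
    '192.0.2.11 - bob [15/Aug/2017:10:00:09 +0000] "GET /example/view.xhtml?beanName=%2523%257B7*7%257D HTTP/1.1" 200 512',
    '192.0.2.12 - carol [15/Aug/2017:10:01:00 +0000] "GET /example/view.xhtml?beanName=..%2Fadmin HTTP/1.1" 404 0',
]

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so %2523%257B still resolves to '#{'."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_bean_name(raw):
    """Return 'el-injection', 'malformed' or 'ok' for one beanName value."""
    value = fully_decode(raw)
    if EL_OPEN.search(value):
        return "el-injection"
    if not SAFE_BEAN.match(value):
        return "malformed"
    return "ok"

def scan(lines):
    """Return (line number, verdict, decoded value) for suspicious requests."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        # Split on '?' by hand: a raw '#' must stay in the value, not become a fragment.
        query = m.group(1).partition("?")[2]
        for key, val in parse_qsl(query, keep_blank_values=True):
            if key == "beanName" and classify_bean_name(val) != "ok":
                findings.append((lineno, classify_bean_name(val), fully_decode(val)))
    return findings

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Access logs normally record only the query string, so values sent in a POST body need the same check applied at a proxy or WAF that can see the body.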

The original advisories are available at:

https://www.zerodayinitiative.com/advisories/ZDI-17-690
https://www.zerodayinitiative.com/advisories/ZDI-17-689
https://www.zerodayinitiative.com/advisories/ZDI-17-688
https://www.zerodayinitiative.com/advisories/ZDI-17-687
https://www.zerodayinitiative.com/advisories/ZDI-17-686
https://www.zerodayinitiative.com/advisories/ZDI-17-685
https://www.zerodayinitiative.com/advisories/ZDI-17-684
https://www.zerodayinitiative.com/advisories/ZDI-17-683
https://www.zerodayinitiative.com/advisories/ZDI-17-682
https://www.zerodayinitiative.com/advisories/ZDI-17-681
https://www.zerodayinitiative.com/advisories/ZDI-17-680
https://www.zerodayinitiative.com/advisories/ZDI-17-679
https://www.zerodayinitiative.com/advisories/ZDI-17-678
https://www.zerodayinitiative.com/advisories/ZDI-17-677
https://www.zerodayinitiative.com/advisories/ZDI-17-676
https://www.zerodayinitiative.com/advisories/ZDI-17-675
https://www.zerodayinitiative.com/advisories/ZDI-17-674
https://www.zerodayinitiative.com/advisories/ZDI-17-673
https://www.zerodayinitiative.com/advisories/ZDI-17-672
https://www.zerodayinitiative.com/advisories/ZDI-17-671
https://www.zerodayinitiative.com/advisories/ZDI-17-670
https://www.zerodayinitiative.com/advisories/ZDI-17-669
https://www.zerodayinitiative.com/advisories/ZDI-17-668
https://www.zerodayinitiative.com/advisories/ZDI-17-667
https://www.zerodayinitiative.com/advisories/ZDI-17-666
https://www.zerodayinitiative.com/advisories/ZDI-17-665
https://www.zerodayinitiative.com/advisories/ZDI-17-664
https://www.zerodayinitiative.com/advisories/ZDI-17-663
https://www.zerodayinitiative.com/advisories/ZDI-17-662
https://www.zerodayinitiative.com/advisories/ZDI-17-661
https://www.zerodayinitiative.com/advisories/ZDI-17-660
https://www.zerodayinitiative.com/advisories/ZDI-17-659
https://www.zerodayinitiative.com/advisories/ZDI-17-658
https://www.zerodayinitiative.com/advisories/ZDI-17-657
https://www.zerodayinitiative.com/advisories/ZDI-17-656
https://www.zerodayinitiative.com/advisories/ZDI-17-655
https://www.zerodayinitiative.com/advisories/ZDI-17-654
https://www.zerodayinitiative.com/advisories/ZDI-17-653
https://www.zerodayinitiative.com/advisories/ZDI-17-652
https://www.zerodayinitiative.com/advisories/ZDI-17-651

Steven Seeley (mr_me) (via Trend Micro's Zero Day Initiative) reported these vulnerabilities.

Impact:   A remote authenticated user can execute arbitrary code with System level privileges on the target system.
Solution:   HPE has issued a fix (iMC PLAT 7.3 (E0506)).

The HPE advisory is available at:

http://h20565.www2.hpe.com/hpsc/doc/public/display?docId=hpesbhf03768en_us

Vendor URL:  h20565.www2.hpe.com/hpsc/doc/public/display?docId=hpesbhf03768en_us
Cause:   Input validation error
Underlying OS:  Linux (Red Hat Enterprise), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  http://h20565.www2.hpe.com/hpsc/doc/public/display?docId=hpesbhf03768en_us

 
 



Copyright 2017, SecurityGlobal.net LLC