SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   HPE Intelligent Management Center Vendors:   HPE
HPE Intelligent Management Center PLAT Multiple JSF Expression Language Injection Flaws Let Remote Authenticated Users Execute Arbitrary Code on the Target System
SecurityTracker Alert ID:  1039152
SecurityTracker URL:  http://securitytracker.com/id/1039152
CVE Reference:   CVE-2017-12487, CVE-2017-12488, CVE-2017-12489, CVE-2017-12490, CVE-2017-12491, CVE-2017-12492, CVE-2017-12493, CVE-2017-12494, CVE-2017-12495, CVE-2017-12496, CVE-2017-12497, CVE-2017-12498, CVE-2017-12499, CVE-2017-12500, CVE-2017-12501, CVE-2017-12502, CVE-2017-12503, CVE-2017-12504, CVE-2017-12505, CVE-2017-12506, CVE-2017-12507, CVE-2017-12508, CVE-2017-12509, CVE-2017-12510, CVE-2017-12511, CVE-2017-12512, CVE-2017-12513, CVE-2017-12514, CVE-2017-12515, CVE-2017-12516, CVE-2017-12517, CVE-2017-12518, CVE-2017-12519, CVE-2017-12520, CVE-2017-12521, CVE-2017-12522, CVE-2017-12523, CVE-2017-12524, CVE-2017-12525, CVE-2017-12526, CVE-2017-12527, CVE-2017-12528, CVE-2017-12529, CVE-2017-12530, CVE-2017-12531, CVE-2017-12532, CVE-2017-12533, CVE-2017-12534, CVE-2017-12535, CVE-2017-12536, CVE-2017-12537, CVE-2017-12538, CVE-2017-12539, CVE-2017-12540, CVE-2017-12541   (Links to External Site)
Date:  Aug 15 2017
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): iMC PLAT 7.3 (E0504)
Description:   Multiple vulnerabilities were reported in HPE Intelligent Management Center PLAT. A remote authenticated user can execute arbitrary code on the target system.

A remote authenticated user can send specially crafted beanName parameter values to exploit an input validation flaw and inject Java Server Faces (JSF) expressions and execute arbitrary code on the target system. The code will run with System privileges.

The original advisories are available at:

https://www.zerodayinitiative.com/advisories/ZDI-17-690
https://www.zerodayinitiative.com/advisories/ZDI-17-689
https://www.zerodayinitiative.com/advisories/ZDI-17-688
https://www.zerodayinitiative.com/advisories/ZDI-17-687
https://www.zerodayinitiative.com/advisories/ZDI-17-686
https://www.zerodayinitiative.com/advisories/ZDI-17-685
https://www.zerodayinitiative.com/advisories/ZDI-17-684
https://www.zerodayinitiative.com/advisories/ZDI-17-683
https://www.zerodayinitiative.com/advisories/ZDI-17-682
https://www.zerodayinitiative.com/advisories/ZDI-17-681
https://www.zerodayinitiative.com/advisories/ZDI-17-680
https://www.zerodayinitiative.com/advisories/ZDI-17-679
https://www.zerodayinitiative.com/advisories/ZDI-17-678
https://www.zerodayinitiative.com/advisories/ZDI-17-677
https://www.zerodayinitiative.com/advisories/ZDI-17-676
https://www.zerodayinitiative.com/advisories/ZDI-17-675
https://www.zerodayinitiative.com/advisories/ZDI-17-674
https://www.zerodayinitiative.com/advisories/ZDI-17-673
https://www.zerodayinitiative.com/advisories/ZDI-17-672
https://www.zerodayinitiative.com/advisories/ZDI-17-671
https://www.zerodayinitiative.com/advisories/ZDI-17-670
https://www.zerodayinitiative.com/advisories/ZDI-17-669
https://www.zerodayinitiative.com/advisories/ZDI-17-668
https://www.zerodayinitiative.com/advisories/ZDI-17-667
https://www.zerodayinitiative.com/advisories/ZDI-17-666
https://www.zerodayinitiative.com/advisories/ZDI-17-665
https://www.zerodayinitiative.com/advisories/ZDI-17-664
https://www.zerodayinitiative.com/advisories/ZDI-17-663
https://www.zerodayinitiative.com/advisories/ZDI-17-662
https://www.zerodayinitiative.com/advisories/ZDI-17-661
https://www.zerodayinitiative.com/advisories/ZDI-17-660
https://www.zerodayinitiative.com/advisories/ZDI-17-659
https://www.zerodayinitiative.com/advisories/ZDI-17-658
https://www.zerodayinitiative.com/advisories/ZDI-17-657
https://www.zerodayinitiative.com/advisories/ZDI-17-656
https://www.zerodayinitiative.com/advisories/ZDI-17-655
https://www.zerodayinitiative.com/advisories/ZDI-17-654
https://www.zerodayinitiative.com/advisories/ZDI-17-653
https://www.zerodayinitiative.com/advisories/ZDI-17-652
https://www.zerodayinitiative.com/advisories/ZDI-17-651

Steven Seeley (mr_me) (via Trend Micro's Zero Day Initiative) reported these vulnerabilities.
Impact:   A remote authenticated user can execute arbitrary code with System level privileges on the target system.
Solution:   HPE has issued a fix (iMC PLAT 7.3 (E0506)).

The HPE advisory is available at:

http://h20565.www2.hpe.com/hpsc/doc/public/display?docId=hpesbhf03768en_us
Vendor URL:  h20565.www2.hpe.com/hpsc/doc/public/display?docId=hpesbhf03768en_us (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Red Hat Enterprise), Windows (Any)

Message History:   None.

 Source Message Contents
Subject:  http://h20565.www2.hpe.com/hpsc/doc/public/display?docId=hpesbhf03768en_us


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC