ID

VAR-201504-0559


CVE

CVE-2014-7886


TITLE

Hewlett-Packard Network Automation contains multiple vulnerabilities

Trust: 0.8

sources: CERT/CC: VU#750060

DESCRIPTION

HP Network Automation has multiple vulnerabilities in the web administration screen. HP Network Automation contains multiple vulnerabilities, including cross-site request forgery, cross-site scripting, and clickjacking issues. For more information, see the HP security bulletin: http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04574207

A remote third party may induce a user to send unintended management requests to the server, which may result in privilege escalation, information leakage, code execution, or service interruption (DoS).

** ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04574207

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04574207
Version: 1

HPSBMU03264 rev.1 - HP Network Automation, Multiple Remote Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

References: CVE-2014-7886, VU#750060, SSRT101865

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

Note: Customers running Network Automation v9.0X and v9.1X should upgrade to v09.22.02 to resolve these issues.

Network Automation Patch v09.22.02: NA_00027
https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01512941

Network Automation Patch v10.00.01: NA_00028
https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01512943

See Knowledge Document for further configuration information:
https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01411842

HISTORY
Version:1 (rev.1) - 15 April 2015 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.

3C = 3COM; 3P = 3rd Party Software; GN = HP General Software; HF = HP Hardware and Firmware; MP = MPE/iX; MU = Multi-Platform Software; NS = NonStop Servers; OV = OpenVMS; PI = Printing and Imaging; PV = ProCurve; ST = Storage Software; TU = Tru64 UNIX; UX = HP-UX

Copyright 2015 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

Trust: 2.25

sources: CERT/CC: VU#750060 // JVNDB: JVNDB-2015-002378 // CNVD: CNVD-2015-02759 // IVD: cc53ce32-2351-11e6-abef-000c29c66e3d // PACKETSTORM: 131489

IOT TAXONOMY

category: ['IoT', 'ICS'], sub_category: -

Trust: 0.6

category: ['ICS'], sub_category: -

Trust: 0.2

sources: IVD: cc53ce32-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-02759

AFFECTED PRODUCTS

vendor: hp, model: network automation, scope: eq, version: 10.x

Trust: 0.8

vendor: hewlett packard, model: -, scope: -, version: -

Trust: 0.8

vendor: hewlett packard, model: hp network automation, scope: eq, version: 10.x

Trust: 0.8

vendor: hewlett packard, model: hp network automation, scope: eq, version: 9.0x

Trust: 0.8

vendor: hewlett packard, model: hp network automation, scope: eq, version: 9.1x

Trust: 0.8

vendor: hewlett packard, model: hp network automation, scope: eq, version: 9.2x

Trust: 0.8

vendor: hp, model: network automation, scope: eq, version: 9.0x

Trust: 0.6

vendor: hp, model: network automation, scope: eq, version: 9.1x

Trust: 0.6

vendor: hp, model: network automation, scope: eq, version: 9.2x

Trust: 0.6

vendor: hp, model: network automation, scope: eq, version: 9.0x*

Trust: 0.2

vendor: hp, model: network automation, scope: eq, version: 9.1x*

Trust: 0.2

vendor: hp, model: network automation, scope: eq, version: 9.2x*

Trust: 0.2

sources: IVD: cc53ce32-2351-11e6-abef-000c29c66e3d // CERT/CC: VU#750060 // CNVD: CNVD-2015-02759 // JVNDB: JVNDB-2015-002378

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2014-7886
value: MEDIUM

Trust: 0.8

IPA: JVNDB-2015-002378
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2015-02759
value: MEDIUM

Trust: 0.6

IVD: cc53ce32-2351-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

NVD: CVE-2014-7886
severity: MEDIUM
baseScore: 6.8
vectorString: NONE
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

IPA: JVNDB-2015-002378
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2015-02759
severity: MEDIUM
baseScore: 6.0
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.8
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: cc53ce32-2351-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 6.0
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.8
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

sources: IVD: cc53ce32-2351-11e6-abef-000c29c66e3d // CERT/CC: VU#750060 // CNVD: CNVD-2015-02759 // JVNDB: JVNDB-2015-002378

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 131489 // CNNVD: CNNVD-201504-458

TYPE

other

Trust: 0.2

sources: IVD: cc53ce32-2351-11e6-abef-000c29c66e3d

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-002378

EXPLOIT AVAILABILITY

sources: CERT/CC: VU#750060

PATCH

title: c04574207: HPSBMU03264 rev.2 - HP Network Automation, Multiple Remote Vulnerabilities
url: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c04574207

Trust: 0.8

title: HP Network Automation has multiple vulnerabilities
url: https://www.cnvd.org.cn/patchInfo/show/57826

Trust: 0.6

sources: CNVD: CNVD-2015-02759 // JVNDB: JVNDB-2015-002378

EXTERNAL IDS

db: NVD, id: CVE-2014-7886

Trust: 2.3

db: CERT/CC, id: VU#750060

Trust: 2.2

db: CNVD, id: CNVD-2015-02759

Trust: 0.8

db: CNNVD, id: CNNVD-201504-458

Trust: 0.8

db: JVN, id: JVNVU90341582

Trust: 0.8

db: JVNDB, id: JVNDB-2015-002378

Trust: 0.8

db: SECUNIA, id: 64162

Trust: 0.6

db: IVD, id: CC53CE32-2351-11E6-ABEF-000C29C66E3D

Trust: 0.2

db: PACKETSTORM, id: 131489

Trust: 0.1

sources: IVD: cc53ce32-2351-11e6-abef-000c29c66e3d // CERT/CC: VU#750060 // CNVD: CNVD-2015-02759 // JVNDB: JVNDB-2015-002378 // PACKETSTORM: 131489 // CNNVD: CNNVD-201504-458

REFERENCES

url:https://h20564.www2.hp.com/hpsc/doc/public/display?docid=emr_na-c04574207

Trust: 2.0

url:http://www.kb.cert.org/vuls/id/750060

Trust: 1.4

url:http://cwe.mitre.org/data/definitions/352.html

Trust: 0.8

url:http://cwe.mitre.org/data/definitions/79.html

Trust: 0.8

url:http://cwe.mitre.org/data/definitions/20.html

Trust: 0.8

url:https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay/?docid=emr_na-c

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-7886

Trust: 0.8

url:http://jvn.jp/vu/jvnvu90341582/index.html

Trust: 0.8

url:http://secunia.com/advisories/64162

Trust: 0.6

url:https://h20564.www2.hp.com/portal/site/hpsc/public/kb/

Trust: 0.1

url:https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secbullarchive/

Trust: 0.1

url:http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-7886

Trust: 0.1

url:https://softwaresupport.hp.com/group/softwaresupport/search-

Trust: 0.1

url:https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsea

Trust: 0.1

sources: CERT/CC: VU#750060 // CNVD: CNVD-2015-02759 // JVNDB: JVNDB-2015-002378 // PACKETSTORM: 131489 // CNNVD: CNNVD-201504-458

CREDITS

HP

Trust: 0.1

sources: PACKETSTORM: 131489

SOURCES

db: IVD, id: cc53ce32-2351-11e6-abef-000c29c66e3d
db: CERT/CC, id: VU#750060
db: CNVD, id: CNVD-2015-02759
db: JVNDB, id: JVNDB-2015-002378
db: PACKETSTORM, id: 131489
db: CNNVD, id: CNNVD-201504-458

LAST UPDATE DATE

2024-09-09T23:15:32.566000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#750060, date: 2015-04-17T00:00:00
db: CNVD, id: CNVD-2015-02759, date: 2015-04-28T00:00:00
db: JVNDB, id: JVNDB-2015-002378, date: 2015-04-21T00:00:00
db: CNNVD, id: CNNVD-201504-458, date: 2015-04-23T00:00:00

SOURCES RELEASE DATE

db: IVD, id: cc53ce32-2351-11e6-abef-000c29c66e3d, date: 2015-04-28T00:00:00
db: CERT/CC, id: VU#750060, date: 2015-04-17T00:00:00
db: CNVD, id: CNVD-2015-02759, date: 2015-04-28T00:00:00
db: JVNDB, id: JVNDB-2015-002378, date: 2015-04-21T00:00:00
db: PACKETSTORM, id: 131489, date: 2015-04-17T06:48:32
db: CNNVD, id: CNNVD-201504-458, date: 2015-04-23T00:00:00