Release date:
Updated on:
Affected Systems:
HP Performance Insight 5.x
Description:
--------------------------------------------------------------------------------
CVE ID: CVE-2012-2007, CVE-2012-2008, CVE-2012-2009
HP Performance Insight software is used to collect and centralize performance data.
HP Performance Insight 5.3.x, 5.41, 5.41.001, and 5.41.002 on HP-UX, Linux, Solaris, and Windows platforms contain multiple vulnerabilities that attackers can exploit to bypass certain security restrictions and to conduct cross-site scripting and SQL injection attacks.
1) Certain unspecified input is not properly filtered before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting SQL code.
2) Certain unspecified input is not properly filtered before being returned to the user. Attackers can exploit this to execute arbitrary HTML and script code.
3) An unspecified error in the application can be exploited to obtain unauthorized access.
<* Source: vendor
Link: http://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03312417
*>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
HP
--
HP has released a Security Bulletin (HPSBMU02775) and corresponding patches for these issues:
HPSBMU02775: SSRT100853 rev.1 - HP Performance Insight for Networks Running on HP-UX, Linux, Solaris, and Windows, Remote SQL Injection, Cross Site Scripting (XSS), Privilege Elevation
Link: http://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03312417