Vulnerability Note VU#350508
HP ArcSight SmartConnector fails to properly validate SSL and contains a hard-coded password
The HP ArcSight SmartConnector fails to properly validate SSL certificates, and also contains a hard-coded password.
CWE-295: Improper Certificate Validation - CVE-2015-2902
The ArcSight SmartConnector fails to validate the certificate of the upstream Logger device it is reporting logs to. An eavesdropper can perform a man-in-the-middle attack against log traffic.
A remote attacker may be able to utilize a man-in-the-middle attack to read SSL-encrypted log traffic. A remote attacker may use the hard-coded password to gain root access to the device.
Apply an update
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Hewlett-Packard Company||Affected||08 Jul 2015||20 Oct 2015|
CVSS Metrics (Learn More)
Thanks to Jefferson Ogata for reporting this vulnerability to us.
This document was written by Garret Wassermann.
- CVE IDs: CVE-2015-2902 CVE-2015-2903
- Date Public: 19 Oct 2015
- Date First Published: 27 Oct 2015
- Date Last Updated: 03 Nov 2015
- Document Revision: 56
If you have feedback, comments, or additional information about this vulnerability, please send us email.