Vulnerability Note VU#842252

HP ArcSight Logger contains multiple vulnerabilities

Original Release date: 19 Oct 2015 | Last revised: 26 Oct 2015


HP ArcSight Logger contains multiple vulnerabilities, allowing authentication bypass and privilege escalation in certain scenarios.


CWE-285: Improper Authorization - CVE-2015-2136

A remote authenticated user without Logger Search permissions may be able to bypass authorization and perform searches via the SOAP interface.

According to the reporter, ArcSight Logger is affected, and other versions may also be affected.

CWE-307: Improper Restriction of Excessive Authentication Attempts - CVE-2015-6029

Unlike failed logins through the standard web GUI, incorrect login attempts via the SOAP interface are neither logged nor subject to account lockout. This may allow a remote unauthenticated attacker to attempt brute force password guesses without triggering an alert.

According to the reporter, ArcSight Logger is affected, and other versions may also be affected.

CWE-653: Insufficient Compartmentalization - CVE-2015-6030

Several key files for ArcSight are owned by the arcsight user, but are executed with root privileges. This may allow a user with arcsight credentials to escalate privileges to root when running commands.

According to the reporter, ArcSight Logger, ArcSight Command Center, and ArcSight Connector Appliance are affected. Other versions may also be affected. ArcSight SmartConnector for UNIX-like systems may also be affected.

The CVSS score below is based on CVE-2015-2136. While the Insufficient Compartmentalization issue could potentially be serious, the arcsight user credentials appear to only be known by system administrators in practice, greatly lessening the severity of this vulnerability. Future evidence of an alternate way to obtain arcsight credentials may change this impact.


An authenticated remote user without ArcSight Logger search privileges may be able to perform Logger searches. An unauthenticated remote user may be able to brute force guess a password without triggering any alerts. A user with arcsight credentials may be able to execute commands with the privileges of root.


Apply an update

HP has released HP ArcSight Logger v6.0 P2 addressing CVE-2015-2136 and CVE-2015-6029. Affected users should update as soon as possible to ArcSight Logger v6.0 P2, or a subsequent release. HP has also released a Security Bulletin regarding CVE-2015-6029.

HP has begun to roll out updates addressing the remaining issues on all supported platforms, and expects to have all updates available by the end of October. In the meantime, consider the following workarounds:

Restrict access to the system and network

Restrict access to the arcsight user account. Network monitoring may help detect brute force password attempts.
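
To see where the CVE-2015-6030 condition (files owned by a non-root account but run as root) exists on a host, an administrator can audit ownership and write permissions along each root-executed file's path. The Python script below is an added example, not part of the original note or any HP tooling; the note does not list the affected files, so the paths are supplied by the operator, and the default trusted-owner set (uid 0 only) is an assumption.

```python
import os
import stat
import sys

def stat_problems(uid, mode, trusted_uids=frozenset({0})):
    """Return reasons why a non-root user could alter a path with this owner/mode."""
    problems = []
    if uid not in trusted_uids:
        # The owner can rewrite or chmod the file, so root would run their code.
        problems.append(f"owned by uid {uid}")
    # In a sticky directory (like /tmp) only an entry's owner may rename or delete it.
    sticky_dir = stat.S_ISDIR(mode) and bool(mode & stat.S_ISVTX)
    if mode & (stat.S_IWGRP | stat.S_IWOTH) and not sticky_dir:
        # Conservative: group write is flagged even if the group is root's.
        problems.append("writable by group or others")
    return problems

def audit_root_executed(path, trusted_uids=frozenset({0})):
    """Check the file and every ancestor directory; return [(path, problems), ...]."""
    current = os.path.realpath(path)  # resolve symlinks so the real target is checked
    findings = []
    while True:
        st = os.stat(current)
        problems = stat_problems(st.st_uid, st.st_mode, trusted_uids)
        if problems:
            findings.append((current, problems))
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            break
        current = parent  # a writable ancestor lets the file be swapped out
    return findings

if __name__ == "__main__":
    # Arguments: files that root runs (init scripts, service wrappers, cron jobs).
    # These are operator-supplied; the advisory does not name them.
    exit_code = 0
    for target in sys.argv[1:]:
        for where, problems in audit_root_executed(target):
            exit_code = 1
            print(f"{target}: {where}: {', '.join(problems)}")
    sys.exit(exit_code)
```

Any finding means a non-root account can influence what root executes; the fix is root ownership and no group or world write on the file and on each directory above it.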

Vendor Information

Vendor | Status | Date Notified | Date Updated
Hewlett-Packard Company | Affected | 20 Jul 2015 | 08 Sep 2015

CVSS Metrics

Group Score Vector
Base 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N
Temporal 3.1 E:POC/RL:OF/RC:C
Environmental 2.3 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND



Thanks to Hubert Mach and Julian Horoszkiewicz for reporting these issues to us.

This document was written by Garret Wassermann.
