The HP ArcSight SmartConnector fails to properly validate SSL certificates, and also contains a hard-coded password.
CWE-295: Improper Certificate Validation - CVE-2015-2902
The ArcSight SmartConnector fails to validate the certificate of the upstream Logger device it is reporting logs to. An eavesdropper can perform a man-in-the-middle attack against log traffic.
A remote attacker may be able to utilize a man-in-the-middle attack to read SSL-encrypted log traffic. A remote attacker may use the hard-coded password to gain root access to the device.
Apply an update
Thanks to Jefferson Ogata for reporting this vulnerability to us.
This document was written by Garret Wassermann.