search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Hewlett-Packard Network Automation contains multiple vulnerabilities

Vulnerability Note VU#750060

Original Release Date: 2015-04-17 | Last Revised: 2015-04-17

Overview

HP Network Automation versions 9.0x, 9.1x, 9.2x, and 10.x contain multiple vulnerabilities affecting the administrative web interface.

Description

HP Network Automation versions 9.0x, 9.1x, 9.2x, and 10.x contain vulnerabilities in the administrative web interface, including multiple cross site request forgery (CSRF), cross-site scripting (XSS), and clickjacking issues.

For more information, review the HP security bulletin.

Impact

A remote, unauthenticated attacker may be able to trick an authenticated user into making an unintentional request to the web server that will be treated as an authentic request, leading to the possibility of privilege escalation, information leakage, code execution, or denial of service.

Solution

Apply an update

HP has released versions 9.22.02 and 10.00.01 to address these vulnerabilities.

Vendor Information

750060
 
Affected   Unknown   Unaffected

Hewlett-Packard Company

Notified:  December 08, 2014 Updated:  April 16, 2015

Statement Date:   April 15, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References


CVSS Metrics

Group Score Vector
Base 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal 5.3 E:POC/RL:OF/RC:C
Environmental 4 CDP:N/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Tim MalcomVetter of FishNet Security for reporting these vulnerabilities.

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2014-7886
Date Public: 2015-04-17
Date First Published: 2015-04-17
Date Last Updated: 2015-04-17 11:59 UTC
Document Revision: 12

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.