HP ArcSight Logger contains multiple vulnerabilities, allowing authentication bypass and privilege escalation in certain scenarios.
CWE-285: Improper Authorization - CVE-2015-2136
A remote authenticated user without Logger Search permissions may be able to bypass authorization and perform searches via the SOAP interface.
An authenticated remote user without ArcSight Logger search privileges may be able to perform Logger searches. An unauthenticated remote user may be able to brute-force a password without triggering any alerts. A user with ArcSight credentials may be able to execute commands with the privileges of root.
Apply an update.
Restrict access to the system and network.
Thanks to Hubert Mach and Julian Horoszkiewicz for reporting these issues to us.
This document was written by Garret Wassermann.