HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Displaying articles for: December 2009

Top Five Web Application Vulnerabilities 12/1/09 - 12/14/09

1) HP OpenView Network Node Manager Multiple Remote Code Execution Vulnerabilities


HP OpenView Network Node Manager is susceptible to multiple remote code execution vulnerabilities. Many of these are exploitable via HTTP requests. Successful exploitation will give an attacker the means to execute arbitrary code with system-level privileges and could lead to a complete system compromise. Updates which resolve these issues are available. Contact the vendor for additional information.


http://www.securityfocus.com/bid/37261


2) Microsoft Windows Active Directory Single Sign On Authentication Spoofing Vulnerability


Microsoft Windows Active Directory Federation Services (ADFS) is susceptible to an authentication-spoofing vulnerability. An authenticated attacker can send specially crafted HTTP requests to an ADFS-enabled web server and spoof legitimate user credentials. An advisory and updates which address this issue have been released. Contact the vendor for more details.


http://www.securityfocus.com/bid/37215


3) IBM InfoSphere Information Server Unspecified Cross-Site Scripting Vulnerability


IBM InfoSphere Information Server is susceptible to a Cross-Site Scripting vulnerability. An attacker can leverage this to execute script code in the browsers of unsuspecting users in the context of the affected application, possibly leading to theft of authentication credentials and other attacks. Updates which resolve this issue are available. Contact the vendor for further information.


http://www.securityfocus.com/bid/37246


4) Sun Java System Portal Server Multiple Unspecified Cross-Site Scripting Vulnerabilities


Sun Java System Portal Server is susceptible to multiple instances of Cross-Site Scripting. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. Updates which address this vulnerability are available. Contact the vendor for further details.


http://www.securityfocus.com/bid/37186


5) Computer Associates Service Desk Cross-Site Scripting Vulnerability


Computer Associates Service Desk is susceptible to a Cross-Site Scripting vulnerability. This vulnerability can be exploited to execute code in the browser of an unsuspecting user and steal cookie-based authentication credentials. Updates which address this vulnerability are available. Contact the vendor for more information.


http://www.securityfocus.com/bid/37253

National data breach notification bill passed in U.S. House

The US House of Representatives has passed new national standards for data breach notifications. Types of data that would require that notice be delivered to affected individuals include the standard assortment of social security numbers, credit card information, financial account numbers, state identification and driver’s license numbers, and so on. At this point, the legislation seems to be a mixed bag, at best. Federal standards are past due, to say the least. States currently enjoy a mix of competing breach notification regulations, so any movement towards consistency at a national level is a good one. However, there are issues. The enforcement portions will be handled by the Federal Trade Commission. A significant number of industries, not to mention the government itself, are exempt from FTC regulation enforcement. According to the Open Security Foundation, the banking and insurance industries are not under the jurisdiction of the FTC, nor are nonprofit organizations, which includes colleges and universities. It doesn’t make a whole lot of sense not to cover the industries that arguably contain the most important data. And considering that national standards for data breach notifications of Personal Health Information have already been enacted, it seems that the industries this bill covers are less pertinent than those it leaves out.

As well, if the accessed data was encrypted or protected by other technologies that would hopefully render the data unreadable, no notifications would be necessary. Because, as we all know, encryption is foolproof. Ahem.

The Senate has already passed several versions of federal data breach notification standards. Hopefully the lack of teeth and oversight in the House’s version will be addressed during bicameral conference committee negotiations.

http://www.scmagazineus.com/national-data-breach-notification-bill-passed-in-us-house/article/159404

Top Five Web Application Vulnerabilities 11/09/09 - 11/30/09

1) IBM WebSphere Application Server Administrative Console HTML Injection Vulnerability


IBM WebSphere Application Server is susceptible to an HTML Injection vulnerability. HTML Injection is used to add content into a web server’s response, which can then be used to steal cookie-based authentication credentials, execute arbitrary code in the context of the site, or simply alter how the site appears. Updates which address this vulnerability have been released. Contact the vendor for additional information.


http://www.securityfocus.com/bid/37015


2) Apache HTTP TRACE Cross Site Scripting Vulnerability


Apache HTTP Server is susceptible to a Cross-Site Scripting vulnerability involving the HTTP TRACE method. This can be exploited to execute code in the browser of an unsuspecting user and steal cookie-based authentication credentials. Updates which resolve this vulnerability are available. Contact the vendor for more information.


http://www.securityfocus.com/bid/36990


3) IBM Rational Products Multiple Cross Site Scripting Vulnerabilities


IBM Rational products are susceptible to multiple instances of Cross-Site Scripting. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. Updates which resolve these issues have been released. Contact the vendor for further details.


http://www.securityfocus.com/bid/37083


4) HP ProCurve Switch Management Interface Multiple HTML Injection Vulnerabilities


HP ProCurve Switch web management interface is susceptible to multiple HTML Injection vulnerabilities. Successful exploitation will give an attacker the means to steal cookie-based authentication credentials, execute arbitrary code in the context of the site, or simply alter how the site appears. A solution has yet to be released. Contact the vendor for further details.


http://www.securityfocus.com/bid/37001


5) WordPress 'wp-admin/includes/file.php' Arbitrary File Upload Vulnerability


WordPress is susceptible to an arbitrary File Upload vulnerability. An attacker can leverage this vulnerability to upload and run arbitrary code in the context of the web server process, possibly leading to unauthorized access or an escalation of privileges. Other attacks are also likely possible. Note that this situation only occurs in specific Apache configurations that utilize Add* directives and PHP to facilitate handling of files with multiple extensions. Updates which resolve this vulnerability are available. Contact the vendor for more information.


http://www.securityfocus.com/bid/37005
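The Apache-side condition behind the WordPress entry above (Add* directives applied to files with multiple extensions) and the TRACE method behind the Apache entry earlier in this list both come down to httpd configuration. The fragment below is an added example for this post, not code from WordPress, Apache or the original advisories; it shows the weak extension-to-handler mapping beside the hardened one, plus the standard TRACE mitigation. The directory path, the php-fpm socket and the Apache 2.4 access-control syntax are assumptions for the example.

```apache
# Added example: httpd configuration, not from the original post.

# --- Weak mapping (the pattern the WordPress entry refers to) -----------
# mod_mime applies AddHandler/AddType to EVERY extension in a filename,
# so a name such as "image.php.jpg" is still handed to the PHP handler.
#
#   AddHandler application/x-httpd-php .php     # weak: do not use

# --- Hardened mapping ----------------------------------------------------
# FilesMatch anchors on the final extension, so only names that END in
# .php reach PHP; "image.php.jpg" is served as a plain file.
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

# Same idea when PHP runs under php-fpm instead of mod_php
# (socket path is an assumption for this example):
# <FilesMatch "\.php$">
#     SetHandler "proxy:unix:/run/php/php-fpm.sock|fcgi://localhost"
# </FilesMatch>

# --- Defence in depth for the upload directory --------------------------
# Nothing uploaded by users should execute, whatever its name looks like.
# Path is an assumption (WordPress's default upload location is
# wp-content/uploads). "Require all denied" is Apache 2.4 syntax; on 2.2
# use "Order deny,allow" / "Deny from all" instead.
<Directory "/var/www/html/wp-content/uploads">
    # Unanchored on purpose: blocks ".php" anywhere in the filename.
    <FilesMatch "\.ph(p|tml|ar)">
        Require all denied
    </FilesMatch>
    php_flag engine off    # disables PHP here entirely; mod_php only
</Directory>

# --- HTTP TRACE (the Apache entry in this list) --------------------------
# TraceEnable is a core directive (Apache 1.3.34 / 2.0.55 and later);
# "off" makes httpd reject TRACE requests, which removes the
# cross-site-tracing vector for reflecting request headers.
TraceEnable off
```

After changing the handler mapping, confirm the result rather than trusting the directive: request a test file named with a double extension in a non-upload directory and check that the response is the raw file content, not PHP output, and send a TRACE request and check for a 405 response. Keep the upload-directory block even once the mapping is fixed, since it protects against any future handler or .htaccess change reopening the same path.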

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.