Hyperic HQ - Stored XSS in alerts list

2009.10.14
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 3.5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

CVE-2009-2898: Stored XSS in alerts list

Severity: Moderate

Vendor: SpringSource

Versions Affected: Hyperic HQ 3.2, 4.0, 4.1, 4.2-beta1. Earlier, unsupported versions may also be affected.

Description:
An authenticated Hyperic user can create an alert with JavaScript code in the Description field. When a user visits the Alerts list, the Description field of every alert is displayed without properly escaping special HTML characters, thus leading to a persistent XSS.

Mitigation:
3.2 users should upgrade to 3.2.6 and then apply the 3.2.6.1 patch
4.0 users should upgrade to 4.0.3 and then apply the 4.0.3.1 patch
4.1 users should upgrade to 4.1.2 and then apply the 4.1.2.1 patch
4.2-beta1 users should upgrade to 4.2-beta2 or later

To protect against this issue until patches have been applied, system administrators should ensure untrusted users do not have the necessary privileges to create alerts.

Credit:
This vulnerability was discovered and researched by Gastón Rey and Pablo Carballo from Core Security Technologies during Core Bugweek 2009.

References:
1. http://www.coresecurity.com/content/hyperic-hq-vulnerabilities
2. http://jira.hyperic.com/browse/HHQ-3390
3. http://www.springsource.com/security/hyperic-hq

Obtaining the security patches:
The security patches may be obtained from:
http://download.hyperic.com/dl/patch/hq.jar.3.2.6.1.zip
http://download.hyperic.com/dl/patch/hq.jar.4.0.3.1.zip
http://download.hyperic.com/dl/patch/hq.jar.4.1.2.1.zip

Applying the security patches:
The security patches may be applied by following these steps:
1. If you are not already running version 3.2.6, 4.0.3 or 4.1.2, you must upgrade to one of these versions.
2. Download the zip file containing the appropriate patch for your version.
3. Stop the Hyperic HQ server.
4. Copy the original hq-engine/server/default/deploy/hq.ear/hq.jar to a safe location outside of the Hyperic HQ installation.
5. Copy the original hq-engine/server/default/deploy/hq.ear/hq.war/WEB-INF/lib/hq_jsp.jar to a safe location outside of the Hyperic HQ installation.
6. Extract the hq.jar and hq_jsp.jar files from the zip file.
7. Replace hq-engine/server/default/deploy/hq.ear/hq.jar with the hq.jar file you extracted in step 6.
8. Replace hq-engine/server/default/deploy/hq.ear/hq.war/WEB-INF/lib/hq_jsp.jar with the hq_jsp.jar file you extracted in step 6.
9. Start the Hyperic HQ server.

Note: applying this patch will correct CVE-2009-2897 and CVE-2009-2898.
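Steps 4 to 8 of the patch procedure above can be scripted with the checks an operator would want before and after each copy. This is an added example, not part of the SpringSource advisory; the function name apply_hq_patch, its three arguments and its return codes are hypothetical, and it assumes the server is already stopped and the two jar files have been extracted into a directory.

```shell
# Added example, not SpringSource code: steps 4-8 of the patch procedure.
# Assumes the server is stopped (step 3) and hq.jar / hq_jsp.jar are already
# extracted from the patch zip into PATCH_DIR (step 6). Names are hypothetical.

# Paths relative to the Hyperic HQ installation root, as given in the advisory.
HQ_JAR_REL="hq-engine/server/default/deploy/hq.ear/hq.jar"
HQ_JSP_REL="hq-engine/server/default/deploy/hq.ear/hq.war/WEB-INF/lib/hq_jsp.jar"

# apply_hq_patch HQ_HOME PATCH_DIR BACKUP_DIR   (all three must already exist)
# Returns 0 on success, 1 on a failed precondition, 2 on a copy/verify failure.
apply_hq_patch() {
    hq_home=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    patch_dir=$(cd "$2" 2>/dev/null && pwd -P) || return 1
    backup_dir=$(cd "$3" 2>/dev/null && pwd -P) || return 1

    # Steps 4-5 require the backup location to be outside the installation.
    case "$backup_dir/" in
        "$hq_home"/*) echo "backup dir is inside HQ_HOME" >&2; return 1 ;;
    esac

    # Check every precondition before touching any file.
    for rel in "$HQ_JAR_REL" "$HQ_JSP_REL"; do
        name=${rel##*/}
        [ -f "$hq_home/$rel" ] || { echo "missing $hq_home/$rel" >&2; return 1; }
        [ -s "$patch_dir/$name" ] || { echo "missing patched $name" >&2; return 1; }
        # Never overwrite an earlier backup: it may be the only original copy.
        [ ! -e "$backup_dir/$name" ] || { echo "backup of $name exists" >&2; return 1; }
    done

    for rel in "$HQ_JAR_REL" "$HQ_JSP_REL"; do
        name=${rel##*/}
        # Steps 4-5: back up the original and confirm the copy is identical.
        cp -p "$hq_home/$rel" "$backup_dir/$name" || return 2
        cmp -s "$hq_home/$rel" "$backup_dir/$name" || return 2
        # Steps 7-8: replace the file and confirm the patched bytes are in place.
        cp "$patch_dir/$name" "$hq_home/$rel" || return 2
        cmp -s "$patch_dir/$name" "$hq_home/$rel" || return 2
    done
    return 0
}
```

Start the server (step 9) only after a return status of 0; on status 2, restore both files from BACKUP_DIR first.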

References:

http://www.springsource.com/security/hyperic-hq
http://www.coresecurity.com/content/hyperic-hq-vulnerabilities
http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=advisory&name=Hyperic_HQ_Multiple_XSS
http://xforce.iss.net/xforce/xfdb/53660
http://www.securityfocus.com/archive/1/archive/1/506950/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/506935/100/0/threaded2000
http://www.osvdb.org/58611
http://secunia.com/advisories/36935
http://jira.hyperic.com/browse/HHQ-3390

