-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 CVE-2009-2897: Reflected XSS in stack trace Severity: Moderate Vendor: SpringSource Versions Affected: Hyperic HQ 3.2, 4.0, 4.1, 4.2-beta1. Earlier, unsupported versions may also be affected Description: The stack trace displayed on the default error page is displayed verbatim without running it through a sanitizer. This can be exploited by an attacker to execute arbitrary JavaScript code in the context of the browser of a legitimate logged in user. Mitigation: 3.2 users should upgrade to 3.2.6 and then apply the 3.2.6.1 patch 4.0 users should upgrade to 4.0.3 and then apply the 4.0.3.1 patch 4.1 users should upgarde to 4.1.2 and then apply the 4.1.2.1 patch 4.2-beta1 users should upgrade to 4.2-beta2 or later To protect themselves from this issue until the patches have been applied, users should not browse other web sites whilst signed in to Hyperic HQ and should sign out once they have completed their tasks. Credit: This vulnerability was first reported to SpringSource by Eric Searcy (via the Hyperic Forums). This vulnerability was independently discovered and researched by Gastn Rey and Pablo Carballo from Core Security Technologies during Core Bugweek 2009. References: 1. http://forums.hyperic.com/jiveforums/thread.jspa?messageID=22156嚌 2. http://jira.hyperic.com/browse/HHQ-2655 3. http://www.coresecurity.com/content/hyperic-hq-vulnerabilities 4. http://www.springsource.com/security/hyperic-hq Obtaining the security patches: The security patches may be obtained from: http://download.hyperic.com/dl/patch/hq.jar.3.2.6.1.zip http://download.hyperic.com/dl/patch/hq.jar.4.0.3.1.zip http://download.hyperic.com/dl/patch/hq.jar.4.1.2.1.zip Applying the security patches: The security patches may be applied by following these steps: 1. If you are not already running version 3.2.6, 4.0.3 or 4.1.2, you must upgrade to one of these versions. 2. Download the zip file containing the appropriate patch for your version. 3. Stop the Hypric HQ server. 4. Copy the original hq-engine/server/default/deploy/hq.ear/hq.jar to a safe location outside of the Hyperic HQ installation 5. Copy the original hq-engine/server/default/deploy/hq.ear/hq.war/WEB-INF/lib/hq_jsp.jar to a safe location outside of the Hyperic HQ installation 6. Extract the hq.jar and hq_jsp.jar files from the zip file 7. Replace hq-engine/server/default/deploy/hq.ear/hq.jar with the hq.jar file you extracted in step 6. 8. Replace hq-engine/server/default/deploy/hq.ear/hq.war/WEB-INF/lib/hq_jsp.jar with the hq_jsp.jar file you extracted in step 6. 9. Start the Hyperic HQ server. Note: applying this patch will correct CVE-2009-2897 and CVE-2009-2898 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.12 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBCgAGBQJKxnbuAAoJECc+NjlVtVaxL1UP/AhL0+XKHnCtmRV+sidAHP9l r8muxxnW5+GXggmOPJ2t6qrRz4LooBAKXzYfyW/Xr93QpFY6wN3Sm6hsuIEZmHzl j9Iw+joqNkf0WMNYmQE9S7OviSwcOsGP9lVK2/cw4lGiSoxpCcUeAVtaGzIxzokh 6FRSe/kqPE547DYqW9KnUSvgzhAME0Vu+AuP1sW6tinmcRp0Tes4ZLvrLJbKbUuO jR5qRksKJJiOJoABOuKE0lOkePCQ5ihmIn0wFSTYWmBe0LKBE8lNzhFc2uuw4PJ3 KjWm1eYEV2S3ZjCoGVcBBwduMjjgE2w0ORQwK6vgImQNDCFFdiTQRbLOx7qogV9g 9J1uNOKBobsCM4uM4E7daTNDmPxEo+yQyqcR7nJaw5GE/Our9N2FVfwHo1KDj46B g3OigVXnitLVigFbDWH5kTGU0vVmiasjbIP+7Dnh4X2i0D6ZAVZ4leriWe3RnPwr HL4oUitgrmqDkuOwFkhXoPhE1RYXMoPB2I6PlcD4CTXz7gTFNJC/4MPp7q9PkIgN 4KFeog1Qz5N1tvwvNayVmEXSTXJMXchMbuMnXTH8FHkBwznAjPVarWJhYtrnqn2B 4naegXddJ+kNWOIFr8KrlET8Kkxo59y3fybENYSp6OjghhrzGFusr1JEhxUCOLmL a0CweWoymEzkr7cyb6nr =IpJ/ -----END PGP SIGNATURE-----