CVE-2009-2897

2 October 2009: CVE-2009-2897: Reflected XSS in stack trace

Severity: Moderate

Versions Affected:

• Hyperic HQ 3.2, 4.0, 4.1, 4.2-beta1 (earlier, unsupported versions may also be affected)
• AMS 2.0.0.SR3 and earlier
• tc Server 6.0.20.B and earlier

Description:

The stack trace displayed on the default error page is displayed verbatim without running it through a sanitizer. This can be exploited by an attacker to execute arbitrary JavaScript code in the context of the browser of a legitimate logged in user.

Mitigation:

• Hyperic HQ 3.2 users should upgrade to 3.2.6 and then apply the 3.2.6.1 patch
• Hyperic HQ 3.2 Enterprise users should upgrade to 3.2.6 and then apply the 3.2.6.1-EE patch
• Hyperic HQ 4.0 users should upgrade to 4.0.3 and then apply the 4.0.3.1 patch
• Hyperic HQ 4.0 Enterprise users should upgrade to 4.0.3 and then apply the 4.0.3.1-EE patch
• Hyperic HQ 4.1 users should upgrade to 4.1.2 and then apply the 4.1.2.1 patch
• Hyperic HQ 4.1 Enterprise users should upgrade to 4.1.2 and then apply the 4.1.2.1-EE patch
• Hyperic HQ 4.2-beta1 users should upgrade to 4.2-beta2 or later
• AMS users should upgrade to 2.0.0.SR4 when released (scheduled for 16-Oct-2009)
• tc Server users should upgrade to AMS 2.0.0.SR4 when released (scheduled for 16-Oct-2009)

To protect themselves from this issue until systems have been upgraded and/or patches have been applied, users should not browse other web sites whilst signed in to Hyperic HQ or AMS and should sign out once they have completed their tasks.

Credit:

This vulnerability was first reported to SpringSource by Eric Searcy (via the Hyperic Forums).

This vulnerability was independently discovered and researched by Gastón Rey and Pablo Carballo from Core Security Technologies during Core Bugweek 2009.

References:

• http://forums.hyperic.com/jiveforums/thread.jspa?messageID=22156&#22156
• http://jira.hyperic.com/browse/HHQ-2655
• http://www.coresecurity.com/content/hyperic-hq-vulnerabilities

Obtaining the security patches

The security patches for Hyperic HQ may be obtained from:

• http://download.hyperic.com/dl/patch/HQP-HQ3261.zip
• http://download.hyperic.com/dl/patch/HQP-HQ4031.zip
• http://download.hyperic.com/dl/patch/HQP-HQ4121.zip

The security patches for Hyperic HQ Enterprise may be obtained from:

• http://download.hyperic.com/dl/patch/HQP-HQ3261-EE.zip
• http://download.hyperic.com/dl/patch/HQP-HQ4031-EE.zip
• http://download.hyperic.com/dl/patch/HQP-HQ4121-EE.zip

Applying the security patches

The security patches may be applied by following these steps:

1. If you are not already running version 3.2.6, 4.0.3 or 4.1.2, you must upgrade to one of these versions.
2. Download the zip file containing the appropriate patch for your version.
3. Stop the Hyperic HQ server.
4. Copy the original hq-engine/server/default/deploy/hq.ear/hq.jar to a safe location outside of the Hyperic HQ installation.
5. Copy the original hq-engine/server/default/deploy/hq.ear/hq.war/WEB-INF/lib/hq_jsp.jar to a safe location outside of the Hyperic HQ installation.
6. Copy the original hq-engine/server/default/deploy/hq.ear/hq.war/WEB-INF/lib/hq-ui.jar to a safe location outside of the Hyperic HQ installation.
7. Extract the hq.jar, hq_jsp.jar and hq-ui.jar files from the zip file.
8. Replace hq-engine/server/default/deploy/hq.ear/hq.jar with the hq.jar file you extracted in step 7.
9. Replace hq-engine/server/default/deploy/hq.ear/hq.war/WEB-INF/lib/hq_jsp.jar with the hq_jsp.jar file you extracted in step 7.
10. Replace hq-engine/server/default/deploy/hq.ear/hq.war/WEB-INF/lib/hq-ui.jar with the hq_jsp.jar file you extracted in step 7.
11. Start the Hyperic HQ server.

Note: applying this patch will correct CVE-2009-2897 and CVE-2009-2898.

History

• 2009-10-02: Original Advisory
• 2009-10-03: Update to add AMS and tc Server to affected products
• 2009-10-07: Update to provide separate patches for Hyperic HQ and Hyperic HQ Enterprise
• 2010-03-23: Reformatting for clarity and consistency