Hyperic HQ Known Vulnerabilities
Components of Hyperic HQ
Hyperic HQ is built with the following components. Please see the security advisories information for each component for more information on the security vulnerabilities and issues that may affect that component.
| Component | Security advisories |
|---|---|
| JBoss Application Server 4.0.x | No longer supported |
| JBoss Application Server 4.2.x | 4.2.x errata |
| Dojo | Dojo security advisories |
Hyperic HQ is built using the following versions of these components.
| Hyperic HQ version | JBoss Application Server version | Dojo versions |
|---|---|---|
| 3.2.x | 4.0.3 SP1 | 0.4.0 and 1.1.0 |
| 4.0.x | 4.0.3 SP1 | 0.4.0 and 1.1.0 |
| 4.1.x | 4.2.3 | 0.4.0 and 1.1.0 |
| 4.2.x | 4.2.3 | 0.4.0 and 1.1.0 |
CVE-2009-3555, the SSL protocol MITM vulnerability, may be worked around via configuration. Since JBoss 4.2.x uses Apache Tomcat 6.0.x, details may be obtained from the Tomcat 6 security advisories page.
Authenticated users are exposed to the Dojo security vulnerabilities. Hyperic HQ users are advised not to browse untrusted sites whilst logged in to Hyperic HQ and to log out of Hyperic HQ when they have finished.
The next release of Hyperic HQ (4.3) will include updated Dojo components that are not vulnerable to the issues announced on 11 March 2010.
Known Vulnerabilities in Hyperic HQ
The following vulnerabilities are known to exist in Hyperic HQ. The information in this section may not be complete for unsupported versions. Users of unsupported versions are strongly encouraged to upgrade to a supported version.
| Date | Vulnerability | Fixed in 4.2 | Fixed in 4.1 | Fixed in 4.0 | Fixed in 3.2 |
|---|---|---|---|---|---|
| 2 October 2009 | CVE-2009-2898 | 4.2-beta2 | 4.1.2.1 | 4.0.3.1 | 3.2.6.1 |
| 2 October 2009 | CVE-2009-2897 | 4.2-beta2 | 4.1.2.1 | 4.0.3.1 | 3.2.6.1 |
| 23 March 2010 | CVE-2009-2907 | 4.2.0.0 | 4.1.2.1 | 4.0.3.2 | N/A |
| 5 February 2011 | CVE-2009-2899 | 4.2.x | N/A | N/A | N/A |