HP ArcSight Logger contains multiple vulnerabilities

ID VU:842252
Type cert
Reporter CERT
Modified 2015-10-26T00:00:00



HP ArcSight Logger contains multiple vulnerabilities, allowing authentication bypass and privilege escalation in certain scenarios.


CWE-285: Improper Authorization - CVE-2015-2136

A remote authenticated user without Logger Search permissions may be able to bypass authorization and perform searches via the SOAP interface.

According to the reporter, ArcSight Logger is affected, and other versions may also be affected.

CWE-307: Improper Restriction of Excessive Authentication Attempts - CVE-2015-6029

Failed login attempts via the SOAP interface are not logged and do not trigger a lockout, unlike failed attempts through the standard web GUI. This may allow a remote unauthenticated attacker to attempt brute force password guesses without triggering an alert.

According to the reporter, ArcSight Logger is affected, and other versions may also be affected.

CWE-653: Insufficient Compartmentalization - CVE-2015-6030

Several key files for ArcSight are owned by the arcsight user, but are executed with root privileges. This may allow a user with arcsight credentials to escalate privileges to root when running commands.

According to the reporter, ArcSight Logger, ArcSight Command Center, and ArcSight Connector Appliance are affected. Other versions may also be affected. ArcSight SmartConnector for UNIX-like systems may also be affected.

The CVSS score below is based on CVE-2015-2136. While the Insufficient Compartmentalization issue could potentially be serious, the arcsight user credentials appear to only be known by system administrators in practice, greatly lessening the severity of this vulnerability. Future evidence of an alternate way to obtain arcsight credentials may change this impact.


An authenticated remote user without ArcSight Logger search privileges may be able to perform Logger searches. An unauthenticated remote user may be able to brute force guess a password without triggering any alerts. A user with arcsight credentials may be able to execute commands with the privileges of root.


Apply an update

HP has released HP ArcSight Logger v6.0 P2, which addresses CVE-2015-2136 and CVE-2015-6029. Affected users should update as soon as possible to ArcSight Logger v6.0 P2 or a subsequent release. HP has also released a Security Bulletin regarding CVE-2015-6029.

HP has begun to roll out updates addressing the remaining issues on all supported platforms, and expects to have all updates available by the end of October. In the meantime, consider the following workarounds:

Restrict access to the system and network

Restrict access to the arcsight user account. Network monitoring may help detect brute force password attempts.
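An ownership audit for the CVE-2015-6030 pattern, added here as an example (not CERT's or HP's code): given the files that root executes, it reports every file or parent directory that a non-root account owns or can write to. The install root and script name in the demo are hypothetical, since the advisory does not list the affected files.

```python
import os
import stat
import tempfile

def audit_root_executed(paths, stop_at, trusted_uids=(0,)):
    """Report files root executes, and their parent directories, that an
    untrusted account owns or can write to. Returns [(path, reason), ...]."""
    findings, seen = [], set()
    stop_at = os.path.realpath(stop_at)
    for path in paths:
        current = os.path.realpath(path)
        # Walk from the file up to the install root; stop early at any
        # directory already audited for a previous path.
        while current not in seen:
            seen.add(current)
            st = os.stat(current)
            if st.st_uid not in trusted_uids:
                # The owner can rewrite the file, or swap it via its directory.
                findings.append((current, f"owned by uid {st.st_uid}"))
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((current, "group- or world-writable"))
            parent = os.path.dirname(current)
            if current == stop_at or parent == current:
                break
            current = parent
    return findings

def demo():
    """Constructed layout: an install root holding one script root would run."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        script = os.path.join(bindir, "service-start.sh")  # hypothetical name
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\n")
        for p in (root, bindir, script):
            os.chmod(p, 0o755)
        me = os.getuid()
        # Current user stands in for the service account: nothing it owns is trusted.
        as_service = audit_root_executed([script], root, trusted_uids=())
        # Current user stands in for root: ownership is acceptable, modes are tight.
        as_root = audit_root_executed([script], root, trusted_uids=(me,))
        return len(as_service), len(as_root)

if __name__ == "__main__":
    print(demo())
```

On a real appliance, feed it the paths referenced by init scripts, cron entries and sudo rules that run as root, with `stop_at` set to the product's install directory.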

Vendor Information

Vendor| Status| Date Notified| Date Updated
Hewlett-Packard Company| | 20 Jul 2015| 08 Sep 2015

CVSS Metrics

Group | Score | Vector
Base | 4.0 | AV:N/AC:L/Au:S/C:P/I:N/A:N
Temporal | 3.1 | E:POC/RL:OF/RC:C
Environmental | 2.3 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND


  • <https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04762372>
  • <https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04863612>
  • <http://cwe.mitre.org/data/definitions/285.html>
  • <http://cwe.mitre.org/data/definitions/307.html>
  • <http://cwe.mitre.org/data/definitions/653.html>


Thanks to Hubert Mach and Julian Horoszkiewicz for reporting these issues to us.

This document was written by Garret Wassermann.
