Information Disclosure, Privilege Escalation, and Arbitrary Code Execution
Source: HP, HP Product Security Response Team (PSRT)
Reported by: Eldar Marcussen - xen1thLabs - Software Labs (PSR-2019-0173, CVE-2019-16285, CVE-2019-16286, CVE-2019-16287, CVE-2019-18909, CVE-2019-18910) and Doug Ipperciel - NCC Group (PSR-2019-0184, CVE-2019-16286)
Potential security vulnerabilities have been identified with certain versions of HP ThinPro components that may allow unauthorized information disclosure, privilege escalation, and arbitrary code execution.
HP has released security updates for all affected components, and solutions are available through HP Easy Update, HP Thin Update, and HP Update Center within HP Device Manager. The individual update for each vulnerability is listed in the table below:
Reference | Available Patch Version
---|---
CVE-2019-16286 | Firefox 60.9.0esr for ThinPro 6.2-7.1 version hp2a
CVE-2019-16285<br>CVE-2019-16287<br>CVE-2019-18909 | HP ThinPro 7.1 Service Pack 4<br>Security Update 2019 Rollup 005 For ThinPro 7.0<br>Security Update 2019 Rollup 005 For ThinPro 6.2.1<br>Security Update 2019 Rollup 005 For ThinPro 6.2
CVE-2019-18910 | Citrix Workspace app 19.6.0 hp2d for ThinPro 6.2, 6.2.1, 7.0 and 7.1