HP Universal CMDB Server Axis2 default password

2011-02-22T00:00:00
ID SAINT:38FEBCB97AF707B0DE1B5D3F0340F099
Type saint
Reporter SAINT Corporation
Modified 2011-02-22T00:00:00

Description

Added: 02/22/2011
CVE: CVE-2010-0219
BID: 45625
OSVDB: 70233

Background

HP Universal CMDB Server 9.0 is a modular management system that consists of a rich business-service-oriented data model with built-in discovery of configuration items (CIs) and configuration item dependencies, visualization and mapping of business services, and tracking of configuration changes.

Problem

HP UCMDB deploys Axis2 with default credentials which can be used to gain unauthorized access to the web application server. By then uploading a specially crafted axis2 service, an attacker could execute arbitrary commands on the system.

Resolution

Change the password for the admin account in the axis2.xml file, which is found in the \hp\UCMDB\UCMDBServer\deploy\axis2\WEB-INF\conf\ folder.

References

<http://www.securityfocus.com/archive/1/515494>

Limitations

Exploit works on HP Universal CMDB Server 9.0.

There may be a delay before the exploit succeeds.

Platforms

Windows