Hewlett Packard Enterprise Application Performance Management Staging Data Replicator hpbsmsdr Missing Authentication for Critical Function Remote Code Execution Vulnerability

2017-09-26T00:00:00
ID ZDI-17-825
Type zdi
Reporter rgod
Modified 2017-06-22T00:00:00

Description

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett Packard Enterprise Application Performance Management Staging Data Replicator. The specific flaw exists within the hpbsmsdr web service, which listens on TCP port 29921 by default. The software does not provide any authentication for functionality that can invoke arbitrary classes. An attacker can leverage this vulnerability to execute code under the context of SYSTEM.