-----BEGIN PGP SIGNED MESSAGE-----
CVE-2009-2897: Reflected XSS in stack trace
Versions Affected: Hyperic HQ 3.2, 4.0, 4.1, 4.2-beta1. Earlier,
unsupported versions may also be affected
The stack trace displayed on the default error page is displayed
verbatim without running it through a sanitizer. This can be exploited
the browser of a legitimate logged in user.
3.2 users should upgrade to 3.2.6 and then apply the 188.8.131.52 patch
4.0 users should upgrade to 4.0.3 and then apply the 184.108.40.206 patch
4.1 users should upgarde to 4.1.2 and then apply the 220.127.116.11 patch
4.2-beta1 users should upgrade to 4.2-beta2 or later
To protect themselves from this issue until the patches have been
applied, users should not browse other web sites whilst signed in to
Hyperic HQ and should sign out once they have completed their tasks.
This vulnerability was first reported to SpringSource by Eric Searcy
(via the Hyperic Forums).
This vulnerability was independently discovered and researched by Gast=F3n
Rey and Pablo Carballo from Core Security Technologies during Core
Obtaining the security patches:
The security patches may be obtained from:
Applying the security patches:
The security patches may be applied by following these steps:
1. If you are not already running version 3.2.6, 4.0.3 or 4.1.2, you
must upgrade to one of these versions.
2. Download the zip file containing the appropriate patch for your version.
3. Stop the Hypric HQ server.
4. Copy the original hq-engine/server/default/deploy/hq.ear/hq.jar to a
safe location outside of the Hyperic HQ installation
5. Copy the original
a safe location outside of the Hyperic HQ installation
6. Extract the hq.jar and hq_jsp.jar files from the zip file
7. Replace hq-engine/server/default/deploy/hq.ear/hq.jar with the hq.jar
file you extracted in step 6.
with the hq_jsp.jar file you extracted in step 6.
9. Start the Hyperic HQ server.
Note: applying this patch will correct CVE-2009-2897 and CVE-2009-2898
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----