[security bulletin] HPESBGN03733 rev.1 - HPE Universal CMDB using Apache Struts, Remote Code Execution