Hewlett Packard (HP) has released a security bulletin addressing a vulnerability in its configuration management database product, UCMDB (Universal Configuration Management Database). UCMDB has been found vulnerable to a critical security flaw, a JMX-Console authentication bypass (CVE-2014-7883). Cybercriminals can leverage the vulnerability to remotely and easily access critical company information held by the database software.

Hans-Martin Muench, a researcher from Mogwai Security, worked with HP to uncover this vulnerability and helped HP develop the fix for the flaw.

Vulnerability

According to the security advisory from Mogwai Security, the HP UCMDB software is vulnerable to a remote attack via a JMX-Console authentication bypass. The bypass can be used to create a new account, which can then be used to access the JMX console.

The JMX Console is a web application that is installed automatically with UCMDB and that database administrators rely on heavily. The console performs access control only for the GET and POST methods, which allows remote attackers to reach the application's GET handler by sending requests with a different method (for example HEAD).

This vulnerability has been found to be identical to CVE-2010-0738 (JBoss JMX-Console authentication bypass).

Technical Details

Mogwai Security also included a proof of concept (PoC) in its security advisory. According to the report:

The following curl command will send a HEAD request to create a new user "pocuser" in the UCMDB backend:

curl -I "http://foobar:8080/jmx-console/HtmlAdaptor?action=invokeOpByName&name=UCMDB%3Aservice%3DAuthorization+Services&methodName=createUser&arg0=&arg1=zdi-poc&arg2=pocuser&arg3=zdi-poc&arg4=pocuser"
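Added example, not code from the advisory or from HP: a small Python log check that flags the two signals described above, namely requests to the JMX console path using a method other than GET or POST, and any HtmlAdaptor invocation of createUser. It runs over a few constructed access-log lines in common log format; the host, addresses and timestamps are made up, and the second line mirrors the PoC request.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in common log format. The addresses
# and timestamps are made up; line 2 mirrors the advisory's PoC request.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2015:10:01:02 +0000] "GET /ucmdb-ui/ HTTP/1.1" 200 1234
10.0.0.5 - - [10/Feb/2015:10:01:09 +0000] "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=UCMDB%3Aservice%3DAuthorization+Services&methodName=createUser&arg0=&arg1=zdi-poc&arg2=pocuser&arg3=zdi-poc&arg4=pocuser HTTP/1.1" 200 0
10.0.0.7 - admin [10/Feb/2015:10:02:00 +0000] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 512
10.0.0.9 - - [10/Feb/2015:10:03:30 +0000] "OPTIONS /jmx-console/ HTTP/1.1" 200 0
"""

# Fields of a common-log-format entry that the check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Per the advisory, only these methods are covered by the console's access control.
PROTECTED_METHODS = {"GET", "POST"}
# The operation invoked by the PoC; worth flagging whatever method carries it.
SENSITIVE_OPS = {"createUser"}


def find_jmx_bypass_attempts(log_text):
    """Return one record per request that matches the bypass pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.startswith("/jmx-console/"):
            continue
        method = m.group("method")
        op = parse_qs(url.query).get("methodName", [None])[0]
        reasons = []
        if method not in PROTECTED_METHODS:
            reasons.append("method %s is outside GET/POST-only access control" % method)
        if op in SENSITIVE_OPS:
            reasons.append("HtmlAdaptor invokes %s" % op)
        if reasons:
            hits.append({"ip": m.group("ip"), "method": method, "op": op,
                         "status": int(m.group("status")), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_jmx_bypass_attempts(SAMPLE_LOG):
        print(hit)
```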

Mitigation

HP has provided the link below, from which the security fix can be downloaded and applied.

Apply configuration changes from HP https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01351169

What is HP UCMDB?

The HP Universal CMDB (UCMDB) automatically collects and manages accurate, current business service definitions, the associated infrastructure relationships and detailed information on assets. It is a central component in many of the key processes of an IT organization, such as change management, asset management, service management and business service management.

In other words, HP UCMDB (Universal Configuration Management Database) is used by IT organizations for processes such as asset management, business service management, change management, and service management.

UCMDB is not the only multi-platform software for which HP released a security advisory this year. Last week, the company published a security update for HP Insight Control for Linux CMS Preboot Execution Environment to address several vulnerabilities.

HP advises researchers who uncover vulnerabilities in the company's products to report them to security-alert@hp.com.