CVE-2009-2897: Hyperic HQ - Reflected XSS in stack trace

Published 2009-10-06 (vulners.com)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2009-2897: Reflected XSS in stack trace

Severity: Moderate

Vendor: SpringSource

Versions Affected: Hyperic HQ 3.2, 4.0, 4.1, 4.2-beta1. Earlier,
unsupported versions may also be affected

Description:
The stack trace displayed on the default error page is displayed
verbatim without running it through a sanitizer. This can be exploited
by an attacker to execute arbitrary JavaScript code in the context of
the browser of a legitimate logged in user.
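The flaw described above is the classic "stack trace on the error page" pattern: whatever text ended up in the exception message (including a request parameter the framework echoed back) is interpolated into the HTML unchanged. The following added example is not Hyperic's code; it models the vulnerable error page beside the hardened one in Python, with a constructed request value containing harmless markup, so the difference between the two renderers is visible in the output.

```python
import html
import traceback


def _format_trace(exc: BaseException) -> str:
    return "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))


def render_error_page_unsafe(exc: BaseException) -> str:
    # Pattern the advisory describes: the stack trace is written into the
    # HTML page verbatim, so any '<' in the exception message starts a tag
    # in the victim's browser.
    return f"<html><body><h1>Error</h1><pre>{_format_trace(exc)}</pre></body></html>"


def render_error_page_safe(exc: BaseException) -> str:
    # Hardened form: escape the trace before interpolating it. '<', '>',
    # '&' and quotes become character references and can no longer break
    # out of the <pre> element or start a <script> tag.
    return f"<html><body><h1>Error</h1><pre>{html.escape(_format_trace(exc))}</pre></body></html>"


def handle_request(param: str, renderer) -> str:
    # Simulated handler (hypothetical, not a Hyperic API): it fails on an
    # unexpected parameter value and hands the exception to the default
    # error page, which is where the parameter text reaches the HTML.
    try:
        raise ValueError(f"unexpected value for parameter 'id': {param!r}")
    except ValueError as exc:
        return renderer(exc)


def contains_raw_markup(page: str) -> bool:
    # Detection helper for the example: True if any '<' survived inside the
    # <pre> block, i.e. the trace was not escaped.
    body = page.split("<pre>", 1)[1].split("</pre>", 1)[0]
    return "<" in body


if __name__ == "__main__":
    MARKER = "<b>marker</b>"  # constructed sample input, harmless markup
    print(contains_raw_markup(handle_request(MARKER, render_error_page_unsafe)))  # True
    print(contains_raw_markup(handle_request(MARKER, render_error_page_safe)))    # False
```

The same check generalises to any page that prints exception text: escape at the point of output, not in the handler that raised the exception, because the message may be built from several untrusted sources before it reaches the template.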

Mitigation:
3.2 users should upgrade to 3.2.6 and then apply the 3.2.6.1 patch
4.0 users should upgrade to 4.0.3 and then apply the 4.0.3.1 patch
4.1 users should upgrade to 4.1.2 and then apply the 4.1.2.1 patch
4.2-beta1 users should upgrade to 4.2-beta2 or later
To protect themselves from this issue until the patches have been
applied, users should not browse other web sites whilst signed in to
Hyperic HQ and should sign out once they have completed their tasks.

Credit:
This vulnerability was first reported to SpringSource by Eric Searcy
(via the Hyperic Forums).
This vulnerability was independently discovered and researched by Gastón
Rey and Pablo Carballo from Core Security Technologies during Core
Bugweek 2009.

References:

  1. http://forums.hyperic.com/jiveforums/thread.jspa?messageID=22156&#22156
  2. http://jira.hyperic.com/browse/HHQ-2655
  3. http://www.coresecurity.com/content/hyperic-hq-vulnerabilities
  4. http://www.springsource.com/security/hyperic-hq

Obtaining the security patches:
The security patches may be obtained from:
http://download.hyperic.com/dl/patch/hq.jar.3.2.6.1.zip
http://download.hyperic.com/dl/patch/hq.jar.4.0.3.1.zip
http://download.hyperic.com/dl/patch/hq.jar.4.1.2.1.zip

Applying the security patches:
The security patches may be applied by following these steps:

  1. If you are not already running version 3.2.6, 4.0.3 or 4.1.2, you
    must upgrade to one of these versions.
  2. Download the zip file containing the appropriate patch for your version.
  3. Stop the Hyperic HQ server.
  4. Copy the original hq-engine/server/default/deploy/hq.ear/hq.jar to a
    safe location outside of the Hyperic HQ installation
  5. Copy the original
    hq-engine/server/default/deploy/hq.ear/hq.war/WEB-INF/lib/hq_jsp.jar to
    a safe location outside of the Hyperic HQ installation
  6. Extract the hq.jar and hq_jsp.jar files from the zip file
  7. Replace hq-engine/server/default/deploy/hq.ear/hq.jar with the hq.jar
    file you extracted in step 6.
  8. Replace
    hq-engine/server/default/deploy/hq.ear/hq.war/WEB-INF/lib/hq_jsp.jar
    with the hq_jsp.jar file you extracted in step 6.
  9. Start the Hyperic HQ server.
    Note: applying this patch will correct CVE-2009-2897 and CVE-2009-2898
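Steps 4 through 8 of the procedure above are a back-up-then-replace operation on two jars, and the part most often done wrong by hand is the backup landing inside the installation or the wrong jar being swapped in. The following added script (not Hyperic's, and not a substitute for steps 1 to 3 and 9, which remain manual) automates those steps in Python: it refuses a backup directory inside the install, checks that the patch zip actually carries both files, copies the originals out, and only then overwrites them. The fixture it builds is a constructed stand-in for a real installation and patch zip.

```python
import shutil
import tempfile
import zipfile
from pathlib import Path

# Jar locations from the advisory, relative to the Hyperic HQ install root.
HQ_JAR = Path("hq-engine/server/default/deploy/hq.ear/hq.jar")
HQ_JSP_JAR = Path("hq-engine/server/default/deploy/hq.ear/hq.war/WEB-INF/lib/hq_jsp.jar")
PATCHED_FILES = ("hq.jar", "hq_jsp.jar")


def apply_patch(install_root: Path, patch_zip: Path, backup_dir: Path) -> dict:
    """Steps 4-8: back up hq.jar and hq_jsp.jar outside the install, then
    replace them with the copies from the patch zip. Returns the backup
    paths so the operator can verify them. The server must already be
    stopped (step 3) and be a 3.2.6 / 4.0.3 / 4.1.2 install (step 1)."""
    root, backup = install_root.resolve(), backup_dir.resolve()
    if backup == root or root in backup.parents:
        raise ValueError("backup_dir must lie outside the Hyperic HQ installation")
    targets = {"hq.jar": install_root / HQ_JAR, "hq_jsp.jar": install_root / HQ_JSP_JAR}
    for target in targets.values():
        if not target.is_file():
            raise FileNotFoundError(f"{target} not found; wrong install root or version?")
    with zipfile.ZipFile(patch_zip) as zf:
        names = {Path(n).name: n for n in zf.namelist()}
        missing = [f for f in PATCHED_FILES if f not in names]
        if missing:
            raise ValueError(f"patch zip lacks {missing}")
        backup_dir.mkdir(parents=True, exist_ok=True)
        backups = {}
        for name, target in targets.items():      # steps 4 and 5
            backups[name] = backup_dir / name
            shutil.copy2(target, backups[name])
        for name, target in targets.items():      # steps 6, 7 and 8
            with zf.open(names[name]) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
    return backups


def build_sample_install(base: Path):
    # Constructed fixture for this example only: placeholder jars in the
    # advisory's directory layout plus a zip with replacement jars.
    install = base / "hyperic-hq"
    for rel in (HQ_JAR, HQ_JSP_JAR):
        (install / rel).parent.mkdir(parents=True, exist_ok=True)
        (install / rel).write_bytes(b"old " + rel.name.encode())
    patch = base / "hq.jar.example.zip"           # placeholder name, not a real patch
    with zipfile.ZipFile(patch, "w") as zf:
        for name in PATCHED_FILES:
            zf.writestr(name, b"patched " + name.encode())
    return install, patch, base / "backup"


def run_demo() -> dict:
    # Runs the procedure against the fixture and reports what changed.
    base = Path(tempfile.mkdtemp(prefix="hq-patch-demo-"))
    install, patch, backup_dir = build_sample_install(base)
    backups = apply_patch(install, patch, backup_dir)
    rejected_inside_install = False
    try:
        apply_patch(install, patch, install / "backup")
    except ValueError:
        rejected_inside_install = True
    return {
        "hq.jar": (install / HQ_JAR).read_bytes(),
        "hq_jsp.jar": (install / HQ_JSP_JAR).read_bytes(),
        "backup_hq.jar": backups["hq.jar"].read_bytes(),
        "backup_hq_jsp.jar": backups["hq_jsp.jar"].read_bytes(),
        "rejected_inside_install": rejected_inside_install,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Keeping the backups outside the installation, as step 4 and 5 require, matters because a later upgrade or re-deploy of hq.ear may overwrite anything kept under hq-engine/.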
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-----END PGP SIGNATURE-----