[security bulletin] HPSBMU02933 rev.3 - HPE SiteScope, issueSiebelCmd and loadFileContents SOAP Requests, Remote Code Execution, Arbitrary File download, Denial of Service (DoS)

LS0tLS1CRUdJTiBQR1AgU0lHTkVEIE1FU1NBR0UtLS0tLQ0KSGFzaDogU0hBMjU2DQoNCk5vdGU6
IHRoZSBjdXJyZW50IHZlcnNpb24gb2YgdGhlIGZvbGxvd2luZyBkb2N1bWVudCBpcyBhdmFpbGFi
bGUgaGVyZToNCmh0dHBzOi8vaDIwNTY0Lnd3dzIuaHBlLmNvbS9ocHNjL2RvYy9wdWJsaWMvZGlz
cGxheT9kb2NJZD1lbXJfbmEtYzAzOTY5NDM1DQoNClNVUFBPUlQgQ09NTVVOSUNBVElPTiAtIFNF
Q1VSSVRZIEJVTExFVElODQoNCkRvY3VtZW50IElEOiBjMDM5Njk0MzUNClZlcnNpb246IDMNCg0K
SFBTQk1VMDI5MzMgcmV2LjMgLSBIUEUgU2l0ZVNjb3BlLCBpc3N1ZVNpZWJlbENtZCBhbmQgIGxv
YWRGaWxlQ29udGVudHMgU09BUCBSZXF1ZXN0cywgUmVtb3RlIENvZGUgRXhlY3V0aW9uLCBBcmJp
dHJhcnkgRmlsZSBkb3dubG9hZCwgRGVuaWFsIG9mIFNlcnZpY2UNCihEb1MpDQoNCk5PVElDRTog
VGhlIGluZm9ybWF0aW9uIGluIHRoaXMgU2VjdXJpdHkgQnVsbGV0aW4gc2hvdWxkIGJlIGFjdGVk
IHVwb24gYXMgc29vbiBhcyBwb3NzaWJsZS4NCg0KUmVsZWFzZSBEYXRlOiAyMDE3LTA2LTI5DQpM
YXN0IFVwZGF0ZWQ6IDIwMTctMDYtMjgNCg0KUG90ZW50aWFsIFNlY3VyaXR5IEltcGFjdDogUmVt
b3RlOiBBcmJpdHJhcnkgRmlsZSBEb3dubG9hZCwgQ29kZSBFeGVjdXRpb24sIERlbmlhbCBvZiBT
ZXJ2aWNlIChEb1MpDQoNClNvdXJjZTogSGV3bGV0dCBQYWNrYXJkIEVudGVycHJpc2UsIFByb2R1
Y3QgU2VjdXJpdHkgUmVzcG9uc2UgVGVhbQ0KDQpWVUxORVJBQklMSVRZIFNVTU1BUlkNCkEgcG90
ZW50aWFsIHNlY3VyaXR5IHZ1bG5lcmFiaWxpdHkgaGFzIGJlZW4gaWRlbnRpZmllZCB3aXRoIEhQ
RSBTaXRlU2NvcGUncyBsb2FkRmlsZUNvbnRlbnRzIFNPQVAgZmVhdHVyZXMuIFRoZSB2dWxuZXJh
YmlsaXRpZXMgY291bGQgYmUgZXhwbG9pdGVkIHRvIGFsbG93IHJlbW90ZSBjb2RlIGV4ZWN1dGlv
biwgYXJiaXRyYXJ5IGZpbGUgZG93bmxvYWQgYW5kIERlbmlhbCBvZiBTZXJ2aWNlIChEb1MpLg0K
DQpSZWZlcmVuY2VzOg0KDQogIC0gQ1ZFLTIwMTMtNDgzNQ0KICAtIENWRS0yMDEzLTYyMDcNCg0K
U1VQUE9SVEVEIFNPRlRXQVJFIFZFUlNJT05TKjogT05MWSBpbXBhY3RlZCB2ZXJzaW9ucyBhcmUg
bGlzdGVkLg0KDQogIC0gSFAgU2l0ZVNjb3BlIE1vbml0b3JzIFNvZnR3YXJlIFNlcmllcyAtIHYx
MC4xeCwgdjExLjF4LCB2MTEuMjENCg0KQkFDS0dST1VORA0KDQogIENWU1MgQmFzZSBNZXRyaWNz
DQogID09PT09PT09PT09PT09PT09DQogIFJlZmVyZW5jZSwgQ1ZTUyBWMyBTY29yZS9WZWN0b3Is
IENWU1MgVjIgU2NvcmUvVmVjdG9yDQoNCiAgICBDVkUtMjAxMy00ODM1DQogICAgICA5LjggQ1ZT
UzozLjAvQVY6Ti9BQzpML1BSOk4vVUk6Ti9TOlUvQzpIL0k6SC9BOkgNCiAgICAgIDEwLjAgKEFW
Ok4vQUM6TC9BdTpOL0M6Qy9JOkMvQTpDKQ0KDQogICAgQ1ZFLTIwMTMtNjIwNw0KICAgICAgOS44
IENWU1M6My4wL0FWOk4vQUM6TC9QUjpOL1VJOk4vUzpVL0M6SC9JOkgvQTpIDQogICAgICA5LjQg
KEFWOk4vQUM6TC9BdTpOL0M6Qy9JOk4vQTpDKQ0KDQogICAgSW5mb3JtYXRpb24gb24gQ1ZTUyBp
cyBkb2N1bWVudGVkIGluDQogICAgSFBFIEN1c3RvbWVyIE5vdGljZSBIUFNOLTIwMDgtMDAyIGhl
cmU6DQoNCmh0dHBzOi8vaDIwNTY0Lnd3dzIuaHBlLmNvbS9ocHNjL2RvYy9wdWJsaWMvZGlzcGxh
eT9kb2NJZD1lbXJfbmEtYzAxMzQ1NDk5DQoNClRoZSBIZXdsZXR0IFBhY2thcmQgRW50ZXJwcmlz
ZSB0aGFua3MgQW5kcmVhIE1pY2FsaXp6aSBha2EgcmdvZCBmb3Igd29ya2luZyB3aXRoIEhQRSdz
IFplcm8gRGF5IEluaXRpYXRpdmUgdG8gcmVwb3J0IENWRS0yMDEzLTQ4MzUgdG8gc2VjdXJpdHkt
YWxlcnRAaHAuY29tLiANCg0KVGhlIEhld2xldHQgUGFja2FyZCBFbnRlcnByaXNlIHRoYW5rcyBN
aWtlIEFybm9sZCAoQnJ1azB1dCkgZm9yIHdvcmtpbmcgd2l0aCBIUEUncyBaZXJvIERheSBJbml0
aWF0aXZlIHRvIHJlcG9ydCBDVkUtMjAxMy02MjA3IHRvIHNlY3VyaXR5LWFsZXJ0QGhwLmNvbS4N
Cg0KUkVTT0xVVElPTg0KDQpIUEUgaGFzIHByb3ZpZGVkIFNpdGVTY29wZSB0aGUgcmVzb2x1dGlv
biBpbiB2MTEuMjIgU2VydmljZSBQYWNrIGFuZCBpbiBDdW11bGF0aXZlIEZpeGVzIHBhdGNoZXMg
b24gdG9wIG9mMTEuMTMsIGFuZCB2MTAuMTQgdG8gcmVzb2x2ZSB0aGlzIGlzc3VlLg0KRG93bmxv
YWQgdGhlIHVwZGF0ZSBmcm9tIEhQRSBTb2Z0d2FyZSBTdXBwb3J0IE9ubGluZSAoU1NPKSBhdA0K
W2h0dHBzOi8vc29mdHdhcmVzdXBwb3J0LmhwZS5jb20vXShodHRwczovL3NvZnR3YXJlc3VwcG9y
dC5ocGUuY29tLykgIGFuZCBwZXJmb3JtIHRoZSBjb25maWd1cmF0aW9uIHN0ZXAgaW4gdGhlIG5v
dGUgYmVsb3cuDQoNCiogKipTaXRlU2NvcGUgdjEwLjE0KiogICAgDQogICAgKiAqKldpbmRvd3Mq
KiAtIFVwZGF0ZSBTSVNfMDAyNzgsIFNpdGVTY29wZSAxMC4xNCBDdW11bGF0aXZlIEZpeGVzDQpT
UzEwMTQxMzEyMTEgDQogICAgDQogICAgKiAqKkxpbnV4KiogLSBVcGRhdGUgU0lTXzAwMjc5LCBT
aXRlU2NvcGUgMTAuMTQgQ3VtdWxhdGl2ZSBGaXhlcw0KU1MxMDE0MTMxMjExICANCiAgICANCiAg
ICAqICoqU29sYXJpcyoqIC0gVXBkYXRlIFNJU18wMDI4MCwgU2l0ZVNjb3BlIDEwLjE0IEN1bXVs
YXRpdmUgRml4ZXMNClNTMTAxNDEzMTIxMQ0KICAgICAgDQoqICoqU2l0ZVNjb3BlIHYxMS4xMyoq
ICAgIA0KICAgICogKipXaW4gMzIqKiAtIFVwZGF0ZSBTSVNfMDAyODEsIFNpUyAxMS4xMyAzMi1i
aXQgQ3VtdWxhdGl2ZSBGaXhlcw0KU1MxMTEzMTMxMjENCiAgICANCiAgICAqICoqTGludXggMzIq
KiAgLSBVcGRhdGUgU0lTXzAwMjgyLCBTaVMgMTEuMTMgMzItYml0IEN1bXVsYXRpdmUgRml4ZXMN
ClNTMTExMzEzMTIxMSANCiAgICANCiAgICAqICoqU29sYXJpcyAzMioqIC0gVXBkYXRlIFNJU18w
MDI4MywgU2lTIDExLjEzIDMyLWJpdCBDdW11bGF0aXZlIEZpeGVzDQpTUzExMTMxMzEyMTENCiAg
ICANCiAgICAqICoqV2luIDY0KiogLSBVcGRhdGUgU0lTXzAwMjg0LCBTaVMgMTEuMTMgNjQtYml0
IEN1bXVsYXRpdmUgRml4ZXMNClNTMTExMzEzMTIxMQ0KICAgIA0KICAgICogKipMaW51eCA2NCoq
ICAtIFVwZGF0ZSBTSVNfMDAyODUsIFNpUyAxMS4xMyA2NC1iaXQgQ3VtdWxhdGl2ZSBGaXhlcw0K
U1MxMTEzMTMxMjExDQogICAgDQogICAgKiAqKlNvbGFyaXMgNjQqKiAtIFVwZGF0ZSBTSVNfMDAy
ODYsIFNpUyAxMS4xMyA2NC1iaXQgQ3VtdWxhdGl2ZSBGaXhlcw0KU1MxMTEzMTMxMjExICANCg0K
DQoqKk5vdGU6KiogVG8gcHJldmVudCB0aGUgdnVsbmVyYWJpbGl0eSBhZnRlciBhcHBseWluZyB0
aGUgdXBkYXRlIGFuIGFkbWluaXN0cmF0b3IgbXVzdCBkaXNhYmxlIHRoZSB2dWxuZXJhYmxlIFNP
QVAgQVBJIGJ5IGFkZGluZyB0aGUgIl9kaXNhYmxlT2xkQVBJcz10cnVlIiBwcm9wZXJ0eSB0byB0
aGUgbWFzdGVyLmNvbmZpZyBmaWxlLiBGb3IgYXBwbGljYXRpb24gY29tcGF0aWJpbGl0eSBwdXJw
b3NlcywgdGhlIGRlZmF1bHQgcHJvcGVydHkgaXMgc2V0IHRvICJmYWxzZSIgdG8gc3VwcG9ydCBp
bnRlZ3JhdGlvbnMgd2l0aCBvbGQgdmVyc2lvbnMgb2YgQlNNL0JBQy4NCg0KSElTVE9SWQ0KDQpW
ZXJzaW9uOjEgKHJldi4xKSAtIDMwIE9jdG9iZXIgMjAxMyBJbml0aWFsIHJlbGVhc2UNCg0KVmVy
c2lvbjoyIChyZXYuMikgLSA0IE1hcmNoIDIwMTQgYWRkZWQgdjEwLjE0LCB2MTEuMTMgdXBkYXRl
cywgYWRkZWQNCkNWRS0yMDEzLTYyMDcvWkRJLUNBTi0yMDg0IGFzIGJlaW5nIGFkZHJlc3NlZCBi
eSB0aGVzZSBwcm9kdWN0IHVwZGF0ZXMgYW5kIGNvbmZpZ3VyYXRpb24gY2hhbmdlcy4gQWRkZWQg
dG8gdGl0bGUsIGFkZGVkIHZ1bG5lcmFiaWxpdHkgZGVzY3JpcHRpb25zIGFuZCBjbGFyaWZpZWQg
SFAgU29mdHdhcmUgU3VwcG9ydCBPbmxpbmUgZGVzY3JpcHRpb24NCg0KVmVyc2lvbjozIChyZXYu
MykgLSAyOCBKdW5lIDIwMTcgVmVyc2lvbiAzICAxNSBKdW5lIDIwMTc6IFVwZGF0ZWQgdGhlIFNT
TyBwb3J0YWwgbGluayBhbmQgdGhlIHByb3BlcnR5IGZpbGUgbG9jYXRpb24gd2hlcmUgdGhlIHNw
ZWNpZmllZCBmbGFnIHNob3VsZCBiZSBhZGRlZCB0byBjb21wbGV0ZSB0aGUgbWl0aWdhdGlvbiBh
Y3Rpb24uDQoNCg0KVGhpcmQgUGFydHkgU2VjdXJpdHkgUGF0Y2hlczogVGhpcmQgcGFydHkgc2Vj
dXJpdHkgcGF0Y2hlcyB0aGF0IGFyZSB0byBiZSBpbnN0YWxsZWQgb24gc3lzdGVtcyBydW5uaW5n
IEhld2xldHQgUGFja2FyZCBFbnRlcnByaXNlIChIUEUpIHNvZnR3YXJlIHByb2R1Y3RzIHNob3Vs
ZCBiZSBhcHBsaWVkIGluIGFjY29yZGFuY2Ugd2l0aCB0aGUgY3VzdG9tZXIncyBwYXRjaCBtYW5h
Z2VtZW50IHBvbGljeS4NCg0KU3VwcG9ydDogRm9yIGlzc3VlcyBhYm91dCBpbXBsZW1lbnRpbmcg
dGhlIHJlY29tbWVuZGF0aW9ucyBvZiB0aGlzIFNlY3VyaXR5IEJ1bGxldGluLCBjb250YWN0IG5v
cm1hbCBIUEUgU2VydmljZXMgc3VwcG9ydCBjaGFubmVsLiBGb3Igb3RoZXIgaXNzdWVzIGFib3V0
IHRoZSBjb250ZW50IG9mIHRoaXMgU2VjdXJpdHkgQnVsbGV0aW4sIHNlbmQgZS1tYWlsIHRvIHNl
Y3VyaXR5LWFsZXJ0QGhwZS5jb20uDQoNClJlcG9ydDogVG8gcmVwb3J0IGEgcG90ZW50aWFsIHNl
Y3VyaXR5IHZ1bG5lcmFiaWxpdHkgZm9yIGFueSBIUEUgc3VwcG9ydGVkDQpwcm9kdWN0Og0KICBX
ZWIgZm9ybTogaHR0cHM6Ly93d3cuaHBlLmNvbS9pbmZvL3JlcG9ydC1zZWN1cml0eS12dWxuZXJh
YmlsaXR5DQogIEVtYWlsOiBzZWN1cml0eS1hbGVydEBocGUuY29tDQoNClN1YnNjcmliZTogVG8g
aW5pdGlhdGUgYSBzdWJzY3JpcHRpb24gdG8gcmVjZWl2ZSBmdXR1cmUgSFBFIFNlY3VyaXR5IEJ1
bGxldGluIGFsZXJ0cyB2aWEgRW1haWw6IGh0dHA6Ly93d3cuaHBlLmNvbS9zdXBwb3J0L1N1YnNj
cmliZXJfQ2hvaWNlDQoNClNlY3VyaXR5IEJ1bGxldGluIEFyY2hpdmU6IEEgbGlzdCBvZiByZWNl
bnRseSByZWxlYXNlZCBTZWN1cml0eSBCdWxsZXRpbnMgaXMgYXZhaWxhYmxlIGhlcmU6IGh0dHA6
Ly93d3cuaHBlLmNvbS9zdXBwb3J0L1NlY3VyaXR5X0J1bGxldGluX0FyY2hpdmUNCg0KU29mdHdh
cmUgUHJvZHVjdCBDYXRlZ29yeTogVGhlIFNvZnR3YXJlIFByb2R1Y3QgQ2F0ZWdvcnkgaXMgcmVw
cmVzZW50ZWQgaW4gdGhlIHRpdGxlIGJ5IHRoZSB0d28gY2hhcmFjdGVycyBmb2xsb3dpbmcgSFBT
Qi4NCg0KM0MgPSAzQ09NDQozUCA9IDNyZCBQYXJ0eSBTb2Z0d2FyZQ0KR04gPSBIUEUgR2VuZXJh
bCBTb2Z0d2FyZQ0KSEYgPSBIUEUgSGFyZHdhcmUgYW5kIEZpcm13YXJlDQpNVSA9IE11bHRpLVBs
YXRmb3JtIFNvZnR3YXJlDQpOUyA9IE5vblN0b3AgU2VydmVycw0KT1YgPSBPcGVuVk1TDQpQViA9
IFByb0N1cnZlDQpTVCA9IFN0b3JhZ2UgU29mdHdhcmUNClVYID0gSFAtVVgNCg0KQ29weXJpZ2h0
IDIwMTYgSGV3bGV0dCBQYWNrYXJkIEVudGVycHJpc2UNCg0KSGV3bGV0dCBQYWNrYXJkIEVudGVy
cHJpc2Ugc2hhbGwgbm90IGJlIGxpYWJsZSBmb3IgdGVjaG5pY2FsIG9yIGVkaXRvcmlhbCBlcnJv
cnMgb3Igb21pc3Npb25zIGNvbnRhaW5lZCBoZXJlaW4uIFRoZSBpbmZvcm1hdGlvbiBwcm92aWRl
ZCBpcyBwcm92aWRlZCAiYXMgaXMiIHdpdGhvdXQgd2FycmFudHkgb2YgYW55IGtpbmQuIFRvIHRo
ZSBleHRlbnQgcGVybWl0dGVkIGJ5IGxhdywgbmVpdGhlciBIUCBvciBpdHMgYWZmaWxpYXRlcywg
c3ViY29udHJhY3RvcnMgb3Igc3VwcGxpZXJzIHdpbGwgYmUgbGlhYmxlIGZvciBpbmNpZGVudGFs
LHNwZWNpYWwgb3IgY29uc2VxdWVudGlhbCBkYW1hZ2VzIGluY2x1ZGluZyBkb3dudGltZSBjb3N0
OyBsb3N0IHByb2ZpdHM7IGRhbWFnZXMgcmVsYXRpbmcgdG8gdGhlIHByb2N1cmVtZW50IG9mIHN1
YnN0aXR1dGUgcHJvZHVjdHMgb3Igc2VydmljZXM7IG9yIGRhbWFnZXMgZm9yIGxvc3Mgb2YgZGF0
YSwgb3Igc29mdHdhcmUgcmVzdG9yYXRpb24uIFRoZSBpbmZvcm1hdGlvbiBpbiB0aGlzIGRvY3Vt
ZW50IGlzIHN1YmplY3QgdG8gY2hhbmdlIHdpdGhvdXQgbm90aWNlLiBIZXdsZXR0IFBhY2thcmQg
RW50ZXJwcmlzZSBhbmQgdGhlIG5hbWVzIG9mIEhld2xldHQgUGFja2FyZCBFbnRlcnByaXNlIHBy
b2R1Y3RzIHJlZmVyZW5jZWQgaGVyZWluIGFyZSB0cmFkZW1hcmtzIG9mIEhld2xldHQgUGFja2Fy
ZCBFbnRlcnByaXNlIGluIHRoZSBVbml0ZWQgU3RhdGVzIGFuZCBvdGhlciBjb3VudHJpZXMuIE90
aGVyIHByb2R1Y3QgYW5kIGNvbXBhbnkgbmFtZXMgbWVudGlvbmVkIGhlcmVpbiBtYXkgYmUgdHJh
ZGVtYXJrcyBvZiB0aGVpciByZXNwZWN0aXZlIG93bmVycy4NCi0tLS0tQkVHSU4gUEdQIFNJR05B
VFVSRS0tLS0tDQpWZXJzaW9uOiBHbnVQRyB2MQ0KDQppUUVjQkFFQkNBQUdCUUpaVkNscEFBb0pF
TFhoQXh0N1NaYWlKUW9JQUpnR2J3R2Z6eFBUNGlqVWdlZnlpaU10DQpoTy9MeWk4L21zTzRJMXA1
ZVFkeWRBZnZpWWl4WTZDakowY3h1djJmRVZnRFJSUWxYb2QrWnFOSG80K2VqWmFqDQp0MjZFempJ
eE5LVklXc1kyejQvR2dZQ0M1bEpkQjZqVFBUUmx6VUwySm1LQnpVY3MyTm1SYmpIVkpOSWQ2ZXZk
DQppMmp5emR6cEdmb1I5VTBKak1uK0I2WGd6MVBGNzQwT1lYZkF0UVBwbGV6UWorUjA4NmVYVGpp
L3RXNmdPUWNRDQpHVEh1RUNvY1gwSnU3NFlNRlkxWTZjU3lPbDJtT2Z1N2FGTkFEbjM0a0pUa2NC
U291cjJzM2F4RHprOTcxbXRzDQpFazkwL21WTjRnVGxqTlZqNEV4N1RGTkhGY0tlRDFnTEM5M2xY
bDNsTUlYM0U3dXA0b2NwcUlJbnFUUlg3em89DQo9ZFZOWQ0KLS0tLS1FTkQgUEdQIFNJR05BVFVS
RS0tLS0tDQo=