   Micro Focus Enterprise Software Vulnerability Alerts

 

Micro Focus incorporates IT industry best practices during the product development lifecycle to ensure a strong focus on security. Micro Focus engineering and manufacturing practices are designed to meet product security requirements, protect Micro Focus intellectual property, and support Micro Focus product warranty requirements.

When a new industry-wide security vulnerability is released, Micro Focus investigates its product line to determine the impact. For impacted products, Security Bulletins will be published. These bulletins will contain impacted product versions and the resolution (patch, upgrade, or configuration change).

You may subscribe to receive real-time notifications on future Micro Focus Security Bulletins and advisories for your products - Subscribe to alerts for your products.

Recent Documents

1. KM03556426 - Operations Agent XXE attack vulnerability - CVE-2019-17085

A potential vulnerability has been identified in Operations Agent version 12.0 and higher. The vulnerability could be exploited to do an XXE attack on Operations Agent.
Products: Operations Agent 12.00, 12.01, 12.02, 12.03, 12.04, 12.05, 12.06, 12.10, 12.11
Created: Mon Nov 18 00:00:00 GMT 2019
Modified: Mon Nov 18 00:00:00 GMT 2019
2. KM03544106 - AccuRev for LDAP Integration, version 2017.1, access may be granted without a password - CVE-2019-17082

Vulnerability summary: A vulnerability has been identified in the AccuRev for LDAP Integration, version 2017.1. If the AccuRev server and the AccuRev for LDAP Integration version 2017.1 are installed on a Linux or Solaris system, anyone who knows a valid AccuRev username can use the AccuRev client to log in and gain access to AccuRev source control without knowing the user's password.
Products: AccuRev
Created: Thu Oct 31 00:00:00 GMT 2019
Modified: Thu Oct 31 00:00:00 GMT 2019
3. KM03518316 - Service Manager vulnerabilities - CVE-2019-11661, CVE-2019-11662, CVE-2019-11663, CVE-2019-11664, CVE-2019-11665, CVE-2019-11666, CVE-2018-0732, CVE-2018-0737.

Potential vulnerabilities have been identified in Service Manager:
* Can be exploited to allow unauthorized access and modification of data.
* Can be exploited in some special cases to allow information exposure through an error message.
* Can be exploited to allow sensitive data exposure.
* The vulnerability could be exploited to allow a denial of service and sensitive data exposure.
* The vulnerability could be exploited to allow insecure deserialization of untrusted data.
Products: Service Manager 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62
Created: Mon Sep 09 00:00:00 GMT 2019
Modified: Fri Oct 18 00:00:00 GMT 2019
4. KM03532232 - Micro Focus Enterprise Developer and Enterprise Server Reflected XSS vulnerability - CVE-2019-11651

A potential vulnerability has been identified in Micro Focus Enterprise Server (including the Enterprise Server component of Enterprise Developer). The reflected XSS vulnerability could be exploited to redirect a user to a malicious page or forge certain types of web requests. The vulnerability is in a testing feature which is not enabled by default, and the affected feature does not itself have a web session to be hijacked or other vulnerable aspects.
Products: Enterprise Developer/Enterprise Server
Created: Wed Oct 02 00:00:00 GMT 2019
Modified: Wed Oct 02 00:00:00 GMT 2019
5. KM03525630 - Data Protector Local privilege escalation via omniresolve - CVE-2019-11660.

A potential vulnerability has been identified in Micro Focus Data Protector. The vulnerability could be exploited by a low-privileged user to execute a custom binary with higher privileges.
Products: Data Protector 10.00, 10.01, 10.02, 10.03, 10.04, 10.10, 10.20, 10.30, 10.40
Created: Fri Sep 13 00:00:00 GMT 2019
Modified: Fri Sep 13 00:00:00 GMT 2019
6. KM03518793 - Service Manager verification of Windows .EXE product files - CVE-2019-11670.

Vulnerability summary: A potential vulnerability has been identified in Service Manager. The vulnerability could be exploited to prevent the verification of Windows .exe product files provided by Micro Focus.
Products: Service Manager 9.62
Created: Tue Sep 10 00:00:00 GMT 2019
Modified: Tue Sep 10 00:00:00 GMT 2019
7. KM03517334 - Service Manager Modifiable read only check box in FF - CVE-2019-11669.

A potential vulnerability has been identified in Service Manager. The vulnerability could be exploited to allow unauthorized modification of data.
Products: Service Manager 9.60, 9.61, 9.62
Created: Fri Sep 06 00:00:00 GMT 2019
Modified: Fri Sep 06 00:00:00 GMT 2019
8. KM03517335 - Service Manager HTTP cookie vulnerability - CVE-2019-11668.

A potential vulnerability has been identified in Service Manager. The vulnerability could be exploited to allow access to sensitive data on the client side.
Products: Service Manager 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62
Created: Fri Sep 06 00:00:00 GMT 2019
Modified: Fri Sep 06 00:00:00 GMT 2019
9. KM03517346 - Service Manager unauthorized access to contact information - CVE-2019-11667.

A potential vulnerability has been identified in Service Manager. The vulnerability could be exploited to allow unauthorized access to private data.
Products: Service Manager 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62
Created: Fri Sep 06 00:00:00 GMT 2019
Modified: Fri Sep 06 00:00:00 GMT 2019
10. KM03515374 - Service Management Automation SMA - kubectl creates world-writeable schemas - CVE-2019-11244.

A vulnerability in a Kubernetes component used by Micro Focus CDF platform was addressed by Micro Focus Service Management Automation (SMA). The vulnerability, which originates from the Kubernetes component, could be exploited to allow unauthorized modification of data and denial of service. However, after analysis, Micro Focus R&D teams have determined that the shipping out-of-the-box configuration of the Kubernetes component that supports SMA is actually not vulnerable; that is, the kubectl command is not run in such a way as to cause the vulnerability out of the box. However, because customers may run custom commands with the affected kubectl after the product is installed and deployed, Micro Focus has issued this security bulletin for customers to take action.
Products: Service Management Automation; SM Automation Containerized 2018.02, 2018.05, 2018.08, 2018.11, 2019.02, 2019.05, 2019.08
Created: Thu Sep 05 00:00:00 GMT 2019
Modified: Thu Sep 05 00:00:00 GMT 2019
11. KM03496282 - Information exposure vulnerability in Content Manager CVE-2019-11658.

An information exposure vulnerability in Content Manager 9.1 prior to 9.1 patch 6 hotfix 6, 9.2 prior to 9.2 patch 3 hotfix 2 and 9.3 prior to 9.3 patch 2 hotfix 3, when configured to use an Oracle database, allows valid system users to gain access to a limited subset of records they would not normally be able to access when the system is in an undisclosed abnormal state.
Products: Content Manager 9.10, 9.20, 9.30
Created: Fri Aug 23 00:00:00 GMT 2019
Modified: Fri Aug 23 00:00:00 GMT 2019
12. KM03459854 - Micro Focus Service Manager, CVE-2017-7525, CVE-2017-15095, CVE-2018-7489

A potential security vulnerability has been identified with Service Manager. The vulnerability could be exploited to allow unauthenticated remote code execution against the Service Manager web tier.
Products: Service Manager 9.50, 9.51, 9.52, 9.60
Created: Thu Jun 13 00:00:00 GMT 2019
Modified: Tue Aug 13 00:00:00 GMT 2019
13. KM03489552 Micro Focus Content Manager, CVE-2019-11653.

An access control bypass vulnerability has been identified in the web client component of Content Manager, affecting version 9.1 prior to 9.1.6.6, 9.2 prior to 9.2.3.2 and 9.3 prior to 9.3.2.3. The vulnerability could be exploited to manipulate data stored during another user's checkin request.
Existing mitigation information: Successfully exploiting the vulnerability requires the attacker to have access to generally protected or inaccessible information, including having an active user account themselves, knowledge of internal identifiers of targeted user(s), and the name of files other users are actively operating against. In addition, the attacker has a limited time window to exploit the vulnerability during concurrent user activity, which can be further minimized by the system administrator via configuration
Products: Content Manager 9.10, 9.20, 9.30
Created: Tue Aug 06 00:00:00 GMT 2019
Modified: Tue Aug 13 00:00:00 GMT 2019
14. KM03461174 Micro Focus Fortify Software Security Center Server, CVE-2019-11649

A potential cross-site scripting vulnerability has been identified in Micro Focus Fortify Software Security Center Server. The vulnerability could be exploited to execute JavaScript code in the user's browser.
Products: Fortify Software Security Center Server 17.20, 18.10, 18.20
Created: Mon Jun 17 00:00:00 GMT 2019
Modified: Thu Jun 20 00:00:00 GMT 2019
15. KM03459924 - Micro Focus Service Manager, CVE-2016-5000

A potential security vulnerability has been identified with Service Manager. The vulnerability could be exploited to allow remote attackers to read arbitrary files via a crafted OpenXML document containing an external entity declaration in conjunction with an entity reference against the Service Manager server and web tier.
Products: Service Manager 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61
Created: Thu Jun 13 00:00:00 GMT 2019
Modified: Thu Jun 13 00:00:00 GMT 2019
16. KM03452977 - Micro Focus Service Manager, CVE-2019-11646

A potential security vulnerability has been identified with Service Manager. This vulnerability may result in unauthorized command execution and unauthorized disclosure of information.
Products: Service Manager 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61
Created: Mon Jun 03 00:00:00 GMT 2019
Modified: Mon Jun 03 00:00:00 GMT 2019
17. MFSBGN03846 rev.1 - Micro Focus Service Management Automation (SMA), CVE-2019-5736 KM03410944

A vulnerability in docker-runc was addressed by Micro Focus Service Management Automation (SMA). The vulnerability could be exploited to allow local unauthorized disclosure of information, local unauthorized modification and local disruption of service.
Products: SM Automation Containerized 2018.02, 2018.05, 2018.08, 2018.11
Created: Sun May 05 00:00:00 GMT 2019
Modified: Sun May 05 00:00:00 GMT 2019
18. HPESBGN03740 rev.1 - HPE Network Automation, Multiple Remote Vulnerabilities KM02994342

Potential security vulnerabilities have been identified in HPE Network Automation. The vulnerabilities could be remotely exploited to allow SQL injection, code execution, information disclosure, authentication bypass, elevated privilege execution, and invalid session management.
Products: Network Automation
Created: Fri Oct 20 00:00:00 GMT 2017
Modified: Fri May 03 00:00:00 GMT 2019
19. MFSBGN03845 rev.1 - Micro Focus Network Automation and Micro Focus Network Operations Management (NOM), Remote Code Execution KM03407763

A potential security vulnerability has been identified in Micro Focus Network Automation and Micro Focus Network Operations Management (NOM). The vulnerability could be remotely exploited to allow remote code execution.
Products: Network Automation 10.00, 10.10, 10.20, 10.30, 10.40, 10.50, 2018.05, 2018.08, 2018.11, 9.20, 9.21; Network Operations Management (all)
Created: Sun Apr 28 00:00:00 GMT 2019
Modified: Sun Apr 28 00:00:00 GMT 2019
20. MFSBGN03843 rev.1 - Micro Focus Content Manager, Remote upload content to arbitrary locations KM03359911

An unauthenticated file upload vulnerability has been identified in the web client component of Content Manager when configured to use the ADFS authentication method. The vulnerability could be exploited by an unauthenticated remote attacker to upload content to arbitrary locations on the Content Manager server.
Products: Content Manager 9.10, 9.20, 9.30
Created: Sun Mar 17 00:00:00 GMT 2019
Modified: Thu Mar 28 00:00:00 GMT 2019