[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201507310314.t6V3EHwp009512@sf01web3.securityfocus.com>
Date: Fri, 31 Jul 2015 03:14:17 GMT
From: roberto@...sat.com
To: bugtraq@...urityfocus.com
Subject: HP ArcSight Logger provides incorrect/invalid/incomplete results
for queries with boolean operators
HP ArcSight Logger is a log management software used to collect and analyze logs from multiple sources to aid in investigations and audit.
There are several flaws in the search capabilities in the software that cause it to provide invalid search results for any query that uses boolean expressions. This means that ANY query to search thru data in the logs ArcSight collected is potentially incorrect if the query contains more than one search term.
The impact of these bugs are huge. Any court case where forensics evidence was provided via HP ArcSight Logger is compromised as the resulting data is potentially incorrect and not forensically valid. Intrusions and attacks can go undetected as log data relative to the attack can be missing from searches performed by ArcSight Logger.
The above are just some examples. The main problem is that the user/investigator is unaware that the results are incorrect as usually such searches result in millions of returned records that need to be filtered by applying conditions to remove non-relevant data. The bugs present in ArcSight result in incorrect filtering thus preventing the display of relevant records that should have been returned but have not. This will prevent such data fro ever being seen by an investigator/administrator thus missing the attack/intrusion, or even missing exculpatory evidence in case someone is unjustly accused.
HP has confirmed several of the bugs affecting their product, and identified them as bugs with the following identifiers:
LOG-14814 - deals with ArcSight Logger providing incorrect results when using the boolean operators "AND" "OR" "NOT" to find records
LOG-14897 - deals with ArcSight Logger incorrectly allowing users to use the GUI to drill down record results by clicking on some result fields, when in fact those fields are not searchable. This results in incorrect results since the user is not informed that the boolean expression will not yield the data being looked for.
LOG-14896 - deals with the GUI not distinguishing between CEF vs non-searachable columns, again as in LOG-14897 resulting in incorrect results.
LOG-14895 - In full text searches some fields should not be available to click on and add to the search terms
The bugs affect ArcSight Logger v5 and v6. It is unknown if previous versions or if other ArcSight products are affected.
Powered by blists - more mailing lists