Message-Id: <201507310314.t6V3EHwp009512@sf01web3.securityfocus.com>
Date: Fri, 31 Jul 2015 03:14:17 GMT
From: roberto@...sat.com
To: bugtraq@...urityfocus.com
Subject: HP ArcSight Logger provides incorrect/invalid/incomplete results for queries with boolean operators

HP ArcSight Logger is log management software used to collect and analyze logs from multiple sources to support investigations and audits.

There are several flaws in the software's search capabilities that cause it to return invalid results for any query that uses boolean expressions. This means that ANY query that searches through the log data ArcSight has collected is potentially incorrect if the query contains more than one search term.

The impact of these bugs is huge. Any court case where forensic evidence was provided via HP ArcSight Logger is compromised, as the resulting data is potentially incorrect and not forensically valid. Intrusions and attacks can go undetected, as log data relating to the attack can be missing from searches performed by ArcSight Logger.

The above are just some examples. The main problem is that the user/investigator is unaware that the results are incorrect, as such searches usually return millions of records that must then be filtered by applying conditions to remove non-relevant data. The bugs in ArcSight cause incorrect filtering, which suppresses relevant records that should have been returned. That data is never seen by the investigator/administrator, so the attack/intrusion is missed, or exculpatory evidence is missed in case someone is unjustly accused.

HP has confirmed several of the bugs affecting their product and tracks them under the following identifiers:

LOG-14814 - ArcSight Logger returns incorrect results when the boolean operators "AND", "OR" and "NOT" are used to find records.

LOG-14897 - ArcSight Logger incorrectly allows users to drill down into result records from the GUI by clicking on some result fields, when in fact those fields are not searchable. This produces incorrect results, since the user is not informed that the boolean expression will not yield the data being looked for.

LOG-14896 - the GUI does not distinguish between CEF and non-searchable columns, which, as in LOG-14897, leads to incorrect results.

LOG-14895 - in full-text searches, some fields should not be available to click on and add to the search terms.

The bugs affect ArcSight Logger v5 and v6. It is unknown whether earlier versions or other ArcSight products are affected.
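The failure mode described above (boolean operators silently returning the wrong record set) can be caught without knowing anything about a product's internals, because correct AND/OR/NOT must obey set algebra regardless of the data. The following added example, which is not part of the advisory and is not ArcSight code, runs a few such identity checks against any search backend that takes a query AST and returns matching record ids. The record set, the `reference_search` evaluator and the deliberately faulty `broken_search` double (which drops NOT) are all constructed here to show what a detected violation looks like; an investigator would substitute a wrapper around the real search API for the backend.

```python
# Added example: set-algebra consistency checks for a boolean log-search backend.
# Not from the advisory and not ArcSight code; RECORDS and both backends are
# constructed stand-ins.

# Constructed sample records keyed by id (not real log data)
RECORDS = {
    1: "failed login for admin from 10.0.0.5",
    2: "accepted login for alice from 10.0.0.7",
    3: "failed login for bob from 192.168.1.9",
    4: "sudo session opened for admin",
    5: "connection closed by 10.0.0.5",
}
ALL_IDS = frozenset(RECORDS)

# Query AST: a bare string is a term; tuples are
# ("and", q, q), ("or", q, q) and ("not", q).


def reference_search(query, records=RECORDS):
    """Evaluate a boolean query with ordinary set semantics; return matching ids."""
    if isinstance(query, str):
        return {rid for rid, text in records.items() if query.lower() in text.lower()}
    op = query[0]
    if op == "not":
        return set(records) - reference_search(query[1], records)
    left = reference_search(query[1], records)
    right = reference_search(query[2], records)
    if op == "and":
        return left & right
    if op == "or":
        return left | right
    raise ValueError(f"unknown operator {op!r}")


def broken_search(query, records=RECORDS):
    """Constructed faulty backend: silently treats NOT as a no-op."""
    if isinstance(query, tuple) and query[0] == "not":
        return broken_search(query[1], records)          # negation dropped
    if isinstance(query, tuple):
        left = broken_search(query[1], records)
        right = broken_search(query[2], records)
        return left & right if query[0] == "and" else left | right
    return reference_search(query, records)              # plain terms are fine


def check_identities(search, a, b, universe=ALL_IDS):
    """Return the names of the identities that `search` violates for terms a and b.

    Every identity must hold for any correct boolean search engine, independent
    of the underlying data, so a non-empty result means the backend is wrong.
    """
    set_a, set_b = search(a), search(b)
    expectations = {
        "AND is intersection": (search(("and", a, b)), set_a & set_b),
        "OR is union": (search(("or", a, b)), set_a | set_b),
        "NOT is complement": (search(("not", a)), set(universe) - set_a),
        "AND NOT is difference": (search(("and", a, ("not", b))), set_a - set_b),
        "OR count matches inclusion-exclusion": (
            len(search(("or", a, b))),
            len(set_a) + len(set_b) - len(set_a & set_b),
        ),
    }
    return [name for name, (got, want) in expectations.items() if got != want]


if __name__ == "__main__":
    for name, engine in (("reference", reference_search), ("broken", broken_search)):
        print(f"{name}: violations = {check_identities(engine, 'failed', 'admin')}")
```

Run against the real product, the checks should be repeated over several term pairs that are known to hit overlapping record sets, since a violation can depend on which columns the terms fall in (the CEF versus non-searchable distinction in LOG-14896). The inclusion-exclusion check works on counts alone, which is useful when the backend caps the number of returned rows but still reports a total hit count.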
