HP ArcSight Logger provides incorrect/invalid/incomplete results for queries with boolean operators
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: HP ArcSight Logger provides incorrect/invalid/incomplete results for queries with boolean operators
- From: roberto@xxxxxxxxxx
- Date: Fri, 31 Jul 2015 03:14:17 GMT
HP ArcSight Logger is log management software used to collect and analyze
logs from multiple sources to aid in investigations and audits.
There are several flaws in the software's search capabilities that cause it to
return invalid results for any query that uses boolean expressions. This means
that ANY query used to search through the log data ArcSight has collected is
potentially incorrect if the query contains more than one search term.
The impact of these bugs is huge. Any court case where forensic evidence was
provided via HP ArcSight Logger is compromised, as the resulting data is
potentially incorrect and not forensically valid. Intrusions and attacks can go
undetected, as log data relating to the attack can be missing from searches
performed by ArcSight Logger.
The above are just some examples. The main problem is that the
user/investigator is unaware that the results are incorrect: such searches
usually return millions of records that then need to be narrowed down by
applying conditions to remove non-relevant data. The bugs present in ArcSight
result in incorrect filtering, so relevant records that should have been
returned are not displayed. Such data is therefore never seen by the
investigator/administrator, causing the attack/intrusion to be missed, or even
exculpatory evidence to be missed where someone is unjustly accused.
HP has confirmed several of the bugs affecting their product, and identified
them as bugs with the following identifiers:
LOG-14814 - deals with ArcSight Logger providing incorrect results when using
the boolean operators "AND", "OR" and "NOT" to find records.
LOG-14897 - deals with ArcSight Logger incorrectly allowing users to use the
GUI to drill down record results by clicking on some result fields, when in
fact those fields are not searchable. This results in incorrect results since
the user is not informed that the boolean expression will not yield the data
being looked for.
LOG-14896 - deals with the GUI not distinguishing between CEF and
non-searchable columns, again (as in LOG-14897) resulting in incorrect results.
LOG-14895 - in full text searches, some fields should not be available to click
on and add to the search terms.
The bugs affect ArcSight Logger v5 and v6. It is unknown whether previous
versions or other ArcSight products are affected.
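The boolean-operator bug (LOG-14814) is hard to notice precisely because the investigator has no independent reference for what a large query should return. One practical check is to cross-check a tool's AND/OR/NOT results against the set identities they must satisfy, which the following added example (not part of the advisory, and not ArcSight code) does over a constructed set of log records. The `search` callable, the record set, and the `faulty_search` stand-in are all assumptions for illustration; only the identities are tool-independent.

```python
import re

# Constructed sample log records (hypothetical, not real ArcSight data).
RECORDS = {
    1: "sshd: Accepted password for alice from 10.0.0.5",
    2: "sshd: Failed password for root from 203.0.113.9",
    3: "sudo: alice : COMMAND=/bin/bash",
    4: "sshd: Failed password for alice from 203.0.113.9",
    5: "kernel: eth0 link up",
}

def term_hits(term):
    """Record ids whose text contains the term (case-insensitive substring)."""
    return {rid for rid, txt in RECORDS.items() if term.lower() in txt.lower()}

def correct_search(query):
    """Reference evaluator for 'A', 'A AND B', 'A OR B' and 'NOT A'."""
    m = re.fullmatch(r"NOT (\S+)", query)
    if m:
        return set(RECORDS) - term_hits(m.group(1))
    m = re.fullmatch(r"(\S+) (AND|OR) (\S+)", query)
    if m:
        x, op, y = m.groups()
        return term_hits(x) & term_hits(y) if op == "AND" else term_hits(x) | term_hits(y)
    return term_hits(query)

def faulty_search(query):
    """Assumed stand-in for a backend whose AND silently drops a matching
    record; it models the symptom described above, not ArcSight's real logic."""
    hits = correct_search(query)
    if " AND " in query and hits:
        hits = hits - {max(hits)}
    return hits

def consistency_violations(search, a, b):
    """Cross-check any search callable (query string -> set of record ids)
    against the identities its boolean operators must satisfy for terms a, b.
    Returns the list of violated identities; an empty list means consistent."""
    ra, rb = search(a), search(b)
    r_and, r_or, r_not = search(f"{a} AND {b}"), search(f"{a} OR {b}"), search(f"NOT {a}")
    violations = []
    if r_and != ra & rb:
        violations.append("AND result is not the intersection of the single-term results")
    if r_or != ra | rb:
        violations.append("OR result is not the union of the single-term results")
    if r_not != set(RECORDS) - ra:
        violations.append("NOT result is not the complement of the single-term result")
    # Count-only check: usable even when the tool returns only hit counts.
    if len(r_or) != len(ra) + len(rb) - len(r_and):
        violations.append("inclusion-exclusion count mismatch between AND and OR")
    return violations
```

Against a real tool, `search` would wrap its query API and return the record identifiers it reports; the count-only identity is the cheapest to run on queries too large to export.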