CVE-2023-24470
📋 TL;DR
CVE-2023-24470 is an XML External Entity (XXE) injection vulnerability in ArcSight Logger versions before 7.3.0. This allows attackers to read arbitrary files from the server filesystem, potentially leading to sensitive data exposure. Organizations using ArcSight Logger versions below 7.3.0 are affected.
💻 Affected Systems
- Micro Focus ArcSight Logger
📦 What is this software?
ArcSight Logger by Micro Focus
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through file disclosure, credential theft, and potential lateral movement within the network.
Likely Case
Unauthorized access to sensitive files including configuration files, logs, and potentially credentials stored on the server.
If Mitigated
Limited impact with proper network segmentation and file system permissions restricting access to critical files.
🎯 Exploit Status
XXE vulnerabilities typically have low exploitation complexity. No public exploit code has been identified, but the vulnerability type is well-understood.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.3.0
Vendor Advisory: https://portal.microfocus.com/s/article/KM000018224?language=en_US
Restart Required: Yes
Instructions:
1. Download ArcSight Logger 7.3.0 from the Micro Focus support portal.
2. Back up the current configuration and data.
3. Install the 7.3.0 update following vendor documentation.
4. Restart the Logger service.
🔧 Temporary Workarounds
XML Parser Hardening
Configure XML parsers to disable external entity processing and DTD resolution
Specific configuration depends on XML parser implementation. Consult ArcSight documentation for XML parser settings.
Network Segmentation
Restrict network access to ArcSight Logger instances
Configure firewall rules to limit access to trusted IP addresses only
🧯 If You Can't Patch
- Implement strict network access controls to limit exposure
- Monitor for unusual file access patterns and XML parsing errors in logs
🔍 How to Verify
Check if Vulnerable:
Check the ArcSight Logger version via the web interface or configuration files. Versions below 7.3.0 are vulnerable.
Check Version:
Check the web interface or consult the ArcSight Logger documentation for version checking methods
Verify Fix Applied:
Verify version is 7.3.0 or higher. Test XML parsing functionality to ensure external entities are disabled.
📡 Detection & Monitoring
Log Indicators:
- Unusual XML parsing errors
- Unexpected file access attempts in system logs
- Large XML payloads in web server logs
Network Indicators:
- HTTP requests containing XML with external entity references
- Outbound connections to unexpected external systems
SIEM Query:
Search for web requests containing 'DOCTYPE', 'ENTITY', or 'SYSTEM' keywords to ArcSight Logger endpoints
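As an added example (not part of this advisory and not ArcSight Logger's own tooling), the SIEM heuristic above implemented in Python over constructed request records: it separates benign DOCTYPE declarations from SYSTEM/PUBLIC external-entity declarations (the XXE signature) and flags oversized XML bodies. The endpoint paths, the sample bodies and the size threshold are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample web-server request records (not real ArcSight Logger traffic).
# "path" values are placeholders; real Logger endpoints must come from the deployment.
SAMPLE_REQUESTS: List[Dict[str, str]] = [
    {"id": "r1", "path": "/placeholder/xml-endpoint",
     "body": '<?xml version="1.0"?><search><query>src=10.0.0.5</query></search>'},
    {"id": "r2", "path": "/placeholder/xml-endpoint",
     "body": '<?xml version="1.0"?><!DOCTYPE s [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>'
             '<search><query>&ext;</query></search>'},
    {"id": "r3", "path": "/placeholder/xml-endpoint",
     "body": '<?xml version="1.0"?><!DOCTYPE s [<!ENTITY note "internal only">]>'
             '<search><query>&note;</query></search>'},
    {"id": "r4", "path": "/placeholder/static", "body": ""},
]

# Assumed threshold for the "large XML payload" indicator; tune it per environment.
LARGE_BODY_BYTES = 64 * 1024

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# External entity declaration: <!ENTITY name SYSTEM "..."> or PUBLIC, including
# parameter entities (<!ENTITY % name SYSTEM "...">).
EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\s+(%\s*)?[\w.\-]+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)


def classify_body(body: str) -> str:
    """Classify one request body: 'clean', 'doctype' (DTD present, internal entities
    only) or 'external-entity' (a SYSTEM/PUBLIC entity declaration)."""
    if EXTERNAL_ENTITY_RE.search(body):
        return "external-entity"
    if DOCTYPE_RE.search(body):
        return "doctype"
    return "clean"


def scan_requests(requests: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per request whose body carries a DTD, an external entity
    declaration, or an unusually large XML payload; clean requests are skipped."""
    findings = []
    for req in requests:
        body = req.get("body", "")
        verdict = classify_body(body)
        large = len(body.encode()) >= LARGE_BODY_BYTES and "<" in body
        if verdict == "clean" and not large:
            continue
        findings.append({"id": req["id"], "path": req["path"],
                         "verdict": verdict, "large_payload": str(large)})
    return findings


if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(finding)
```

A plain keyword match on 'SYSTEM' alone will also fire on ordinary log content; the external-entity pattern keeps the alert tied to an actual entity declaration.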
🔗 References
- https://portal.microfocus.com/s/article/KM000018224?language=en_US
- https://www.microfocus.com/documentation/arcsight/logger-7.3/logger-7.3-release-notes/
- https://www.microfocus.com/support/downloads/%2C