[guru] HP security updates
DATE: Tue, 03 Mar 2009 23:56:02 +0100
HP-UX product family:
---------------------
The IPv6 Neighbor Discovery Protocol (NDP) implementation is flawed; the
system can be DoSed with a suitably crafted packet.
Fixes for the apache/php/tomcat software have been released, addressing
various DoS, XSS, code execution and CSRF (cross-site request forgery)
bugs.
The system can be DoSed via the NFS server running on HP-UX.
HP OpenView product family:
---------------------------
Several stack buffer overflow bugs were found in the HP OpenView Network
Node Manager (OV NNM) software.
A remotely exploitable code execution bug, not documented in more detail,
was found in the HP OpenView Network Node Manager (OV NNM) product.
A shell metacharacter handling bug was found in the CGI applications of
HP OpenView Network Node Manager.
Information leakage bugs were found in the CGI applications of HP OpenView
Network Node Manager.
Two buffer overflow bugs were also found in the PAM authentication of the
HP-UX WBEM service.
Other:
------
An XSS bug was found in the HP-UX, Linux, Solaris and Windows versions of
the HP Select Access product.
BIND/iX running on MPE/iX systems is also affected by the Kaminsky bug,
well known since last year.
A directory traversal bug was found in the administration interface of
HP JetDirect network printers; it affects several monochrome and colour
LaserJet printers and similar devices.
A bug in the Windows version of the HP Virtual Rooms Client allows remote
code execution.
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01646081
Version: 1
HPSBMA02400 SSRT080144 rev.1 - HP OpenView Network Node Manager (OV NNM), Remote Execution of Arbitrary Code
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-01-20
Last Updated: 2009-01-20
Potential Security Impact: Remote execution of arbitrary code
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM). These vulnerabilities could be exploited remotely to allow execution of arbitrary code.
References: CVE-2008-0067
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP OpenView Network Node Manager (OV NNM) v7.01, v7.51, v7.53 running on HP-UX, Linux, Solaris, and Windows
BACKGROUND
CVSS 2.0 Base Metrics
===============================================
Reference Base Vector Base Score
CVE-2008-0067 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
===============================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
The Hewlett-Packard Company thanks JJ Reyes, Secunia Research for reporting this vulnerability to security-alert@hp.com.
RESOLUTION
HP has made patches available to resolve the vulnerabilities.
The patches are available from http://support.openview.hp.com/selfsolve/patches
Note: The patches are not available from the HP IT Resource Center (ITRC).
OV NNM v7.53
Operating_System - HP-UX (IA)
Resolved in Patch - PHSS_38489 or subsequent
Operating_System - HP-UX (PA)
Resolved in Patch - PHSS_38488 or subsequent
Operating_System - Linux RedHatAS2.1
Resolved in Patch - LXOV_00087 or subsequent
Operating_System - Linux RedHat4AS-x86_64
Resolved in Patch - LXOV_00088 or subsequent
Operating_System - Solaris
Resolved in Patch - PSOV_03515 or subsequent
Operating_System - Windows
Resolved in Patch - NNM_01193 or subsequent
OV NNM v7.51
Upgrade to NNM v7.53 and install the patches listed above.
Patch bundles for upgrading from NNM v7.51 to NNM v7.53 are available here: ftp://nnm_753:update@hprc.external.hp.com/
OV NNM v7.01
Operating_System - HP-UX (PA)
Resolved in Patch - PHSS_38761 or subsequent
Operating_System - Solaris
Resolved in Patch - PSOV_03516 or subsequent
Operating_System - Windows
Resolved in Patch - NNM_01194 or subsequent
MANUAL ACTIONS: Yes - NonUpdate
Install the patches listed in the Resolution
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS (for HP-UX)
For HP-UX OV NNM 7.51 and 7.53
HP-UX B.11.31
HP-UX B.11.23 (IA)
HP-UX B.11.23 (PA)
HP-UX B.11.11
=============
OVNNMgr.OVNNM-RUN,fr=B.07.50.00
action: install the patches listed in the Resolution
URL: http://support.openview.hp.com/selfsolve/patches
For HP-UX OV NNM 7.01
HP-UX B.11.11
=============
OVNNMgr.OVNNM-RUN,fr=B.07.01.00
action: install the patches listed in the Resolution
URL: http://support.openview.hp.com/selfsolve/patches
END AFFECTED VERSIONS (for HP-UX)
HISTORY
Version:1 (rev.1) - 20 January 2009 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
- check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
- verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.
To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do
* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."
©Copyright 2009 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQA/AwUBSXXb4eAfOvwtKn1ZEQIG3QCeNut0nSLFg1VipnZBq4n/gyZl4pAAoKQ+
Hft2wH0X3WL9UQLzdH68qh/h
=i+3+
-----END PGP SIGNATURE-----
--- End Message ---
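Every bulletin on this page prints a CVSS 2.0 base vector next to a base score. The two are redundant, so the score can be recomputed from the vector, which is a cheap consistency check before a score is copied into a ticket or a risk register. The following is an added example, not HP code; it implements the published CVSS v2.0 base equation and weights, and the rows in BULLETIN_ROWS are copied from the five bulletins on this page. Running it shows that in the Apache Web Server Suite bulletin (HPSBUX02401) the vectors printed for CVE-2008-2364, CVE-2008-2370 and CVE-2008-3658 evaluate to 4.3, not the 5.0 and 7.5 printed beside them, so for those rows either the vector or the score was copied incorrectly and should be checked against the CVE entry before use.

```python
"""Recompute CVSS 2.0 base scores from the vectors printed in HP bulletins.

Added example, not part of any HP bulletin. Formula and metric weights
are the published CVSS v2.0 base equation; BULLETIN_ROWS is copied from
the bulletins on this page.
"""
import math
import re

# CVSS v2.0 base metric weights
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}

VECTOR_RE = re.compile(
    r"^\(?AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])\)?$"
)


def round1(x):
    """Round half up to one decimal, as the CVSS v2 guide specifies
    (Python's round() is round-half-even on floats)."""
    return math.floor(x * 10 + 0.5) / 10


def cvss2_base_score(vector):
    """Return the CVSS v2.0 base score for a base vector such as
    'AV:N/AC:L/Au:N/C:P/I:P/A:N' (surrounding parentheses optional)."""
    m = VECTOR_RE.match(vector.strip())
    if not m:
        raise ValueError("not a CVSS v2 base vector: %r" % vector)
    av, ac, au, c, i, a = m.groups()
    impact = 10.41 * (1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a]))
    exploitability = 20 * AV[av] * AC[ac] * AU[au]
    f_impact = 0.0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


# (reference, vector, score) exactly as printed in the five bulletins on this page
BULLETIN_ROWS = [
    ("CVE-2008-0067", "AV:N/AC:L/Au:N/C:P/I:P/A:N", 6.4),   # HPSBMA02400
    ("CVE-2009-0204", "AV:N/AC:L/Au:N/C:P/I:P/A:N", 6.4),   # HPSBMA02403
    ("CVE-2008-1447", "AV:N/AC:L/Au:N/C:P/I:P/A:P", 7.5),   # HPSBMP02404
    ("CVE-2008-2476", "AV:N/AC:M/Au:N/C:C/I:C/A:C", 9.3),   # HPSBUX02407
    ("CVE-2008-4404", "AV:N/AC:L/Au:N/C:C/I:C/A:C", 10.0),
    ("CVE-2007-6420", "AV:N/AC:M/Au:N/C:N/I:P/A:N", 4.3),   # HPSBUX02401
    ("CVE-2008-1232", "AV:N/AC:M/Au:N/C:N/I:P/A:N", 4.3),
    ("CVE-2008-1947", "AV:N/AC:M/Au:N/C:N/I:P/A:N", 4.3),
    ("CVE-2008-2364", "AV:N/AC:M/Au:N/C:N/I:P/A:N", 5.0),
    ("CVE-2008-2370", "AV:N/AC:M/Au:N/C:N/I:P/A:N", 5.0),
    ("CVE-2008-2938", "AV:N/AC:M/Au:N/C:N/I:P/A:N", 4.3),
    ("CVE-2008-2939", "AV:N/AC:M/Au:N/C:N/I:P/A:N", 4.3),
    ("CVE-2008-3658", "AV:N/AC:M/Au:N/C:N/I:P/A:N", 7.5),
]


def find_mismatches(rows):
    """Return [(ref, printed_score, recomputed_score)] for every row whose
    printed score does not follow from the printed vector."""
    out = []
    for ref, vec, printed in rows:
        computed = cvss2_base_score(vec)
        if computed != printed:
            out.append((ref, printed, computed))
    return out


if __name__ == "__main__":
    for ref, printed, computed in find_mismatches(BULLETIN_ROWS):
        print("%s: bulletin prints %.1f, vector gives %.1f" % (ref, printed, computed))
```

The rounding helper matters: the CVSS v2 guide rounds half up, and a straight `round()` on a float can land on the even neighbour instead, which would occasionally disagree with a vendor's printed score by 0.1 for no real reason.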
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01658614
Version: 1
HPSBMA02403 SSRT090007 rev.1 - HP Select Access Running on HP-UX, Linux, Solaris, and Windows, Remote Cross Site Scripting (XSS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-01-28
Last Updated: 2009-01-28
Potential Security Impact: Remote cross site scripting (XSS)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Select Access running on HP-UX, Linux, Solaris, and Windows. The vulnerability could be exploited remotely to allow cross site scripting (XSS).
References: CVE-2009-0204
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Select Access v6.1 and v6.2 running on HP-UX, Linux, Solaris, and Windows
BACKGROUND
CVSS 2.0 Base Metrics
===============================================
Reference Base Vector Base Score
CVE-2009-0204 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
===============================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
RESOLUTION
HP has made hotfixes available to resolve the vulnerability.
The hotfixes and patches are available from http://support.openview.hp.com/selfsolve/patches
First, install one of these patches
Select Access v6.1 Patch 4
Select Access v6.2 Patch 2
Select Access v6.2 Patch 3
Next, install the hotfix
HPSACC 6.1 P4 Hotfix1 (HPSACC_00004) for Select Access v6.1 Patch 4
HPSACC 6.2 P2 Hotfix1 (HPSACC_00005) for Select Access v6.2 Patch 2
HPSACC 6.2 P3 Hotfix1 (HPSACC_00003) for Select Access v6.2 Patch 3
MANUAL ACTIONS: Yes - NonUpdate
Apply the appropriate hotfix as described in the Resolution.
PRODUCT SPECIFIC INFORMATION
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS (for HP-UX)
HP-UX B.11.31
HP-UX B.11.23
HP-UX B.11.11
=============
action: if running HP Select Access, apply hotfix listed in Resolution
URL: http://support.openview.hp.com/selfsolve/patches
END AFFECTED VERSIONS (for HP-UX)
HISTORY
Version:1 (rev.1) - 28 January 2009 Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQA/AwUBSYCGgOAfOvwtKn1ZEQKK8ACgs972+/D14ErttfsvCuEuYKTytZIAn1sS
7gn8WZVUmtC5J40P4yHLBNtJ
=45h+
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01660723
Version: 1
HPSBMP02404 SSRT090014 rev.1 - MPE/iX Running BIND/iX, Remote DNS Cache Poisoning
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-01-28
Last Updated: 2009-01-28
Potential Security Impact: DNS cache poisoning
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with MPE/iX running BIND/iX. The vulnerability could be exploited remotely to cause DNS cache poisoning.
References: CVE-2008-1447
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
MPE/iX v6.5, v7.0 and v7.5 running BIND/ix v9.3.0
BACKGROUND
CVSS 2.0 Base Metrics
===============================================
Reference Base Vector Base Score
CVE-2008-1447 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
===============================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
RESOLUTION
The resolution is to discontinue the use of BIND/iX and migrate DNS services to another platform.
HISTORY
Version:1 (rev.1) - 28 January 2009 Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQA/AwUBSYC/geAfOvwtKn1ZEQLwdQCdFHNp73y8BymCYXFCVVyXxGD/KtkAn0Y1
6LkUhoT9A26WUfYJ4yznX0wW
=dYIx
-----END PGP SIGNATURE-----
--- End Message ---
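The bulletin above offers no patch for BIND/iX 9.3.0 and tells MPE/iX sites to move DNS service elsewhere. CVE-2008-1447 is exploitable because a resolver that reuses one UDP source port leaves only the 16-bit transaction ID for an attacker to guess, so the thing to verify on the replacement resolver (or on any recursive server still in service) is that both the source port and the transaction ID of its outgoing queries are unpredictable. The following is an added example, not HP code or anything from BIND: it scores a list of (source port, transaction ID) pairs that you would extract from a packet capture of the resolver's outgoing port-53 queries, and flags a fixed port, a small port pool or a counter-style ID. The three captures it ships with are constructed by the example itself, not recorded from BIND/iX.

```python
"""Assess source-port and transaction-ID randomization of a recursive resolver
from observed outgoing queries (the property CVE-2008-1447 exploits when missing).

Added example, not HP or ISC code. Input is a list of (udp_src_port, dns_txid)
tuples; the captures returned by constructed_capture() are synthetic.
"""
from collections import Counter
import math
import random


def entropy_bits(values):
    """Shannon entropy (bits) of the empirical distribution of values."""
    n = len(values)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def sequential_fraction(values, modulus):
    """Fraction of consecutive samples that differ by exactly +1 (mod modulus).
    A counter has high Shannon entropy but is trivially predictable; this catches it."""
    if len(values) < 2:
        return 0.0
    hits = sum(1 for a, b in zip(values, values[1:]) if (b - a) % modulus == 1)
    return hits / (len(values) - 1)


def assess_resolver(queries, min_bits=8.0, max_sequential=0.1):
    """queries: list of (udp_src_port, dns_txid) from a resolver's outgoing queries.
    Returns a report dict; 'exposed' is True when either field is predictable
    enough that blind response spoofing is practical. The entropy estimate is
    capped at log2(len(queries)), so feed at least a few hundred samples."""
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    report = {
        "samples": len(queries),
        "distinct_ports": len(set(ports)),
        "distinct_txids": len(set(txids)),
        "port_bits": entropy_bits(ports),
        "txid_bits": entropy_bits(txids),
        "port_sequential": sequential_fraction(ports, 65536),
        "txid_sequential": sequential_fraction(txids, 65536),
    }
    problems = []
    if report["port_bits"] < min_bits or report["port_sequential"] > max_sequential:
        problems.append("source port predictable")
    if report["txid_bits"] < min_bits or report["txid_sequential"] > max_sequential:
        problems.append("transaction ID predictable")
    report["problems"] = problems
    report["exposed"] = bool(problems)
    return report


def constructed_capture(kind, n=512, seed=1):
    """Synthetic captures (not recorded traffic) for three resolver behaviours."""
    rng = random.Random(seed)
    if kind == "fixed_port":       # every query leaves from one port; only the TXID varies
        return [(53, rng.randrange(65536)) for _ in range(n)]
    if kind == "counter_txid":     # random port, but the TXID increments by one per query
        return [(rng.randrange(1024, 65536), (1000 + i) % 65536) for i in range(n)]
    if kind == "randomized":       # port and TXID both drawn from the full range
        return [(rng.randrange(1024, 65536), rng.randrange(65536)) for _ in range(n)]
    raise ValueError(kind)


if __name__ == "__main__":
    for kind in ("fixed_port", "counter_txid", "randomized"):
        r = assess_resolver(constructed_capture(kind))
        print("%-13s ports=%3d (%.1f bits) txids=%3d (%.1f bits) -> %s" % (
            kind, r["distinct_ports"], r["port_bits"], r["distinct_txids"],
            r["txid_bits"], r["problems"] or "ok"))
```

The two thresholds are deliberately conservative: eight bits of port entropy over a few hundred queries is well below what a properly randomizing resolver produces, so a failure is a clear signal rather than a borderline one, while a pass only says the resolver is not the easy case; it does not replace checking the software version against the vendor's fixed release.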
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01662367
Version: 1
HPSBUX02407 SSRT080107 rev.1 - HP-UX Running IPv6, Remote Denial of Service (DoS) and Unauthorized Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-02-02
Last Updated: 2009-02-02
Potential Security Impact: Remote Denial of Service (DoS) and unauthorized access
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP-UX running IPv6. This vulnerability could be exploited remotely resulting in a Denial of Service (DoS) and unauthorized access.
References: CVE-2008-2476, CVE-2008-4404
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23, B.11.31 running IPv6
BACKGROUND
CVSS 2.0 Base Metrics
===============================================
Reference Base Vector Base Score
CVE-2008-2476 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3
CVE-2008-4404 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
===============================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
RESOLUTION
HP has provided the following software patches to resolve the vulnerabilities.
The patches are available for download from: http://itrc.hp.com
HP-UX Release - B.11.11 (11i v1)
Patch ID - PHNE_37898
HP-UX Release - B.11.23 (11i v2)
Patch ID - PHNE_37897
HP-UX Release - B.11.31 (11i v3)
Patch ID - PHNE_38680
MANUAL ACTIONS: No
PRODUCT SPECIFIC INFORMATION
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.11
=============
Networking.NET-KRN
Networking.NET-PRG
Networking.NET-RUN
Networking.NET-RUN-64
OS-Core.CORE-KRN
ProgSupport.C-INC
Networking.NET2-KRN
Networking.NMS2-KRN
OS-Core.CORE2-KRN
OS-Core.SYS-ADMIN
Networking.NET2-KRN
Networking.NMS2-KRN
OS-Core.CORE2-KRN
OS-Core.SYS-ADMIN
action: install patch PHNE_37898 or subsequent
URL: http://itrc.hp.com
HP-UX B.11.23
=============
Networking.NET-PRG
Networking.NET-RUN
ProgSupport.C-INC
Networking.NET-RUN-64
Networking.NET2-KRN
Networking.NET2-RUN
Networking.NMS2-KRN
OS-Core.CORE2-KRN
OS-Core.SYS2-ADMIN
Networking.NET-RUN-64
Networking.NET2-KRN
Networking.NET2-RUN
Networking.NMS2-KRN
OS-Core.CORE2-KRN
OS-Core.SYS2-ADMIN
action: install patch PHNE_37897 or subsequent
URL: http://itrc.hp.com
HP-UX B.11.31
=============
Networking.NET-RUN
ProgSupport.C-INC
Networking.NET-RUN-64
Networking.NET2-KRN
Networking.NET2-RUN
Networking.NMS2-KRN
OS-Core.CORE2-KRN
OS-Core.SYS2-ADMIN
Networking.NET-RUN-64
Networking.NET2-KRN
Networking.NET2-RUN
Networking.NMS2-KRN
OS-Core.CORE2-KRN
OS-Core.SYS2-ADMIN
action: install patch PHNE_38680 or subsequent
URL: http://itrc.hp.com
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) - 2 February 2009 Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQA/AwUBSYdFsuAfOvwtKn1ZEQK0VACeIKetdQfBDsssaZYXnerHz8AEwzEAn2iy
saLPK+/sw3/02JA+b0HuzPfv
=HTAW
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01650939
Version: 1
HPSBUX02401 SSRT090005 rev.1 - HP-UX Running Apache Web Server Suite, Remote Denial of Service (DoS), Cross-site Scripting (XSS), Execution of Arbitrary Code, Cross-Site Request Forgery (CSRF)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-02-02
Last Updated: 2009-02-02
Potential Security Impact: Remote Denial of Service (DoS), cross-site scripting (XSS), execution of arbitrary code, cross-site request forgery (CSRF)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX running Apache-based Web Server or Tomcat-based Servlet Engine. The vulnerabilities could be exploited remotely to cause a Denial of Service (DoS), cross-site scripting (XSS), execution of arbitrary code, or cross-site request forgery (CSRF). Apache-based Web Server and Tomcat-based Servlet Engine are contained in the Apache Web Server Suite.
References: CVE-2007-6420, CVE-2008-1232, CVE-2008-1947, CVE-2008-2364, CVE-2008-2370, CVE-2008-2938, CVE-2008-2939, CVE-2008-3658
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.23 and B.11.31 running Apache-based Web Server v2.2.8.01.01 or earlier or Tomcat-based Servlet Engine v5.5.27.01.01 or earlier
HP-UX B.11.11 running Apache-based Web Server v2.2.8.01.01 or earlier
BACKGROUND
CVSS 2.0 Base Metrics
===============================================
Reference Base Vector Base Score
CVE-2007-6420 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2008-1232 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2008-1947 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2008-2364 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 5.0
CVE-2008-2370 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 5.0
CVE-2008-2938 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2008-2939 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2008-3658 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 7.5
===============================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
RESOLUTION
HP has provided the following upgrades to resolve these vulnerabilities.
The upgrades are available from the following location:
URL: http://software.hp.com
Note: HP-UX Web Server Suite v.3.02 contains HP-UX Apache-based Web Server v.2.2.8.01.02
and HP-UX Tomcat-based Servlet Engine 5.5.27.01.01
HP-UX Release - B.11.23 and B.11.31 PA-32
Apache Depot name - HPUXWSATW-B302-32.depot
HP-UX Release - B.11.23 and B.11.31 IA-64
Apache Depot name - HPUXWSATW-B302-64.depot
HP-UX Release - B.11.11 PA-32
Apache Depot name - HPUXWSATW-B222-1111.depot
MANUAL ACTIONS: Yes - Update
Install Apache-based Web Server or Tomcat-based Servlet Engine from the Apache Web Server Suite v3.02 or subsequent
PRODUCT SPECIFIC INFORMATION
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.11
==================
hpuxwsAPACHE.APACHE
hpuxwsAPACHE.APACHE2
hpuxwsAPACHE.AUTH_LDAP
hpuxwsAPACHE.AUTH_LDAP2
hpuxwsAPACHE.MOD_JK
hpuxwsAPACHE.MOD_JK2
hpuxwsAPACHE.MOD_PERL
hpuxwsAPACHE.MOD_PERL2
hpuxwsAPACHE.PHP
hpuxwsAPACHE.PHP2
hpuxwsAPACHE.WEBPROXY
hpuxwsTOMCAT.TOMCAT
hpuxwsWEBMIN.WEBMIN
action: install revision B.2.2.8.01.02 or subsequent
URL: http://software.hp.com
HP-UX B.11.23
==================
hpuxws22APCH32.APACHE
hpuxws22APCH32.APACHE2
hpuxws22APCH32.AUTH_LDAP
hpuxws22APCH32.AUTH_LDAP2
hpuxws22APCH32.MOD_JK
hpuxws22APCH32.MOD_JK2
hpuxws22APCH32.MOD_PERL
hpuxws22APCH32.MOD_PERL2
hpuxws22APCH32.PHP
hpuxws22APCH32.PHP2
hpuxws22APCH32.WEBPROXY
hpuxws22APCH32.WEBPROXY2
hpuxws22TOMCAT.TOMCAT
hpuxws22WEBMIN.WEBMIN
action: install revision B.2.2.8.01.02 or subsequent
URL: http://software.hp.com
HP-UX B.11.31
==================
hpuxws22APACHE.APACHE
hpuxws22APACHE.APACHE2
hpuxws22APACHE.AUTH_LDAP
hpuxws22APACHE.AUTH_LDAP2
hpuxws22APACHE.MOD_JK
hpuxws22APACHE.MOD_JK2
hpuxws22APACHE.MOD_PERL
hpuxws22APACHE.MOD_PERL2
hpuxws22APACHE.PHP
hpuxws22APACHE.PHP2
hpuxws22APACHE.WEBPROXY
hpuxws22APACHE.WEBPROXY2
hpuxws22TOMCAT.TOMCAT
hpuxws22WEBMIN.WEBMIN
action: install revision B.2.2.8.01.02 or subsequent
URL: http://software.hp.com
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) - 2 February 2009 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
- check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
- verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.
To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do
* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."
©Copyright 2009 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQA/AwUBSYhX8+AfOvwtKn1ZEQJxcACeJa8lt5TkhV5qnaGRTaBh4kqHutgAoJbH
XCe08aGCzEZj/q4n91JQnhq6
=XImF
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01623905
Version: 1
HPSBPI02398 SSRT080166 rev.1 - Certain HP LaserJet Printers, HP Color LaserJet Printers, and HP Digital Senders, Remote Unauthorized Access to Files
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-02-04
Last Updated: 2009-02-04
Potential Security Impact: Remote unauthorized access to files
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with certain HP LaserJet printers, HP Color LaserJet printers and HP Digital Senders. The vulnerability could be exploited remotely to gain unauthorized access to files.
References: CVE-2008-4419
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP LaserJet 2410 with firmware prior to 20080819 SPCL112A
HP LaserJet 2420 with firmware prior to 20080819 SPCL112A
HP LaserJet 2430 with firmware prior to 20080819 SPCL112A
HP LaserJet 4250 with firmware prior to 20080819 SPCL015A
HP LaserJet 4350 with firmware prior to 20080819 SPCL015A
HP LaserJet 9040 with firmware prior to 20080819 SPCL110A
HP LaserJet 9050 with firmware prior to 20080819 SPCL110A
HP LaserJet 4345mfp with firmware prior to 09.120.9
HP Color LaserJet 4730mfp with firmware prior to 46.200.9
HP LaserJet 9040mfp with firmware prior to 08.110.9
HP LaserJet 9050mfp with firmware prior to 08.110.9
HP 9200C Digital Sender with firmware prior to 09.120.9
HP Color LaserJet 9500mfp with firmware prior to 08.110.9
BACKGROUND
CVSS 2.0 Base Metrics
===============================================
Reference Base Vector Base Score
CVE-2008-4419 (AV:N/AC:L/Au:N/C:C/I:N/A:N) 7.8
===============================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
The Hewlett-Packard Company thanks the Digital Defense, Inc. (DDI) Vulnerability Research Team (VRT) for reporting this vulnerability to security-alert@hp.com.
RESOLUTION
HP has provided firmware updates and preliminary firmware updates to resolve this vulnerability. The firmware updates and preliminary firmware updates are available as described below.
Note: Each firmware update has instructions for finding the firmware version installed on the product.
Product - HP LaserJet 4345mfp
Resolved in Firmware Version - 09.120.9 or subsequent
Product - HP Color LaserJet 4730mfp
Resolved in Firmware Version - 46.200.9 or subsequent
Product - HP LaserJet 9040mfp
Resolved in Firmware Version - 08.110.9 or subsequent
Product - HP LaserJet 9050mfp
Resolved in Firmware Version - 08.110.9 or subsequent
Product - HP 9200C Digital Sender
Resolved in Firmware Version - 09.120.9 or subsequent
Product - HP Color LaserJet 9500mfp
Resolved in Firmware Version - 08.110.9 or subsequent
Product - HP LaserJet 2410
Resolved in Preliminary Firmware Version - 20080819 SPCL112A
Product - HP LaserJet 2420
Resolved in Preliminary Firmware Version - 20080819 SPCL112A
Product - HP LaserJet 2430
Resolved in Preliminary Firmware Version - 20080819 SPCL112A
Product - HP LaserJet 4250
Resolved in Preliminary Firmware Version - 20080819 SPCL015A
Product - HP LaserJet 4350
Resolved in Preliminary Firmware Version - 20080819 SPCL015A
Product - HP LaserJet 9040
Resolved in Preliminary Firmware Version - 20080819 SPCL110A
Product - HP LaserJet 9050
Resolved in Preliminary Firmware Version - 20080819 SPCL110A
To Locate the Firmware Update
Browse to http://www.hp.com and do the following:
Select "Support & Drivers"
In Step 1 select "Download drivers and software (and firmware)"
In Step 2 enter one of the following:
HP LaserJet 4345 Multifunction Printer series
HP Color LaserJet 4730 Multifunction Printer series
HP LaserJet 9040/9050 Multifunction Printer series
HP 9200C Digital Sender
HP Color LaserJet 9500 Multifunction Printer series
Click on "Go"
Click on the desired product if necessary
Click on the desired operating system
Click on "Firmware"
To Download and Install the Preliminary Firmware Update for the HP LaserJet 2410, 2420, 2430, 4250, 4350, 9040, 9050
Download the file listed in the table below and the InstallationInstructions.rtf file
from ftp://ss080166:ss080166@hprc.external.hp.com/
Product - HP LaserJet 2410
Resolved in Preliminary Firmware Version - lj24x0fw_08_112_spcl112A.rfu
Product - HP LaserJet 2420
Resolved in Preliminary Firmware Version - lj24x0fw_08_112_spcl112A.rfu
Product - HP LaserJet 2430
Resolved in Preliminary Firmware Version - lj24x0fw_08_112_spcl112A.rfu
Product - HP LaserJet 4250
Resolved in Preliminary Firmware Version - lj4x50fw_08_015_spcl015A.rfu
Product - HP LaserJet 4350
Resolved in Preliminary Firmware Version - lj4x50fw_08_015_spcl015A.rfu
Product - HP LaserJet 9040
Resolved in Preliminary Firmware Version - lj9050-50fw_08_110_spcl110A.rfu
Product - HP LaserJet 9050
Resolved in Preliminary Firmware Version - lj9050-50fw_08_110_spcl110A.rfu
Optionally, verify the MD5 sums.
File - lj24x0fw_08_112_spcl112A.rfu
MD5 Sum - b3dbcc8d6d465b0a264b662b13a19685
File - lj4x50fw_08_015_spcl015A.rfu
MD5 Sum - 1acfd981cad26e002f655332b1ba5954
File - lj9050-50fw_08_110_spcl110A.rfu
MD5 Sum - ed2ded960ba70e563b58e506fbe1faae
File - InstallationInstructions.rtf
MD5 Sum - 1feb8410771d698ea9599d2fcc462a2d
Install the preliminary firmware update as described in the InstallationInstructions.rtf file.
PRODUCT SPECIFIC INFORMATION
None
HISTORY
Version:1 (rev.1) - 4 February 2009 Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQA/AwUBSYmjW+AfOvwtKn1ZEQJvsQCgpPvSzv5fsmj0X5VKefFVqoVNDA4Anjjo
4sKcDkXGzBXY6VTVHHBnLQ6d
=GiEL
-----END PGP SIGNATURE-----
--- End Message ---
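The CVSS 2.0 base vectors printed in the bulletins above (for example CVE-2008-4419 at 7.8, CVE-2009-0205 at 7.5 and CVE-2009-0206 at 4.9 further down this digest) follow the published CVSS v2 base equation. The calculator below is an added example, not code from HP or from any of the bulletins; it parses a vector in the exact form HP prints it and recomputes the score, so a vendor-supplied score can be re-checked during triage before it drives patch priority. The function names and the sample lines fed to it are my own; the metric weights are the CVSS v2 specification constants.

```python
"""CVSS 2.0 base-score calculator (added example; not part of the HP bulletins).

Parses base vectors in the form the bulletins print them, e.g.
(AV:N/AC:L/Au:N/C:C/I:N/A:N), and reproduces the base score so the
vendor-supplied number can be checked.  Weights are the CVSS v2 base
equation constants.
"""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base metric weights (CVSS v2 specification).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

_EXPECTED = {"AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
             "C": IMPACT, "I": IMPACT, "A": IMPACT}


def parse_vector(vector: str) -> dict:
    """Turn '(AV:N/AC:L/Au:N/C:C/I:N/A:N)' into {'AV': 'N', ...}.

    Missing, duplicated or unknown metrics raise, so a mangled advisory
    line fails loudly instead of producing a plausible-looking score.
    """
    body = vector.strip().strip("()")
    metrics = {}
    for part in body.split("/"):
        name, _, value = part.partition(":")
        if name in metrics:
            raise ValueError(f"duplicate metric {name!r} in {vector!r}")
        metrics[name] = value
    if set(metrics) != set(_EXPECTED):
        raise ValueError(f"expected metrics {sorted(_EXPECTED)} in {vector!r}")
    for name, table in _EXPECTED.items():
        if metrics[name] not in table:
            raise ValueError(f"unknown value {metrics[name]!r} for {name} in {vector!r}")
    return metrics


def base_score(vector: str) -> float:
    """CVSS v2 base equation, rounded half-up to one decimal as NVD does."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176   # f(Impact) term of the v2 equation
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return float(Decimal(repr(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def check_bulletin_line(line: str) -> tuple:
    """Parse one 'CVE-id (vector) score' line; return (cve, computed, matches)."""
    cve, vector, printed = line.split()
    computed = base_score(vector)
    return cve, computed, abs(computed - float(printed)) < 0.05


if __name__ == "__main__":
    # Lines copied from the bulletins in this digest.
    for line in ("CVE-2008-4419 (AV:N/AC:L/Au:N/C:C/I:N/A:N) 7.8",
                 "CVE-2009-0205 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5",
                 "CVE-2009-0206 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9"):
        print(check_bulletin_line(line))
```

Run over every "Reference Base Vector Base Score" row of a bulletin, a `False` in the third field points at a transcription error in either the vector or the printed score, which is worth resolving before the score is used for ranking, since the two tell different stories about reachability and impact.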
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01661610
Version: 1
HPSBMA02406 SSRT080100 rev.1 - HP OpenView Network Node Manager (OV NNM), Remote Execution of Arbitrary Code
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-02-04
Last Updated: 2009-02-04
Potential Security Impact: Remote execution of arbitrary code
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP OpenView Network Node Manager (OV NNM). The vulnerability could be exploited remotely to allow execution of arbitrary code.
References: CVE-2009-0205
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP OpenView Network Node Manager (OV NNM) v7.01, v7.51, v7.53 running on HP-UX, Linux, Solaris, and Windows
BACKGROUND
CVSS 2.0 Base Metrics
===============================================
Reference Base Vector Base Score
CVE-2009-0205 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
===============================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
RESOLUTION
HP has made patches available to resolve the vulnerability.
The patches are available from http://support.openview.hp.com/selfsolve/patches
Note: The patches are not available from the HP IT Resource Center (ITRC).
OV NNM v7.53
Operating System - HP-UX (IA)
Resolved in Patch - PHSS_38783 or subsequent
Operating System - HP-UX (PA)
Resolved in Patch - PHSS_38782 or subsequent
Operating System - Linux RedHatAS2.1
Resolved in Patch - LXOV_00089 or subsequent
Operating System - Linux RedHat4AS-x86_64
Resolved in Patch - LXOV_00090 or subsequent
Operating System - Solaris
Resolved in Patch - PSOV_03517 or subsequent
Operating System - Windows
Resolved in Patch - NNM_01195 or subsequent
OV NNM v7.51
Upgrade to NNM v7.53 and install the patches listed above. Patch bundles for upgrading from NNM v7.51 to NNM v5.53 are available here: ftp://nnm_753:update@hprc.external.hp.com/
OV NNM v7.01
Operating System - HP-UX (PA)
Resolved in Patch - PHSS_38761 or subsequent
Operating System - Solaris
Resolved in Patch - PSOV_03516 or subsequent
Operating System - Windows
Resolved in Patch - NNM_01194 or subsequent
MANUAL ACTIONS: Yes - NonUpdate
Install the patches listed in the Resolution
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS (for HP-UX)
For HP-UX OV NNM 7.51 and 7.53
HP-UX B.11.31
HP-UX B.11.23 (IA)
HP-UX B.11.23 (PA)
HP-UX B.11.11
=============
OVNNMgr.OVNNM-RUN,fr=B.07.50.00
action: install the patches listed in the Resolution
URL: http://support.openview.hp.com/selfsolve/patches
For HP-UX OV NNM 7.01
HP-UX B.11.11
=============
OVNNMgr.OVNNM-RUN,fr=B.07.01.00
action: install the patches listed in the Resolution
URL: http://support.openview.hp.com/selfsolve/patches
END AFFECTED VERSIONS (for HP-UX)
HISTORY
Version:1 (rev.1) - 4 February 2009 Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQA/AwUBSYmqReAfOvwtKn1ZEQLdWQCgx+xZDhRBTjj128NwDyqLon9ma90AnRlT
gw+fH3o2yJMY18D18Sv/QqYE
=4a3y
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01666473
Version: 1
HPSBUX02408 SSRT080182 rev.1 - HP-UX Running NFS, Local Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-02-04
Last Updated: 2009-02-04
Potential Security Impact: Local Denial of Service (DoS)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP-UX running NFS. This vulnerability could be exploited locally resulting in a Denial of Service (DoS).
References: CVE-2009-0206
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.31 only running ONCplus B.11.31.05 and earlier
BACKGROUND
CVSS 2.0 Base Metrics
===============================================
Reference Base Vector Base Score
CVE-2009-0206 (AV:L/AC:L/Au:N/C:N/I:N/A:C) 4.9
===============================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
RESOLUTION
HP has provided the following software upgrade to resolve the vulnerability.
The upgrade is available for download from: http://software.hp.com
HP-UX Release - B.11.31 (11i v3)
Depot Name - ONCplus B.11.31.06
MANUAL ACTIONS: No
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.31
=============
NFS.KEY-CORE
NFS.NFS-64ALIB
NFS.NFS-64SLIB
NFS.NFS-CLIENT
NFS.NFS-CORE
NFS.NFS-KRN
NFS.NFS-PRG
NFS.NFS-SERVER
NFS.NFS-SHLIBS
NFS.NFS2-CLIENT
NFS.NFS2-CORE
NFS.NFS2-PRG
NFS.NFS2-SERVER
NFS.NIS-CLIENT
NFS.NIS-CORE
NFS.NIS-SERVER
NFS.NIS2-CLIENT
NFS.NIS2-CORE
NFS.NIS2-SERVER
action: install upgrade B.11.31.06 or subsequent
URL: http://software.hp.com
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) - 4 February 2009 Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQA/AwUBSYoPjeAfOvwtKn1ZEQKvRgCg6wqdrCLqFOkV+zloeoD25yup1sAAoPIt
u7NL26ErEbSHR5rSigx39FSj
=fP5Z
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
iDefense Security Advisory 02.06.09
http://labs.idefense.com/intelligence/vulnerabilities/
Feb 06, 2009
I. BACKGROUND
HP Network Node Manager (NNM) is an application suite that is used to
map out and manage network topography. NNM runs on a variety of
platforms, including Linux and multiple versions of Windows. For more
information, see the vendor's site found at the following link.
http://www.openview.hp.com/products/nnm/index.html
II. DESCRIPTION
Remote exploitation of multiple command injection vulnerabilities in
Hewlett-Packard Development Co. LP (HP)'s Network Node Manager could
allow an attacker to execute arbitrary code with the privileges of the
affected service.
Multiple command injection vulnerabilities are present in NNM CGI
applications.
The vulnerabilities are very similar and occur in the webappmon.exe and
OpenView5.exe program. Part of the functionality of these applications
is to start other programs and collect their output. In order to
perform this, they each execute external programs along with any
attacker controllable arguments for the application. The arguments may
contain shell meta-characters. This allows an attacker to run arbitrary
shell commands. The arguments are not filtered before being passed to
the external program. This results in attacker supplied commands being
run on the host.
III. ANALYSIS
Exploitation of these vulnerabilities results in the execution of
arbitrary code with the privileges of the affected service. On RedHat
Enterprise 4, the application is started as the user 'bin'. All that is
required for exploitation is the ability to create a TCP connection to
port 80 on the targeted host.
IV. DETECTION
iDefense has confirmed the existence of these vulnerabilities in Network
Node Manager version 7.53 for Linux. Previous versions, as well as
versions for other Unix based operating systems, may also be affected.
V. WORKAROUND
By default, the NNM CGI applications do not require a user to be
authenticated. By changing the session.conf file and setting UserLogin
to ON, it is possible to require valid credentials in order to run. The
'ovhtpasswd' application can then be used to add valid credentials to
the password file.
VI. VENDOR RESPONSE
HP has released a patch which addresses this issue. For more
information, consult their advisory at the following URL.
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01661610
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-4559 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
06/19/2008 Initial Contact
06/19/2008 Vendor Case numbers set
07/10/2008 PoC sent
01/22/2009 Vendor says patch is ready
02/05/2009 Requested CVE from vendor
02/05/2009 Requested date coordination
02/06/2009 Coordinated Public Disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2009 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFJjJsnbjs6HoxIfBkRAtdEAKD0ZM7MTAY0CC5mWXCotzVG8wUKcgCfSGQc
hHbbBHyuDQTBkUKzc48cDw0=
=Re4N
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
iDefense Security Advisory 02.06.09
http://labs.idefense.com/intelligence/vulnerabilities/
Feb 06, 2009
I. BACKGROUND
HP Network Node Manager (NNM) is an application suite that is used to
map out and manage network topography. NNM runs on a variety of
platforms, including Linux and multiple versions of Windows. For more
information, see the vendor's site found at the following link.
http://www.openview.hp.com/products/nnm/index.html
II. DESCRIPTION
Remote exploitation of multiple information disclosure vulnerabilities
in Hewlett-Packard Development Co. LP (HP)'s Network Node Manager could
allow an attacker to gain access to sensitive information.
Two vulnerabilities exist within the CGI applications distributed with
NNM.
The first vulnerability exists in the nnmRptConfig.exe CGI application.
When responding to specifically crafted requests, the CGI will disclose
the location of log directories.
The second vulnerability exists within the ovlaunch.exe CGI. If a
parameter is incorrectly set in a specific request, the application
will return various configuration details.
III. ANALYSIS
Exploitation of these vulnerabilities results in the disclosure of
sensitive information. While the direct effects of these
vulnerabilities are minimal, they may be useful to an attacker
attempting to exploit other vulnerabilities.
IV. DETECTION
iDefense has confirmed the existence of these vulnerabilities in Network
Node Manager version 7.53 for Linux and Windows. Previous versions may
also be affected.
V. WORKAROUND
iDefense is currently unaware of any workarounds for these issues.
VI. VENDOR RESPONSE
Hewlett-Packard has released a patch which addresses this issue. For
more information, consult their advisory at the following URL.
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01661610
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-4560 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
06/19/2008 Initial Contact
06/19/2008 Vendor Case # SSRT080095 set
07/10/2008 PoC sent
01/22/2009 Vendor says patch is ready
02/05/2009 Requested CVE from vendor
02/05/2009 Requested date coordination
02/06/2009 Coordinated Public Disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFJjKTTbjs6HoxIfBkRAn+nAJ0YusPTHicFnJpCKBIMwhEsg26p2wCdGZM3
12udAN07EiZpKlRihYGh0LA=
=z792
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01438409
Version: 3
HPSBMA02331 SSRT080000 rev.3 - HP-UX running WBEM Services, Remote Execution of Arbitrary Code, Gain Extended Privileges
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2008-04-29
Last Updated: 2009-02-10
Potential Security Impact: Remote execution of arbitrary code, gain extended privileges.
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX running WBEM Services. These vulnerabilities could be exploited remotely to execute arbitrary code or to gain extended privileges.
References: CVE-2007-5360, CVE-2008-0003
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23, B.11.31 running HP WBEM Services vA.02.07.01 or earlier
BACKGROUND
CVSS 2.0 Base Metrics
===============================================
Reference Base Vector Base Score
CVE-2007-5360 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 7.5
CVE-2008-0003 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
===============================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
RESOLUTION
HP has provided the following software patches to resolve the vulnerabilities.
The patches are available for download from:
http://itrc.hp.com
OS Release - B.11.11
Affected WBEM Services Revision - A.02.07.01
Patch ID - PHSS_37700
OS Release - B.11.23
Affected WBEM Services Revision - A.02.07
Patch ID - PHSS_37701
OS Release - B.11.31
Affected WBEM Services Revision - A.02.07
Patch ID - PHSS_37891
OS Release - B.11.11
Affected WBEM Services Revision - A.02.05.08
Patch ID - PHSS_37702
OS Release - B.11.23
Affected WBEM Services Revision - A.02.05.08
Patch ID - PHSS_37703
OS Release - B.11.31
Affected WBEM Services Revision - A.02.05.08
Patch ID - PHSS_37704
OS Release - B.11.11
Affected WBEM Services Revision - A.02.00.11
Patch ID - PHSS_38747
OS Release - B.11.23
Affected WBEM Services Revision - A.02.00.11
Patch ID - PHSS_38748
MANUAL ACTIONS: Yes - NonUpdate
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.11
=============
WBEMServices.WBEM-CORE
action: install PHSS_38747 or subsequent
http://itrc.hp.com
HP-UX B.11.23
=============
WBEMServices.WBEM-CORE
action: install PHSS_38748 or subsequent
http://itrc.hp.com
HP-UX B.11.11
HP-UX B.11.23
HP-UX B.11.31
=============
WBEMServices.WBEM-CORE-COM
WBEMServices.WBEM-MAN
WBEMServices.WBEM-CORE
action: install revision A.02.00.11 or subsequent
HP-UX B.11.11
=============
WBEMServices.WBEM-CORE-COM
WBEMServices.WBEM-MAN
WBEMServices.WBEM-CORE
action: install PHSS_37700 or subsequent
URL: http://itrc.hp.com
HP-UX B.11.23
=============
WBEMServices.WBEM-CORE-COM
WBEMServices.WBEM-MAN
WBEMServices.WBEM-CORE
action: install PHSS_37701 or subsequent
URL: http://itrc.hp.com
HP-UX B.11.31
=============
WBEMServices.WBEM-CORE-COM
WBEMServices.WBEM-MAN
WBEMServices.WBEM-CORE
action: install PHSS_37891 or subsequent
URL: http://itrc.hp.com
HP-UX B.11.11
=============
WBEMServices.WBEM-CORE-COM
WBEMServices.WBEM-CORE-MAN
WBEMServices.WBEM-CORE
action: install PHSS_37702 or subsequent
URL: http://itrc.hp.com
HP-UX B.11.23
=============
WBEMServices.WBEM-CORE-COM
WBEMServices.WBEM-CORE-MAN
WBEMServices.WBEM-CORE
action: install PHSS_37703 or subsequent
URL: http://itrc.hp.com
HP-UX B.11.31
=============
WBEMServices.WBEM-CORE-COM
WBEMServices.WBEM-CORE-MAN
WBEMServices.WBEM-CORE
action: install PHSS_37704 or subsequent
URL: http://itrc.hp.com
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) - 29 April 2008 Initial release
Version:2 (rev.2) - 05 May 2008 Modified affected versions
Version:3 (rev.3) - 10 February 2009 Added A.02.00.11 patches
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
- check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
- verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.
To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do
* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."
©Copyright 2009 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQA/AwUBSZLZEeAfOvwtKn1ZEQKXVACffWGa5xAbvfzzGKU6ZMsukP1JLX0AoLza
rupPE/zjJRCQsBQXId9DuiW0
=CxQb
-----END PGP SIGNATURE-----
--- End Message ---
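The AFFECTED VERSIONS block in the WBEM bulletin above (and the two similar blocks in the Apache bulletin that follows) is written for the HP-UX Software Assistant, but its layout is regular enough to parse by hand: one or more "HP-UX B.xx.xx" lines, a rule of "=" characters, the fileset names, an "action:" line and an optional URL, with an occasional sub-header such as "For Web Server v.3.02" that labels the entries after it. The parser below is an added example, not HP's code and not the Software Assistant's own parser. It embeds abridged excerpts from the two bulletins as constructed sample input (including a fileset line with a stray space around the dot, which it tolerates) and answers which actions a bulletin lists for a given release and fileset. One limitation to keep in mind: the SWA text does not record which installed revision each patch applies to (the RESOLUTION table does), so the lookup returns every listed action for that release and fileset rather than choosing one.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AffectedEntry:
    releases: List[str]           # HP-UX releases the entry applies to, e.g. ["B.11.23"]
    filesets: List[str]           # fileset names, e.g. ["WBEMServices.WBEM-CORE"]
    action: str                   # text after "action:"
    url: Optional[str] = None     # download location, if the entry lists one
    group: Optional[str] = None   # sub-header such as "Web Server v.2.22", if any


RELEASE_RE = re.compile(r"^HP-UX\s+(B\.\d+\.\d+)$")
RULE_RE = re.compile(r"^=+$")
URL_RE = re.compile(r"^(?:URL:\s*)?(https?://\S+)$")
# PRODUCT.FILESET; a stray space around the dot is tolerated and normalised away
FILESET_RE = re.compile(r"^([A-Za-z0-9_-]+)\s*\.\s*([A-Za-z0-9_-]+)$")


def parse_affected_versions(text: str) -> List[AffectedEntry]:
    """Parse the lines between AFFECTED VERSIONS and END AFFECTED VERSIONS."""
    entries: List[AffectedEntry] = []
    releases: List[str] = []
    filesets: List[str] = []
    group: Optional[str] = None
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "AFFECTED VERSIONS":
            inside = True
            continue
        if line == "END AFFECTED VERSIONS":
            break
        if not inside:
            continue
        m = RELEASE_RE.match(line)
        if m:
            releases.append(m.group(1))
            continue
        if RULE_RE.match(line):
            continue
        if line.lower().startswith("action:"):
            action = line.split(":", 1)[1].strip()
            entries.append(AffectedEntry(releases, filesets, action, group=group))
            releases, filesets = [], []   # the finished entry keeps the old lists
            continue
        m = URL_RE.match(line)
        if m:
            # a URL line directly follows its action line, so it belongs to the last entry
            if entries and entries[-1].url is None and not releases and not filesets:
                entries[-1].url = m.group(1)
            continue
        m = FILESET_RE.match(line)
        if m:
            filesets.append(f"{m.group(1)}.{m.group(2)}")
            continue
        group = line   # anything else is a sub-header labelling the entries that follow
    if releases or filesets:
        raise ValueError("block ended without an action: line")
    return entries


def actions_for(entries: List[AffectedEntry], release: str, fileset: str) -> List[str]:
    """Every action the bulletin lists for this release/fileset pair, in bulletin order."""
    return [e.action for e in entries if release in e.releases and fileset in e.filesets]


# Constructed sample: abridged excerpts of the WBEM and Apache bulletins' SWA text.
SAMPLE = """\
AFFECTED VERSIONS
HP-UX B.11.11
=============
WBEMServices.WBEM-CORE
action: install PHSS_38747 or subsequent
http://itrc.hp.com
HP-UX B.11.11
HP-UX B.11.23
HP-UX B.11.31
=============
WBEMServices.WBEM-CORE-COM
WBEMServices.WBEM-MAN
WBEMServices.WBEM-CORE
action: install revision A.02.00.11 or subsequent
HP-UX B.11.23
=============
WBEMServices.WBEM-CORE-COM
WBEMServices.WBEM-MAN
WBEMServices.WBEM-CORE
action: install PHSS_37701 or subsequent
URL: http://itrc.hp.com
Web Server v.2.22
HP-UX B.11.23
==================
hpuxwsAPCH32.APACHE
hpuxwsAPCH32 .PHP2
hpuxwsTOMCAT.TOMCAT
action: install revision B.2.0.59.07.03 or subsequent
URL: http://software.hp.com
END AFFECTED VERSIONS
"""

if __name__ == "__main__":
    parsed = parse_affected_versions(SAMPLE)
    for e in parsed:
        print(e.group or "-", ",".join(e.releases), len(e.filesets), "filesets:", e.action)
    print(actions_for(parsed, "B.11.23", "WBEMServices.WBEM-CORE"))
```

Feed the whole bulletin text to parse_affected_versions; it ignores everything outside the AFFECTED VERSIONS block, so the HISTORY and legal text do not need to be trimmed first.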
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01650939
Version: 1
HPSBUX02401 SSRT090005 rev.2 - HP-UX Running Apache Web Server Suite, Remote Denial of Service (DoS), Cross-site Scripting (XSS), Execution of Arbitrary Code, Cross-Site Request Forgery (CSRF)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-02-02
Last Updated: 2009-02-12
Potential Security Impact: Remote Denial of Service (DoS), cross-site scripting (XSS), execution of arbitrary code, cross-site request forgery (CSRF)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX running Apache-based Web Server or Tomcat-based Servlet Engine. The vulnerabilities could be exploited remotely to cause a Denial of Service (DoS), cross-site scripting (XSS), execution of arbitrary code, or cross-site request forgery (CSRF). Apache-based Web Server and Tomcat-based Servlet Engine are contained in the Apache Web Server Suite.
References: CVE-2007-6420, CVE-2008-1232, CVE-2008-1947, CVE-2008-2364, CVE-2008-2370, CVE-2008-2938, CVE-2008-2939, CVE-2008-3658
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.23 and B.11.31 running Apache-based Web Server v2.2.8.01.01 or v2.0.59.07.02 or earlier or Tomcat-based Servlet Engine v5.5.27.01.01 or earlier
HP-UX B.11.11 running Apache-based Web Server v2.0.59.07.02 or earlier
BACKGROUND
CVSS 2.0 Base Metrics
===============================================
Reference Base Vector Base Score
CVE-2007-6420 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2008-1232 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2008-1947 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2008-2364 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 5.0
CVE-2008-2370 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 5.0
CVE-2008-2938 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2008-2939 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2008-3658 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 7.5
===============================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
RESOLUTION
HP has provided the following upgrades to resolve these vulnerabilities.
The upgrades are available from the following location:
URL: http://software.hp.com
Note: HP-UX Web Server Suite v3.02 contains HP-UX Apache-based Web Server v2.2.8.01.02 and HP-UX Tomcat-based Servlet Engine 5.5.27.01.01
Note: HP-UX Web Server Suite v2.22 contains HP-UX Apache-based Web Server v2.0.59.07.03 and HP-UX Tomcat-based Servlet Engine 5.5.27.01.01
Web Server Suite Version
HP-UX Release Apache Depot name
==============================================
Web Server Suite Version - Web Server v.3.02
B.11.11 PA-32 HPUXWSATW-B302-32.depot
B.11.23 and B.11.31 PA-32 HPUXWSATW-B302-32.depot
B.11.23 and B.11.31 IA-64 HPUXWSATW-B302-64.depot
Web Server Suite Version - Web Server v.2.22
B.11.11 PA-32 HPUXWSATW-B222-1111.depot
B.11.23 PA-32 HPUXWSATW-B222-1123-32.depot
B.11.23 IA-64 HPUXWSATW-B222-1123-64.depot
B.11.31 IA-32 HPUXWSATW-B222-1131-32.depot
B.11.31 IA-64 HPUXWSATW-B222-1131-64.depot
===============================================
MANUAL ACTIONS: Yes - Update
Install Apache-based Web Server or Tomcat-based Servlet Engine from the Apache Web Server Suite v2.22 or v3.02 or subsequent
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
For Web Server v.3.02
HP-UX B.11.11
==================
hpuxwsAPACHE.APACHE
hpuxwsAPACHE.APACHE2
hpuxwsAPACHE.AUTH_LDAP
hpuxwsAPACHE.AUTH_LDAP2
hpuxwsAPACHE.MOD_JK
hpuxwsAPACHE.MOD_JK2
hpuxwsAPACHE.MOD_PERL
hpuxwsAPACHE.MOD_PERL2
hpuxwsAPACHE.PHP
hpuxwsAPACHE.PHP2
hpuxwsAPACHE.WEBPROXY
hpuxwsTOMCAT.TOMCAT
hpuxwsWEBMIN.WEBMIN
action: install revision B.2.2.8.01.02 or subsequent
URL: http://software.hp.com
HP-UX B.11.23
==================
hpuxws22APCH32.APACHE
hpuxws22APCH32.APACHE2
hpuxws22APCH32.AUTH_LDAP
hpuxws22APCH32.AUTH_LDAP2
hpuxws22APCH32.MOD_JK
hpuxws22APCH32.MOD_JK2
hpuxws22APCH32.MOD_PERL
hpuxws22APCH32.MOD_PERL2
hpuxws22APCH32.PHP
hpuxws22APCH32.PHP2
hpuxws22APCH32.WEBPROXY
hpuxws22APCH32.WEBPROXY2
hpuxws22TOMCAT.TOMCAT
hpuxws22WEBMIN.WEBMIN
action: install revision B.2.2.8.01.02 or subsequent
URL: http://software.hp.com
HP-UX B.11.31
==================
hpuxws22APACHE.APACHE
hpuxws22APACHE.APACHE2
hpuxws22APACHE.AUTH_LDAP
hpuxws22APACHE.AUTH_LDAP2
hpuxws22APACHE.MOD_JK
hpuxws22APACHE.MOD_JK2
hpuxws22APACHE.MOD_PERL
hpuxws22APACHE.MOD_PERL2
hpuxws22APACHE.PHP
hpuxws22APACHE.PHP2
hpuxws22APACHE.WEBPROXY
hpuxws22APACHE.WEBPROXY2
hpuxws22TOMCAT.TOMCAT
hpuxws22WEBMIN.WEBMIN
action: install revision B.2.2.8.01.02 or subsequent
URL: http://software.hp.com
Web Server v.2.22
HP-UX B.11.11
==================
hpuxwsAPACHE.APACHE
hpuxwsAPACHE.APACHE2
hpuxwsAPACHE.AUTH_LDAP
hpuxwsAPACHE.AUTH_LDAP2
hpuxwsAPACHE.MOD_JK
hpuxwsAPACHE.MOD_JK2
hpuxwsAPACHE.MOD_PERL
hpuxwsAPACHE.MOD_PERL2
hpuxwsAPACHE.PHP
hpuxwsAPACHE.PHP2
hpuxwsAPACHE.WEBPROXY
hpuxwsTOMCAT.TOMCAT
hpuxwsWEBMIN.WEBMIN
action: install revision B.2.0.59.07.03 or subsequent
URL: http://software.hp.com
HP-UX B.11.23
==================
hpuxwsAPCH32.APACHE
hpuxwsAPCH32.APACHE2
hpuxwsAPCH32.AUTH_LDAP
hpuxwsAPCH32.AUTH_LDAP2
hpuxwsAPCH32.MOD_JK
hpuxwsAPCH32.MOD_JK2
hpuxwsAPCH32.MOD_PERL
hpuxwsAPCH32.MOD_PERL2
hpuxwsAPCH32.PHP
hpuxwsAPCH32.PHP2
hpuxwsAPCH32.WEBPROXY
hpuxwsTOMCAT.TOMCAT
hpuxwsWEBMIN.HPDOCS
hpuxwsWEBMIN.WEBMIN
action: install revision B.2.0.59.07.03 or subsequent
URL: http://software.hp.com
HP-UX B.11.31
==================
hpuxwsAPCH32.APACHE
hpuxwsAPCH32.APACHE2
hpuxwsAPCH32.AUTH_LDAP
hpuxwsAPCH32.AUTH_LDAP2
hpuxwsAPCH32.MOD_JK
hpuxwsAPCH32.MOD_JK2
hpuxwsAPCH32.MOD_PERL
hpuxwsAPCH32.MOD_PERL2
hpuxwsAPCH32.PHP
hpuxwsAPCH32.PHP2
hpuxwsAPCH32.WEBPROXY
hpuxwsTOMCAT.TOMCAT
hpuxwsWEBMIN.HPDOCS
hpuxwsWEBMIN.WEBMIN
action: install revision B.2.0.59.07.03 or subsequent
URL: http://software.hp.com
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) 2 February 2009 Initial release
Version:2 (rev.2) 12 February 2009 Corrected Affected Versions, clarified Resolution table.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQA/AwUBSZV6JeAfOvwtKn1ZEQI0NACeL5V/0jZJEH3cWXBIRPrHWRcJfAsAoNtx
HHbnT1AsTUHtckEKArrUCgPE
=1kR6
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01623905
Version: 2
HPSBPI02398 SSRT080166 rev.2 - Certain HP LaserJet Printers, HP Color LaserJet Printers, and HP Digital Senders, Remote Unauthorized Access to Files
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-02-04
Last Updated: 2009-02-13
Potential Security Impact: Remote unauthorized access to files
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with certain HP LaserJet printers, HP Color LaserJet printers and HP Digital Senders. The vulnerability could be exploited remotely to gain unauthorized access to files.
References: CVE-2008-4419
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP LaserJet 2410 with firmware prior to 20080819 SPCL112A
HP LaserJet 2420 with firmware prior to 20080819 SPCL112A
HP LaserJet 2430 with firmware prior to 20080819 SPCL112A
HP LaserJet 4250 with firmware prior to 20080819 SPCL015A
HP LaserJet 4350 with firmware prior to 20080819 SPCL015A
HP LaserJet 9040 with firmware prior to 20080819 SPCL110A
HP LaserJet 9050 with firmware prior to 20080819 SPCL110A
HP LaserJet 4345mfp with firmware prior to 09.120.9
HP Color LaserJet 4730mfp with firmware prior to 46.200.9
HP LaserJet 9040mfp with firmware prior to 08.110.9
HP LaserJet 9050mfp with firmware prior to 08.110.9
HP 9200C Digital Sender with firmware prior to 09.120.9
HP Color LaserJet 9500mfp with firmware prior to 08.110.9
BACKGROUND
CVSS 2.0 Base Metrics
===============================================
Reference Base Vector Base Score
CVE-2008-4419 (AV:N/AC:L/Au:N/C:C/I:N/A:N) 7.8
===============================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
The Hewlett-Packard Company thanks the Digital Defense, Inc. (DDI) Vulnerability Research Team (VRT) for reporting this vulnerability to security-alert@hp.com.
RESOLUTION
HP has provided firmware updates and preliminary firmware updates to resolve this vulnerability. The firmware updates and preliminary firmware updates are available as described below.
Note: Each firmware update has instructions for finding the firmware version installed on the product.
Product - Resolved in Firmware Version
HP LaserJet 4345mfp - 09.120.9 or subsequent
HP Color LaserJet 4730mfp - 46.200.9 or subsequent
HP LaserJet 9040mfp - 08.110.9 or subsequent
HP LaserJet 9050mfp - 08.110.9 or subsequent
HP 9200C Digital Sender - 09.120.9 or subsequent
HP Color LaserJet 9500mfp - 08.110.9 or subsequent
Product - Resolved in Preliminary Firmware Version
HP LaserJet 2410 - 20080819 SPCL112A
HP LaserJet 2420 - 20080819 SPCL112A
HP LaserJet 2430 - 20080819 SPCL112A
HP LaserJet 4250 - 20080819 SPCL015A
HP LaserJet 4350 - 20080819 SPCL015A
HP LaserJet 9040 - 20080819 SPCL110A
HP LaserJet 9050 - 20080819 SPCL110A
To Locate the Firmware Update
Browse to http://www.hp.com and do the following:
Select "Support & Drivers"
In Step 1 select "Download drivers and software (and firmware)"
In Step 2 enter one of the following:
HP LaserJet 4345 Multifunction Printer series
HP Color LaserJet 4730 Multifunction Printer series
HP LaserJet 9040/9050 Multifunction Printer series
HP 9200C Digital Sender
HP Color LaserJet 9500 Multifunction Printer series
Click on "Go"
Click on the desired product if necessary
Click on the desired operating system
Click on "Firmware"
To Download and Install the Preliminary Firmware Update for the HP LaserJet 2410, 2420, 2430, 4250, 4350, 9040, 9050
Download the file listed in the table below and the InstallationInstructions.rtf file from ftp://ss080166:ss080166@hprc.external.hp.com/
Note: Two of the files listed below are new in rev.2 of this Security Bulletin:
lj24x0fw_08_112_spcl112A-1.rfu replaces lj24x0fw_08_112_spcl112A.rfu
lj9040-50fw_08_110_spcl110A-1.rfu replaces lj9040-50fw_08_110_spcl110A.rfu
lj24x0fw_08_112_spcl112A.rfu does resolve the vulnerability.
However, the file was incompatible with HP Webjet Admin.
lj24x0fw_08_112_spcl112A-1.rfu works properly with HP Webjet Admin.
lj9040-50fw_08_110_spcl110A.rfu could not be installed by any means.
lj9040-50fw_08_110_spcl110A-1.rfu can be installed properly.
Product - Resolved in Preliminary Firmware Version
HP LaserJet 2410 - lj24x0fw_08_112_spcl112A-1.rfu
HP LaserJet 2420 - lj24x0fw_08_112_spcl112A-1.rfu
HP LaserJet 2430 - lj24x0fw_08_112_spcl112A-1.rfu
HP LaserJet 4250 - lj4x50fw_08_015_spcl015A.rfu
HP LaserJet 4350 - lj4x50fw_08_015_spcl015A.rfu
HP LaserJet 9040 - lj9040-50fw_08_110_spcl110A-1.rfu
HP LaserJet 9050 - lj9040-50fw_08_110_spcl110A-1.rfu
Optionally, verify the MD5 sums.
File - MD5 Sum
lj24x0fw_08_112_spcl112A-1.rfu - 22a4e38319ea259a7acd6e3f2adb3659
lj4x50fw_08_015_spcl015A.rfu - 1acfd981cad26e002f655332b1ba5954
lj9040-50fw_08_110_spcl110A-1.rfu - 4768936d7073206317568497d2374a3e
InstallationInstructions.rtf - 1feb8410771d698ea9599d2fcc462a2d
Install the preliminary firmware update as described in the InstallationInstructions.rtf file.
PRODUCT SPECIFIC INFORMATION
None
HISTORY
Version:1 (rev.1) - 4 February 2009 Initial release
Version:2 (rev.2) - 13 February 2009 New files available
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01661610
Version: 2
HPSBMA02406 SSRT080100 rev.2 - HP OpenView Network Node Manager (OV NNM), Remote Execution of Arbitrary Code, Unauthorized Access to Data
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-02-04
Last Updated: 2009-02-17
Potential Security Impact: Remote execution of arbitrary code, unauthorized access to data.
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM). The vulnerabilities could be exploited remotely to allow execution of arbitrary code or unauthorized access to data.
References: CVE-2008-4559, CVE-2008-4560, CVE-2008-4561, CVE-2008-4562, CVE-2009-0205
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP OpenView Network Node Manager (OV NNM) v7.01, v7.51, v7.53 running on HP-UX, Linux, Solaris, and Windows
BACKGROUND
CVSS 2.0 Base Metrics
===============================================
Reference      Base Vector                    Base Score
CVE-2008-4559  (AV:N/AC:L/Au:N/C:P/I:P/A:P)  7.5
CVE-2008-4560  (AV:N/AC:L/Au:N/C:P/I:N/A:N)  5.0
CVE-2008-4561  (AV:N/AC:L/Au:N/C:P/I:N/A:N)  5.0
CVE-2008-4562  (AV:N/AC:L/Au:N/C:P/I:P/A:P)  7.5
CVE-2009-0205  (AV:N/AC:L/Au:N/C:P/I:P/A:P)  7.5
===============================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
The Hewlett-Packard Company thanks an anonymous researcher working with the iDefense VCP for reporting these vulnerabilities to security-alert@hp.com.
RESOLUTION
HP has made patches available to resolve these vulnerabilities.
The patches are available from http://support.openview.hp.com/selfsolve/patches
Note: The patches are not available from the HP IT Resource Center (ITRC).
OV NNM v7.53
===========
Operating System           Resolved in Patch
HP-UX (IA)                 PHSS_38783 or subsequent
HP-UX (PA)                 PHSS_38782 or subsequent
Linux RedHatAS2.1          LXOV_00089 or subsequent
Linux RedHat4AS-x86_64     LXOV_00090 or subsequent
Solaris                    PSOV_03517 or subsequent
Windows                    NNM_01195 or subsequent
OV NNM v7.51
===========
Upgrade to NNM v7.53 and install the patches listed above. Patch bundles for upgrading from NNM v7.51 to NNM v7.53 are available here: ftp://nnm_753:update@hprc.external.hp.com/
OV NNM v7.01
===========
Operating System           Resolved in Patch
HP-UX (PA)                 PHSS_38761 or subsequent
Solaris                    PSOV_03516 or subsequent
Windows                    NNM_01194 or subsequent
MANUAL ACTIONS: Yes - NonUpdate
Install the patches listed in the Resolution
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS (for HP-UX)
For HP-UX OV NNM 7.51 and 7.53
HP-UX B.11.31
HP-UX B.11.23 (IA)
HP-UX B.11.23 (PA)
HP-UX B.11.11
=============
OVNNMgr.OVNNM-RUN,fr=B.07.50.00
action: install the patches listed in the Resolution
URL: http://support.openview.hp.com/selfsolve/patches
For HP-UX OV NNM 7.01
HP-UX B.11.11
=============
OVNNMgr.OVNNM-RUN,fr=B.07.01.00
action: install the patches listed in the Resolution
URL: http://support.openview.hp.com/selfsolve/patches
END AFFECTED VERSIONS (for HP-UX)
HISTORY
Version:1 (rev.1) - 4 February 2009 Initial release
Version:2 (rev.2) - 17 February 2009 Added CVE-2008-4559, CVE-2008-4560, CVE-2008-4561, CVE-2008-4562
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01601492
Version: 1
HPSBMA02384 SSRT071465 rev.1 - HP OpenView Network Node Manager (OV NNM), Remote Unauthorized Access, Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-02-23
Last Updated: 2009-02-23
Potential Security Impact: Remote unauthorized access, Denial of Service (DoS)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM). The vulnerabilities could be exploited remotely to gain unauthorized access or to create a Denial of Service (DoS).
References: CVE-2007-3698, CVE-2007-3922, SUN Alert 102995, 102997
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP OpenView Network Node Manager (OV NNM) v7.01, v7.51, v7.53 running on HP-UX, Linux, Solaris, and Windows
BACKGROUND
CVSS 2.0 Base Metrics
===============================================
Reference      Base Vector                    Base Score
CVE-2007-3698  (AV:N/AC:M/Au:N/C:N/I:N/A:P)  4.3
CVE-2007-3922  (AV:N/AC:M/Au:N/C:P/I:P/A:P)  6.8
===============================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
RESOLUTION
HP has made patches available to resolve these vulnerabilities.
The patches are available from http://support.openview.hp.com/selfsolve/patches
Note: The patches are not available from the HP IT Resource Center (ITRC).
OV NNM v7.53
===========
Operating System           Resolved in Patch
HP-UX (IA)                 PHSS_38148 or subsequent
HP-UX (PA)                 PHSS_38147 or subsequent
Linux RedHatAS2.1          LXOV_00085 or subsequent
Linux RedHat4AS-x86_64     LXOV_00086 or subsequent
Solaris                    PSOV_03514 or subsequent
Windows                    NNM_01192 or subsequent
OV NNM v7.51
===========
Upgrade to NNM v7.53 and install the patches listed above. Patch bundles for upgrading from NNM v7.51 to NNM v7.53 are available here: ftp://nnm_753:update@hprc.external.hp.com/
OV NNM v7.01
===========
Operating System           Resolved in Patch
HP-UX (PA)                 PHSS_38761 or subsequent
Solaris                    PSOV_03516 or subsequent
Windows                    NNM_01194 or subsequent
MANUAL ACTIONS: Yes - NonUpdate
Install the patches listed in the Resolution
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS (for HP-UX)
For HP-UX OV NNM 7.51 and 7.53
HP-UX B.11.31
HP-UX B.11.23 (IA)
HP-UX B.11.23 (PA)
HP-UX B.11.11
=============
OVNNMgr.OVNNM-RUN,fr=B.07.50.00
action: install the patches listed in the Resolution
URL: http://support.openview.hp.com/selfsolve/patches
For HP-UX OV NNM 7.01
HP-UX B.11.11
=============
OVNNMgr.OVNNM-RUN,fr=B.07.01.00
action: install the patches listed in the Resolution
URL: http://support.openview.hp.com/selfsolve/patches
END AFFECTED VERSIONS (for HP-UX)
HISTORY
Version:1 (rev.1) - 23 February 2009 Initial release
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01678405
Version: 1
HPSBGN02410 SSRT080135 rev.1 - HP Virtual Rooms Client Running on Windows, Remote Execution of Arbitrary Code
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-02-24
Last Updated: 2009-02-24
Potential Security Impact: Remote execution of arbitrary code
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Virtual Rooms client running on Windows. The vulnerability could be exploited to allow remote execution of arbitrary code.
References: CVE-2009-0208
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Virtual Rooms client v7.0 and earlier running on Windows
BACKGROUND
CVSS 2.0 Base Metrics
===============================================
Reference      Base Vector                    Base Score
CVE-2009-0208  (AV:N/AC:L/Au:N/C:P/I:P/A:P)  7.5
===============================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
The Hewlett-Packard Company thanks Will Dormann of CERT/CC for reporting this vulnerability to security-alert@hp.com
RESOLUTION
HP has provided HP Virtual Rooms client v7.0.1 or later to resolve this vulnerability. The upgrade is available from:
https://www.rooms.hp.com
HP Virtual Rooms client v7.0.1 can be installed by using the "Test your setup" link at https://www.rooms.hp.com. Select "Test your setup" from the right navigation bar and follow the instructions.
Note: Installing this new release will also apply the Windows registry "kill bit" for CLSID {00000032-9593-4264-8B29-930B3E4EDCCD}. The kill bit is explained in Microsoft article KB240797 or subsequent: http://support.microsoft.com/kb/240797.
To completely remove HP Virtual Rooms (HPVR) from your system:
Use the HPVR cleaner to remove HP Virtual Rooms from your system. The HPVR Cleaner will remove all HPVR executables and clear all registry entries, without the need to install the new version. Follow the instructions under "Removing HPVR components" here: https://www.rooms.hp.com/resources/.
PRODUCT SPECIFIC INFORMATION
None
HISTORY
Version:1 (rev.1) - 24 February 2009 Initial release
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01650939
Version: 3
HPSBUX02401 SSRT090005 rev.3 - HP-UX Running Apache Web Server Suite, Remote Denial of Service (DoS), Cross-site Scripting (XSS), Execution of Arbitrary Code, Cross-Site Request Forgery (CSRF)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-02-02
Last Updated: 2009-02-25
Potential Security Impact: Remote Denial of Service (DoS), cross-site scripting (XSS), execution of arbitrary code, cross-site request forgery (CSRF)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX running Apache-based Web Server or Tomcat-based Servlet Engine. The vulnerabilities could be exploited remotely to cause a Denial of Service (DoS), cross-site scripting (XSS), execution of arbitrary code, or cross-site request forgery (CSRF). Apache-based Web Server and Tomcat-based Servlet Engine are contained in the Apache Web Server Suite.
References: CVE-2007-6420, CVE-2008-1232, CVE-2008-1947, CVE-2008-2364, CVE-2008-2370, CVE-2008-2938, CVE-2008-2939, CVE-2008-3658
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.23 and B.11.31 running Apache-based Web Server v2.2.8.01.01 or v2.0.59.07.02 or earlier or Tomcat-based Servlet Engine v5.5.27.01 or earlier
HP-UX B.11.11 running Apache-based Web Server v2.0.59.07.02 or earlier or Tomcat-based Servlet Engine v5.5.27.01 or earlier
BACKGROUND
CVSS 2.0 Base Metrics
===============================================
Reference      Base Vector                    Base Score
CVE-2007-6420  (AV:N/AC:M/Au:N/C:N/I:P/A:N)  4.3
CVE-2008-1232  (AV:N/AC:M/Au:N/C:N/I:P/A:N)  4.3
CVE-2008-1947  (AV:N/AC:M/Au:N/C:N/I:P/A:N)  4.3
CVE-2008-2364  (AV:N/AC:M/Au:N/C:N/I:P/A:N)  5.0
CVE-2008-2370  (AV:N/AC:M/Au:N/C:N/I:P/A:N)  5.0
CVE-2008-2938  (AV:N/AC:M/Au:N/C:N/I:P/A:N)  4.3
CVE-2008-2939  (AV:N/AC:M/Au:N/C:N/I:P/A:N)  4.3
CVE-2008-3658  (AV:N/AC:M/Au:N/C:N/I:P/A:N)  7.5
===============================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
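The CVSS 2.0 tables in these bulletins (HPSBMA02406 and HPSBUX02401 above) give a base vector and a base score per CVE; a reader can recompute the score from the vector and see whether the two agree before copying the number into a risk register. The following is an added example, not HP's code: it implements the CVSS v2.0 base-score equation and metric weights from the specification, then checks the rows exactly as printed above. A mismatch means the printed vector and printed score disagree with each other and the canonical entry should be looked up, not that either value is known to be wrong.

```python
"""Recompute CVSS v2.0 base scores from printed base vectors and flag rows
whose printed score does not match. Added example; table rows are copied
verbatim from the HP bulletins, everything else is from the CVSS v2.0 spec."""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2.0 base metric weights (specification values).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}      # Access Vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}     # Confidentiality/Integrity/Availability impact


def parse_vector(vector):
    """Parse '(AV:N/AC:L/Au:N/C:P/I:P/A:P)' into {'AV': 'N', 'AC': 'L', ...}."""
    body = vector.strip().strip("()")
    metrics = {}
    for part in body.split("/"):
        key, sep, value = part.partition(":")
        if not sep:
            raise ValueError("malformed metric %r in %s" % (part, vector))
        metrics[key] = value
    if set(metrics) != {"AV", "AC", "Au", "C", "I", "A"}:
        raise ValueError("incomplete CVSS 2.0 base vector: %s" % vector)
    return metrics


def base_score(vector):
    """CVSS v2.0 base score, rounded to one decimal as the specification requires."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    if impact == 0:
        return 0.0               # f(Impact) = 0 when there is no impact at all
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * 1.176
    return float(Decimal(repr(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def check_table(rows):
    """rows: (reference, printed vector, printed score).
    Returns (reference, printed score, recomputed score) for every row that disagrees."""
    mismatches = []
    for ref, vector, printed in rows:
        computed = base_score(vector)
        if abs(computed - printed) >= 0.05:
            mismatches.append((ref, printed, computed))
    return mismatches


# Rows copied from the HPSBMA02406 bulletin table above.
NNM_TABLE = [
    ("CVE-2008-4559", "(AV:N/AC:L/Au:N/C:P/I:P/A:P)", 7.5),
    ("CVE-2008-4560", "(AV:N/AC:L/Au:N/C:P/I:N/A:N)", 5.0),
    ("CVE-2008-4561", "(AV:N/AC:L/Au:N/C:P/I:N/A:N)", 5.0),
    ("CVE-2008-4562", "(AV:N/AC:L/Au:N/C:P/I:P/A:P)", 7.5),
    ("CVE-2009-0205", "(AV:N/AC:L/Au:N/C:P/I:P/A:P)", 7.5),
]

# Rows copied from the HPSBUX02401 (Apache Web Server Suite) table above.
APACHE_TABLE = [
    ("CVE-2007-6420", "(AV:N/AC:M/Au:N/C:N/I:P/A:N)", 4.3),
    ("CVE-2008-1232", "(AV:N/AC:M/Au:N/C:N/I:P/A:N)", 4.3),
    ("CVE-2008-1947", "(AV:N/AC:M/Au:N/C:N/I:P/A:N)", 4.3),
    ("CVE-2008-2364", "(AV:N/AC:M/Au:N/C:N/I:P/A:N)", 5.0),
    ("CVE-2008-2370", "(AV:N/AC:M/Au:N/C:N/I:P/A:N)", 5.0),
    ("CVE-2008-2938", "(AV:N/AC:M/Au:N/C:N/I:P/A:N)", 4.3),
    ("CVE-2008-2939", "(AV:N/AC:M/Au:N/C:N/I:P/A:N)", 4.3),
    ("CVE-2008-3658", "(AV:N/AC:M/Au:N/C:N/I:P/A:N)", 7.5),
]


if __name__ == "__main__":
    for name, table in (("HPSBMA02406", NNM_TABLE), ("HPSBUX02401", APACHE_TABLE)):
        bad = check_table(table)
        if not bad:
            print("%s: all %d printed scores match their vectors" % (name, len(table)))
        for ref, printed, computed in bad:
            print("%s: %s printed %.1f but vector computes to %.1f, verify the canonical entry"
                  % (name, ref, printed, computed))
```

Every vector in the HPSBUX02401 table as printed evaluates to 4.3, so the rows printed as 5.0 and 7.5 are the ones the check reports.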
RESOLUTION
HP has provided the following upgrades to resolve these vulnerabilities.
The upgrades are available from the following location:
URL: http://software.hp.com
Note: HP-UX Web Server Suite v3.02 contains HP-UX Apache-based Web Server v2.2.8.01.02 and HP-UX Tomcat-based Servlet Engine 5.5.27.01.01
Note: HP-UX Web Server Suite v2.22 contains HP-UX Apache-based Web Server v2.0.59.07.03 and HP-UX Tomcat-based Servlet Engine 5.5.27.01.01
Web Server Suite Version   HP-UX Release         Arch    Apache Depot name
==========================================================================
Web Server v.3.02          B.11.23 and B.11.31   PA-32   HPUXWSATW-B302-32.depot
Web Server v.3.02          B.11.23 and B.11.31   IA-64   HPUXWSATW-B302-64.depot
Web Server v.2.22          B.11.11               PA-32   HPUXWSATW-B222-1111.depot
Web Server v.2.22          B.11.23               PA-32   HPUXWSATW-B222-1123-32.depot
Web Server v.2.22          B.11.23               IA-64   HPUXWSATW-B222-1123-64.depot
Web Server v.2.22          B.11.31               IA-32   HPUXWSATW-B222-1131-32.depot
Web Server v.2.22          B.11.31               IA-64   HPUXWSATW-B222-1131-64.depot
==========================================================================
MANUAL ACTIONS: Yes - Update
Install Apache-based Web Server with Tomcat-based Servlet Engine from the Apache Web Server Suite v2.22 or v3.02 or subsequent
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
For Web Server v3.02
HP-UX B.11.23
==================
hpuxws22APCH32.APACHE
hpuxws22APCH32.APACHE2
hpuxws22TOMCAT.TOMCAT
action: install revision B.2.2.8.01.02 or subsequent
URL: http://software.hp.com
HP-UX B.11.31
==================
hpuxws22APACHE.APACHE
hpuxws22APACHE.APACHE2
hpuxws22TOMCAT.TOMCAT
action: install revision B.2.2.8.01.02 or subsequent
URL: http://software.hp.com
Web Server v2.22
HP-UX B.11.11
==================
hpuxwsAPACHE.APACHE
hpuxwsAPACHE.APACHE2
hpuxwsTOMCAT.TOMCAT
action: install revision B.2.0.59.07.03 or subsequent
URL: http://software.hp.com
HP-UX B.11.23
==================
hpuxwsAPCH32.APACHE
hpuxwsAPCH32.APACHE2
hpuxwsTOMCAT.TOMCAT
action: install revision B.2.0.59.07.03 or subsequent
URL: http://software.hp.com
HP-UX B.11.31
==================
hpuxwsAPCH32.APACHE
hpuxwsAPCH32.APACHE2
hpuxwsTOMCAT.TOMCAT
action: install revision B.2.0.59.07.03 or subsequent
URL: http://software.hp.com
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) 2 February 2009 Initial release
Version:2 (rev.2) 12 February 2009 Corrected Affected Versions, clarified Resolution Table
Version:3 (rev.3) 25 February 2009 Revised Affected Versions and Resolution Table
--- End Message ---