[guru] HP security updates
DATE: Tue, 09 Mar 2010 00:56:47 +0100
HP-UX product family:
---------------------
The HP Enterprise Cluster Master Toolkit (ECMT) contains a security flaw;
a local attacker can gain additional privileges.
A fix for the HP CIFS Server package (samba) has been released, because users
without a home directory could be used to access the entire system.
Fixes for the JRE and JDK packages have been released.
OpenVMS product family:
-----------------------
Because of a flaw in RMS (Record Management Services), a local attacker can
gain additional privileges.
HP OpenView product family:
---------------------------
The Solaris 10 version of the HP Operations Agent allows an attacker remote
access.
The HP Network Node Manager (NNM) allows an attacker remote
access.
Fixes for the JRE and JDK packages have also been released for the HP OpenView
Network Node Manager (OV NNM) product.
Other:
------
On the web interface of the HP StorageWorks 1/8 G2 Tape Autoloader an attacker
can gain admin privileges.
An XSS flaw was found in the Linux and Windows versions of the HP System
Management Homepage (SMH).
A fix for the HP DreamScreen information leak flaw has been released.
The Windows version of HP ProLiant Support Pack 8.30 contains a remote code
execution possibility and an information leak flaw.
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01894850
Version: 1
HPSBUX02464 SSRT090210 rev.1 - HP Enterprise Cluster Master Toolkit (ECMT) running on HP-UX, Local
Unauthorized Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-10-05
Last Updated: 2010-02-01
Potential Security Impact: Local unauthorized access
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified on HP Enterprise Cluster Master Toolkit (ECMT) version
B.05.00 running on HP-UX. This vulnerability could be exploited by local users to gain unauthorized access.
References: CVE-2009-4184
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
ECMT B.05.00 running on HP-UX B.11.23 (11i v2) or HP-UX B.11.31 (11i v3).
Note: ECMT B.05.00 is available for Serviceguard A.11.18 and A.11.19 only. The exploit could allow unauthorized
access to a database managed by Oracle 9i, 10gR1, 10gR2, 11gR1 or Sybase AES 15.0.2 or later.
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2009-4184    (AV:L/AC:L/Au:S/C:C/I:C/A:N)       6.2
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following patches to resolve the vulnerability.
The patches are available from the following location.
http://itrc.hp.com
HP-UX Release / Patch ID
B.11.23 (11i v2) / PHSS_40229 or subsequent
B.11.31 (11i v3) / PHSS_40230 or subsequent
MANUAL ACTIONS: No
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security
Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a
specific HP-UX system. It can also download patches and create a depot automatically. For more information
see: https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.23
==================
SG-Oracle-Tool.CM-ORACLE
SG-Sybase-Tool.CM-SYBASE
action: install PHSS_40229 or subsequent
HP-UX B.11.31
==================
SG-Oracle-Tool.CM-ORACLE
SG-Sybase-Tool.CM-SYBASE
action: install PHSS_40230 or subsequent
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) 1 February 2010 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
-check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
-verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.
To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do
* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."
Copyright 2009 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAktnPv0ACgkQ4B86/C0qfVnkuQCg/jOlzXmDe/w4rMlkfhq8C74b
h/UAoOJyMOU0De+xj6ud/VXWih8Vw3ov
=ORQJ
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01940841
Version: 1
HPSBUX02479 SSRT090212 rev.1 - HP-UX running HP CIFS Server (Samba), Remote Unauthorized Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-01-27
Last Updated: 2010-01-27
Potential Security Impact: Remote unauthorized access
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP-UX running HP CIFS Server (Samba).
The vulnerability could be exploited to gain remote unauthorized access.
References: CVE-2009-2813
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP CIFS Server vA.02.03.04 and vA.02.04 running on HP-UX B.11.11, B.11.23, or B.11.31.
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2009-2813    (AV:N/AC:M/Au:S/C:P/I:P/A:P)       6.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following software updates to resolve this vulnerability.
HP CIFS Server (Samba) vA.02.04.01 for HP-UX B.11.11, B.11.23, B.11.31
HP CIFS Server (Samba) vA.02.03.05 for HP-UX B.11.11, B.11.23, B.11.31
The updates are available for download from
http://www.hp.com/go/softwaredepot/
MANUAL ACTIONS: Yes - Update
Install vA.02.04.01 or subsequent or vA.02.03.05 or subsequent.
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security
Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a
specific HP-UX system. It can also download patches and create a depot automatically. For more information
see: https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.11
HP-UX B.11.23
HP-UX B.11.31
=============
CIFS-Server.CIFS-ADMIN
CIFS-Server.CIFS-DOC
CIFS-Server.CIFS-LIB
CIFS-Server.CIFS-MAN
CIFS-Server.CIFS-RUN
CIFS-Server.CIFS-UTIL
action: install revision A.02.04.01 or subsequent
HP-UX B.11.11
HP-UX B.11.23
=============
CIFS-Server.CIFS-ADMIN
CIFS-Server.CIFS-DOC
CIFS-Server.CIFS-LIB
CIFS-Server.CIFS-RUN
CIFS-Server.CIFS-UTIL
action: install revision A.02.03.05 or subsequent
HP-UX B.11.31
=============
CIFS-Server.CIFS-ADMIN
CIFS-Server.CIFS-DOC
CIFS-Server.CIFS-LIB
CIFS-Server.CIFS-RUN
CIFS-Server.CIFS-UTIL
CIFS-CFSM.CFSM-KRN
CIFS-CFSM.CFSM-RUN
action: install revision A.02.03.05 or subsequent
END AFFECTED VERSIONS
HISTORY
Version: 1 (rev.1) - 27 January 2010 Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAktgtfEACgkQ4B86/C0qfVk3SgCg/I7jRRQW0jkc2WXM108QT0XR
llkAnjxHuSYpssrim1YGCoccpVfKuTAb
=G8eS
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02001423
Version: 1
HPSBOV02505 SSRT100023 rev.1 - HP OpenVMS RMS, Local Escalation of Privilege
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-02-02
Last Updated: 2010-02-02
Potential Security Impact: Local escalation of privilege
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with certain RMS (Record Management Services) patch kits for HP OpenVMS running on ALPHA platforms. The vulnerability could be locally exploited resulting in an escalation of privilege.
References: CVE-2010-0443
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
RMS patch kit VMS83A_RMS-V1000 dated September 2009 and update kit VMS83A_UPDATE-V1100 dated November 2009.
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2010-0443    (AV:L/AC:L/Au:S/C:C/I:C/A:C)       6.8
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has made the following patch kits available to resolve the vulnerability.
The patch kits are available from the following location:
URL: http://itrc.hp.com
Install patch kit VMS83A_RMS-V1100 if either RMS_V1000 or UPDATE_V1100 are installed.
The resolution is also included in VMS83A_UPDATE-V1200.
PRODUCT SPECIFIC INFORMATION
None
HISTORY
Version:1 (rev.1) - 2 February 2010 Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAktoU+IACgkQ4B86/C0qfVk7lgCdGpFUP+cR//O18r0+gUtYg0S1
Rt8AnR6XipZGWaVx2O5X0CrLsVNtMK2F
=FpJ9
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-011
Application: HP StorageWorks 1/8 G2 Tape Autoloader
Versions Affected: firmware v 2.30 and earlier
Vendor URL: http://hp.com/
Bug: Privilege escalation
Exploits: YES
Reported: 30.09.2008
Vendor Response: 30.09.2008
Date of Public Advisory: 10.01.2010
Solution: yes
CVE: CVE-2009-2680
CVSS 2.0: 8.5
Author: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)
Description
***********
Vulnerability found in Web Administration Interface of device HP StorageWorks 1/8 G2 Tape Autoloader.
Default unprivileged user can escalate privileges to administrator.
Details
*******
http://dsecrg.com/pages/vul/show.php?id=111
About
*****
Digital Security is one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.
Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com
Polyakov Alexandr. PCI QSA.
Head of security audit department
Head of Digital Security Research Group
______________________
DIGITAL SECURITY
phone: +7 812 703 1547
+7 812 430 9130
e-mail: a.polyakov@dsec.ru
www.dsec.ru
www.dsecrg.com
www.pcidss.ru
-----------------------------------
This message and any attachment are confidential and may be privileged or otherwise protected
from disclosure. If you are not the intended recipient any use, distribution, copying or disclosure
is strictly prohibited. If you have received this message in error, please notify the sender immediately
either by telephone or by e-mail and delete this message and any attachment from your system. Correspondence
via e-mail is for information purposes only. Digital Security neither makes nor accepts legally binding
statements by e-mail unless otherwise agreed.
-----------------------------------
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02000727
Version: 1
HPSBMA02504 SSRT090220 rev.1 - HP System Management Homepage (SMH) for Linux and Windows, Remote Cross Site Scripting (XSS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-02-03
Last Updated: 2010-02-03
Potential Security Impact: Remote cross site scripting (XSS)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP System Management Homepage (SMH) for Linux and Windows. This vulnerability could be exploited remotely to allow cross site scripting (XSS) and unauthorized access.
References: CVE-2009-4185, ProCheckUp PR09-15
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP System Management Homepage for Windows all versions prior to 6.0
HP System Management Homepage for Linux (x86) all versions prior to 6.0
HP System Management Homepage for Linux (AMD64/EM64T) all versions prior to 6.0
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2009-4185    (AV:N/AC:L/Au:N/C:P/I:N/A:N)       5.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
The Hewlett Packard Company thanks Richard Brain of ProCheckUp Ltd ( http://www.procheckup.com ) for reporting this vulnerability to security-alert@hp.com
RESOLUTION
HP has provided the following resolutions.
HP System Management Homepage for Windows v6.0.0.96 (or subsequent)
HP System Management Homepage for Linux (x86) v6.0.0-95 (or subsequent)
HP System Management Homepage for Linux (AMD64/EM64T) v6.0.0-95 (or subsequent)
Downloads are available from the following locations:
HP System Management Homepage v6.0.0.96 for Windows can be downloaded from
http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareDescription.jsp?lang=en&cc=us&prodTypeId=15351&prodSeriesId=1121486&prodNameId=3288144&swEnvOID=4064&swLang=8&mode=2&taskId=135&swItem=MTX-24b3c024ec034eee9a16c3cb3c
HP System Management Homepage for Linux (x86), v6.0.0-95 for Linux X86 OS can be downloaded from
http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareDescription.jsp?lang=en&cc=us&prodTypeId=15351&prodSeriesId=1121486&prodNameId=3288144&swEnvOID=4048&swLang=8&mode=2&taskId=135&swItem=MTX-07a54b93a826424faf044ba986
HP System Management Homepage for Linux (AMD64/EM64T), v6.0.0-95 for Linux 64-bit OS can be downloaded from
http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareDescription.jsp?lang=en&cc=us&prodTypeId=15351&prodSeriesId=1121486&prodNameId=3288144&swEnvOID=4049&swLang=8&mode=2&taskId=135&swItem=MTX-0ac5d5c51abe472da22373a2f5
Note: The updates can also be located with the following procedure:
1. Browse to http://h20000.www2.hp.com/bizsupport
2. Search for: HP System Management Homepage for Windows Version 6.0.0.96 or HP System Management Homepage for Linux Version 6.0.0-95
PRODUCT SPECIFIC INFORMATION
None
HISTORY
Version:1 (rev.1) - 03 February 2010 Initial Release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAktpsoMACgkQ4B86/C0qfVm63wCfc9U/zJL3DfM279OTG3/LCYij
cOYAn2aUYBz9AhjXU/GdTalhAMDlKG4T
=/iPO
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02002298
Version: 1
HPSBMA02487 SSRT100024 rev.1 - HP Operations Agent Running on Solaris 10, Remote Unauthorized Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-02-08
Last Updated: 2010-02-08
Potential Security Impact: Remote unauthorized access
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential vulnerability has been identified with HP Operations Agent running on Solaris 10. The vulnerability could be exploited remotely to gain unauthorized access.
References: CVE-2010-0444
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Operations Agent 8.51, 8.52, 8.53, 8.60 running on Solaris 10 (sparc/x86/x64)
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2010-0444 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
The vulnerability can be resolved by the following procedure.
Run the following command to identify a vulnerable configuration:
    /usr/bin/passwd -s opc_op
A vulnerable configuration will return this:
    opc_op NP
If the configuration is vulnerable, run the following command:
    /usr/bin/passwd -N opc_op
The command in step 1 should now return this:
    opc_op NL
PRODUCT SPECIFIC INFORMATION
HISTORY
Version:1 (rev.1) - 8 February 2010 Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAktwKBMACgkQ4B86/C0qfVlzwgCgrq29CA3DylcPyJEC2o8gv8u1
tfIAn2O2T6DmoqvmmfvJe6SR1NNfX/u+
=K6jZ
-----END PGP SIGNATURE-----
--- End Message ---
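Added example, not part of the HP bulletin above: a shell helper that interprets `/usr/bin/passwd -s opc_op` output the way the Operations Agent resolution describes (NP is the vulnerable state, NL the state after `passwd -N`). The function names, the host-prefixed collection format and the sample lines are constructed for illustration; treating LK and PS as "not the vulnerable state" is an assumption of this example, since the bulletin names only NP and NL.

```shell
#!/bin/sh
# Interpret Solaris `passwd -s` output for the opc_op account.
# NP = no password (vulnerable per the bulletin), NL = no-login (after passwd -N).
# LK (locked) and PS (password set) are reported as "not NP"; that reading is
# an assumption of this example, not a statement from the bulletin.

ACCOUNT="opc_op"

# Print a verdict for one line of `passwd -s` output.
# Return status: 0 = not in the vulnerable state, 1 = vulnerable, 2 = not interpretable.
opc_op_verdict() {
    # Split the line into account name, status code and any trailing ageing fields.
    read -r name status _rest <<EOF
$1
EOF
    if [ "$name" != "$ACCOUNT" ]; then
        echo "unexpected: line is not for $ACCOUNT"
        return 2
    fi
    case "$status" in
        NP) echo "vulnerable: $ACCOUNT has no password; run /usr/bin/passwd -N $ACCOUNT"
            return 1 ;;
        NL) echo "ok: $ACCOUNT is a no-login account"
            return 0 ;;
        LK) echo "not NP: $ACCOUNT is locked"
            return 0 ;;
        PS) echo "not NP: $ACCOUNT has a password set"
            return 0 ;;
        *)  echo "unexpected: unknown status '$status'"
            return 2 ;;
    esac
}

# Read "<host> <passwd -s output>" lines on stdin and print the hosts that
# still return NP. The host prefix is a constructed collection format, for
# example the result of running the check on each system and tagging the line.
vulnerable_hosts() {
    while read -r host line; do
        [ -n "$host" ] || continue
        opc_op_verdict "$line" >/dev/null && rc=0 || rc=$?
        if [ "$rc" -eq 1 ]; then
            echo "$host"
        fi
    done
}

# Constructed sample input (hostnames and ageing fields are made up).
SAMPLE_FLEET='sol10-a opc_op NP
sol10-b opc_op NL
sol10-c opc_op PS 02/08/10 7 56 7'

# Lists the hosts that still need `passwd -N opc_op`.
printf '%s\n' "$SAMPLE_FLEET" | vulnerable_hosts
```

On a live Solaris 10 system the single-host form is `opc_op_verdict "$(/usr/bin/passwd -s opc_op)"`, run with sufficient privilege to query the account.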
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01997760
Version: 1
HPSBUX02503 SSRT100019 rev.1 - HP-UX Running Java, Remote Increase in Privilege, Denial of Service and Other
Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-02-08
Last Updated: 2010-02-08
Potential Security Impact: Remote Increase in privilege, Denial of Service and other vulnerabilities
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in Java Runtime Environment (JRE) and Java Developer
Kit (JDK) running on HP-UX. These vulnerabilities could allow remote unauthorized access, privilege escalation,
and Denial of Service (DoS).
References: SUN ALERT ID: 270474 (CVE-2009-3867, CVE-2009-3868, CVE-2009-3869, CVE-2009-3871,
CVE-2009-3872, CVE-2009-3873, CVE-2009-3874), 270475 (CVE-2009-3875), 270476 (CVE-2009-3876,
CVE-2009-3877)
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23, B.11.31 running HP JDK and JRE 6.0.05 or earlier
HP-UX B.11.11, B.11.23, B.11.31 running HP JDK and JRE 5.0.18 or earlier
HP-UX B.11.11, B.11.23, B.11.31 running HP Java SDK and RTE 1.4.2.23 or earlier
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2009-3867 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3
CVE-2009-3868 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3
CVE-2009-3869 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3
CVE-2009-3871 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3
CVE-2009-3872 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3
CVE-2009-3873 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3
CVE-2009-3874 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3
CVE-2009-3875 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2009-3876 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2009-3877 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following upgrades to resolve these vulnerabilities.
The upgrades are available from the following location:
http://www.hp.com/go/java
HP-UX B.11.31
JDK and JRE v6.0.06 or subsequent
JDK and JRE v5.0.19 or subsequent
SDK and JRE v1.4.2.24 or subsequent
HP-UX B.11.23
JDK and JRE v6.0.06 or subsequent
JDK and JRE v5.0.19 or subsequent
SDK and JRE v1.4.2.24 or subsequent
HP-UX B.11.11
JDK and JRE v6.0.06 or subsequent
JDK and JRE v5.0.19 or subsequent
SDK and JRE v1.4.2.24 or subsequent
MANUAL ACTIONS: Yes - Update
For Java v6.0.05 and earlier, update to Java v6.0.06 or subsequent
For Java v5.0.18 and earlier, update to Java v5.0.19 or subsequent
For Java v1.4.2.23 and earlier, update to Java v1.4.2.24 or subsequent
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security
Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a
specific HP-UX system. It can also download patches and create a depot automatically. For more information
see: https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.11
HP-UX B.11.23
HP-UX B.11.31
===========
Jre14.JRE14-COM
Jre14.JRE14-PA11
Jre14.JRE14-PA11-HS
Jre14.JRE14-PA20
Jre14.JRE14-PA20-HS
Jre14.JRE14-PA20W
Jre14.JRE14-PA20W-HS
Jre14.JRE14-IPF32
Jre14.JRE14-IPF32-HS
Jre14.JRE14-IPF64
Jre14.JRE14-IPF64-HS
Jdk14.JDK14-COM
Jdk14.JDK14-IPF32
Jdk14.JDK14-IPF64
Jdk14.JDK14-PA11
Jdk14.JDK14-PA20
Jdk14.JDK14-PA20W
action: install revision 1.4.2.24.00 or subsequent
Jre15.JRE15-COM
Jre15.JRE15-PA20
Jre15.JRE15-PA20-HS
Jre15.JRE15-PA20W
Jre15.JRE15-PA20W-HS
Jre15.JRE15-IPF32
Jre15.JRE15-IPF32-HS
Jre15.JRE15-IPF64
Jre15.JRE15-IPF64-HS
Jdk15.JDK15-PA20
Jdk15.JDK15-PA20W
Jdk15.JDK15-COM
Jdk15.JDK15-IPF32
Jdk15.JDK15-IPF64
action: install revision 1.5.0.19.00 or subsequent
Jre60.JRE60-COM
Jre60.JRE60-IPF32
Jre60.JRE60-IPF32-HS
Jre60.JRE60-IPF64
Jre60.JRE60-IPF64-HS
Jre60.JRE60-PA20
Jre60.JRE60-PA20-HS
Jre60.JRE60-PA20W
Jre60.JRE60-PA20W-HS
Jdk60.JDK60-COM
Jdk60.JDK60-IPF32
Jdk60.JDK60-IPF64
Jdk60.JDK60-PA20
Jdk60.JDK60-PA20W
action: install revision 1.6.0.06.00 or subsequent
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) 8 February 2010 Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAktwcwsACgkQ4B86/C0qfVlT3QCfXlKwGcs2EazY3WBGKJA8+mB9
KfEAn1Yajm5oydMuBwRfqIFwAdVH+M3y
=5Obh
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01954593
Version: 1
HPSBMA02484 SSRT090076 rev.1 - HP Network Node Manager (NNM), Remote Execution of Arbitrary Commands
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-02-09
Last Updated: 2010-02-09
Potential Security Impact: Remote execution of arbitrary commands
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Network Node Manager (NNM). The vulnerability could be exploited remotely to execute arbitrary commands.
References: CVE-2010-0445
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Network Node Manager v8.10, v8.11, v8.12, v8.13 running on HP-UX, Linux, Solaris, and Windows
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2010-0445 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has made patches available to resolve the vulnerability.
The patches are available from http://support.openview.hp.com/selfsolve/patches
Note: The patches are not available from the HP IT Resource Center (ITRC).
Network Node Manager v8.10, v8.11, v8.12, v8.13
Operating System    Required Patch
HP-UX (IA)          PHSS_40368 or subsequent
Linux RedHat4AS     NNM810L_00006 or subsequent
Solaris             NNM810S_00006 or subsequent
Windows             NNM810W_00006 or subsequent
MANUAL ACTIONS: No
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS (for HP-UX)
For HP-UX NNM v8.10, v8.11, v8.12, v8.13
HP-UX B.11.31
HP-UX B.11.23 (IA)
=============
HPOvNNM.HPNMSJBOSS
action: install PHSS_40368 or subsequent
END AFFECTED VERSIONS (for HP-UX)
HISTORY
Version:1 (rev.1) - 9 February 2010 Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAktxf5oACgkQ4B86/C0qfVnOOgCghYpUyNJhKtiNlptjuPtObtcz
Y9kAoI2uVhE2A8JZFVKt1YDk23PvcuOi
=GZyP
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02000725
Version: 1
HPSBMA02486 SSRT090049 rev.1 - HP OpenView Network Node Manager (OV NNM) Java Runtime Environment (JRE) and Java Developer Kit (JDK), Remote Execution of Arbitrary Code and Other Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-02-09
Last Updated: 2010-02-09
Potential Security Impact: Remote execution of arbitrary code and other vulnerabilities
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with the Java Runtime Environment (JRE) and Java Developer Kit (JDK) delivered with HP OpenView Network Node Manager (OV NNM). These vulnerabilities may allow remote unauthorized access, privilege escalation, execution of arbitrary code, and creation of a Denial of Service (DoS).
References: CVE-2008-2086, CVE-2008-5339, CVE-2008-5340, CVE-2008-5341, CVE-2008-5342, CVE-2008-5343, CVE-2008-5344, CVE-2008-5345, CVE-2008-5347, CVE-2008-5348, CVE-2008-5350, CVE-2008-5351, CVE-2008-5353, CVE-2008-5354, CVE-2008-5356, CVE-2008-5357, CVE-2008-5358, CVE-2008-5359, CVE-2008-5360
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP OpenView Network Node Manager (OV NNM) v7.51, v7.53 running on HP-UX, Linux, Solaris, and Windows
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2008-2086 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3
CVE-2008-5339 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2008-5341 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2008-5342 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2008-5343 (AV:N/AC:L/Au:N/C:C/I:P/A:P) 9.0
CVE-2008-5344 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2008-5345 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2008-5347 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2008-5348 (AV:N/AC:M/Au:N/C:N/I:N/A:C) 7.1
CVE-2008-5350 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2008-5351 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2008-5353 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2008-5354 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3
CVE-2008-5356 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3
CVE-2008-5357 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3
CVE-2008-5358 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3
CVE-2008-5359 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3
CVE-2008-5360 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has made patches available to resolve the vulnerabilities for NNM v7.53.
The patches are available from http://support.openview.hp.com/selfsolve/patches
Note: The patches are not available from the HP IT Resource Center (ITRC).
OV NNM v7.53
Operating_System          Patch
HP-UX (IA)                PHSS_40374 or subsequent
HP-UX (PA)                PHSS_40375 or subsequent
Linux RedHatAS2.1         LXOV_00101 or subsequent
Linux RedHat4AS-x86_64    LXOV_00102 or subsequent
Solaris                   PSOV_03525 or subsequent
Windows                   NNM_01201 or subsequent
OV NNM v7.51
Upgrade to NNM v7.53 and apply the NNM v7.53 resolution listed above.
Patch bundles for upgrading from NNM v7.51 to NNM v7.53 are available using ftp:
Host              Account    Password
ftp.usa.hp.com    nnm_753    Update53
MANUAL ACTIONS: No
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS (for HP-UX)
For HP-UX OV NNM 7.51 and 7.53
HP-UX B.11.31
HP-UX B.11.23 (IA)
HP-UX B.11.23 (PA)
HP-UX B.11.11
=============
OVNNMgr.OVNNM-RUN,fr=B.07.50.00
action: install the patches listed in the Resolution
END AFFECTED VERSIONS (for HP-UX)
HISTORY
Version:1 (rev.1) - 9 February 2010 Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAktxeKQACgkQ4B86/C0qfVlWBQCeP7TClFAUdBpZKRj8v/gieEfY
73YAoIWby3CP9+BIchYYbZIN9yXsxBmX
=5EV8
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02009377
Version: 1
HPSBPI02507 SSRT100012 rev.2 - HP DreamScreen, Remote Disclosure of Information
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-02-11
Last Updated: 2010-02-11
Potential Security Impact: Remote disclosure of information
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with web-connected HP DreamScreen. This vulnerability could be exploited remotely to allow disclosure of information.
References: CVE-2010-0446
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP DreamScreen 100 firmware earlier than v1.6.0.0
HP DreamScreen 130 firmware earlier than v1.6.0.0
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2010-0446 (AV:N/AC:L/Au:N/C:C/I:N/A:N) 7.8
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following software update, DreamScreen firmware v1.6.0.0 or subsequent. The update is available to an Internet-connected DreamScreen via the built-in automatic update method or by following the steps below:
1. Ensure the device is connected to the Internet
2. From the Home menu, select Setup
3. Highlight and select the Info tab
4. Highlight and select the Software Update button to start the update process
Note: Support Information is available here:
HP DreamScreen 100: http://h10025.www1.hp.com/ewfrf/wc/product?product=3935830&lc=en&cc=us&dlc=en&lang=en&cc=us
HP DreamScreen 130: http://h10025.www1.hp.com/ewfrf/wc/product?product=3935831&lc=en&cc=us&dlc=en&lang=en&cc=us
PRODUCT SPECIFIC INFORMATION:
none
HISTORY
Version:1 (rev.1) - 10 February 2010 Initial Release
Version:2 (rev.2) - 11 February 2010 Added CVE reference
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
-check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
-verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.
To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do
* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."
Copyright 2009 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkt0La8ACgkQ4B86/C0qfVnpBgCghCoXrZeoUhY1PUwLKKd6aYUG
zJcAn08Hpk9WuapIbQF/fvYqsI0B5LC6
=5B7g
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01997644
Version: 1
HPSBMA02488 SSRT100013 rev.1 - HP ProLiant Support Pack 8.30 for Windows, Remote Code Execution, Information Disclosure
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-02-10
Last Updated: 2010-02-10
Potential Security Impact: Remote code execution, information disclosure
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP ProLiant Support Pack 8.30 for Windows. The vulnerabilities could be exploited remotely to execute code and to gain unauthorized access to information.
References: CVE-2009-0901, CVE-2009-2493, CVE-2009-2495, MS09-035
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP ProLiant Support Pack 8.30 for Windows.
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference        Base Vector                     Base Score
CVE-2009-0901    (AV:N/AC:M/Au:N/C:C/I:C/A:C)    9.3
CVE-2009-2493    (AV:N/AC:M/Au:N/C:C/I:C/A:C)    9.3
CVE-2009-2495    (AV:N/AC:L/Au:N/C:C/I:N/A:N)    7.8
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002
RESOLUTION
The HP ProLiant Support Pack 8.30 for Windows installs versions of Microsoft Visual C++ that require security updates.
To resolve the vulnerabilities:
After installing HP ProLiant Support Pack 8.30 for Windows, install the updates recommended by Microsoft in KB973923 and KB973924.
PRODUCT SPECIFIC INFORMATION
None
HISTORY
Version:1 (rev.1) - 10 February 2010 Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAktzCOwACgkQ4B86/C0qfVk+PwCghIKI6lieAia+RQQhw89LmnZ9
uh0An35CItncXdnhTUcoSsnTaaLcHfcP
=7ig3
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02000725
Version: 2
HPSBMA02486 SSRT090049 rev.2 - HP OpenView Network Node Manager (OV NNM) Java Runtime Environment (JRE) and Java Developer Kit (JDK), Remote Execution of Arbitrary Code and Other Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-02-09
Last Updated: 2010-02-12
Potential Security Impact: Remote execution of arbitrary code and other vulnerabilities
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with the Java Runtime Environment (JRE) and Java Developer Kit (JDK) delivered with HP OpenView Network Node Manager (OV NNM). These vulnerabilities may allow remote unauthorized access, privilege escalation, execution of arbitrary code, and creation of a Denial of Service (DoS).
References: CVE-2008-2086, CVE-2008-5339, CVE-2008-5340, CVE-2008-5341, CVE-2008-5342, CVE-2008-5343, CVE-2008-5344, CVE-2008-5345, CVE-2008-5347, CVE-2008-5348, CVE-2008-5350, CVE-2008-5351, CVE-2008-5353, CVE-2008-5354, CVE-2008-5356, CVE-2008-5357, CVE-2008-5358, CVE-2008-5359, CVE-2008-5360
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP OpenView Network Node Manager (OV NNM) v7.51, v7.53 running on HP-UX, Linux, Solaris, and Windows
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference        Base Vector                     Base Score
CVE-2008-2086    (AV:N/AC:M/Au:N/C:C/I:C/A:C)    9.3
CVE-2008-5339    (AV:N/AC:L/Au:N/C:N/I:N/A:P)    5.0
CVE-2008-5341    (AV:N/AC:L/Au:N/C:P/I:N/A:N)    5.0
CVE-2008-5342    (AV:N/AC:L/Au:N/C:P/I:N/A:N)    5.0
CVE-2008-5343    (AV:N/AC:L/Au:N/C:C/I:P/A:P)    9.0
CVE-2008-5344    (AV:N/AC:L/Au:N/C:P/I:P/A:P)    7.5
CVE-2008-5345    (AV:N/AC:L/Au:N/C:P/I:P/A:P)    7.5
CVE-2008-5347    (AV:N/AC:L/Au:N/C:P/I:P/A:P)    7.5
CVE-2008-5348    (AV:N/AC:M/Au:N/C:N/I:N/A:C)    7.1
CVE-2008-5350    (AV:N/AC:L/Au:N/C:P/I:N/A:N)    5.0
CVE-2008-5351    (AV:N/AC:L/Au:N/C:P/I:P/A:P)    7.5
CVE-2008-5353    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
CVE-2008-5354    (AV:N/AC:M/Au:N/C:C/I:C/A:C)    9.3
CVE-2008-5356    (AV:N/AC:M/Au:N/C:C/I:C/A:C)    9.3
CVE-2008-5357    (AV:N/AC:M/Au:N/C:C/I:C/A:C)    9.3
CVE-2008-5358    (AV:N/AC:M/Au:N/C:C/I:C/A:C)    9.3
CVE-2008-5359    (AV:N/AC:M/Au:N/C:C/I:C/A:C)    9.3
CVE-2008-5360    (AV:N/AC:L/Au:N/C:P/I:P/A:N)    6.4
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has made patches available to resolve the vulnerabilities for NNM v7.53.
The patches are available from http://support.openview.hp.com/selfsolve/patches
Note: The patches are not available from the HP IT Resource Center (ITRC).
OV NNM v7.53

Operating_System          Patch
HP-UX (IA)                PHSS_40375 or subsequent
HP-UX (PA)                PHSS_40374 or subsequent
Linux RedHatAS2.1         LXOV_00101 or subsequent
Linux RedHat4AS-x86_64    LXOV_00102 or subsequent
Solaris                   PSOV_03525 or subsequent
Windows                   NNM_01201 or subsequent

OV NNM v7.51
Upgrade to NNM v7.53 and apply the NNM v7.53 resolution listed above.
Patch bundles for upgrading from NNM v7.51 to NNM v7.53 are available using ftp:
Host              Account    Password
ftp.usa.hp.com    nnm_753    Update53
MANUAL ACTIONS: No
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS (for HP-UX)
For HP-UX OV NNM 7.51 and 7.53
HP-UX B.11.31
HP-UX B.11.23 (IA)
HP-UX B.11.23 (PA)
HP-UX B.11.11
=============
OVNNMgr.OVNNM-RUN,fr=B.07.50.00
action: install the patches listed in the Resolution
END AFFECTED VERSIONS (for HP-UX)
HISTORY
Version:1 (rev.1) - 9 February 2010 Initial release
Version:2 (rev.2) - 12 February 2010 PHSS_40375 is for HP-UX (IA), PHSS_40374 is for HP-UX (PA)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkt1YcMACgkQ4B86/C0qfVkH3gCcD/nzjntISJEOhx+E3mOrVJON
vkMAn0bUrhZ2gWx1OSIX2rttpXX9yuc7
=lcJF
-----END PGP SIGNATURE-----
--- End Message ---