Two security vulnerabilities have been identified in the HP Network Node Manager i software package. A remote attacker can exploit them to inject arbitrary HTML and script code (cross-site scripting) that runs in the browser of a user viewing the affected pages.
Package: HP Network Node Manager i (NNMi) 9.x
Operating systems: HP-UX 10.x, HP-UX 11.x, Microsoft Windows XP, Microsoft Windows Server 2003, Microsoft Windows Vista, Microsoft Windows Server 2008, Microsoft Windows 7, Sun Solaris 7, Sun Solaris 8, Sun Solaris 9, Sun Solaris 10, Ubuntu Linux 5.04, Ubuntu Linux 5.10, Ubuntu Linux 6.06, Ubuntu Linux 6.10, Ubuntu Linux 7.04, Ubuntu Linux 7.10, Ubuntu Linux 8.04, Ubuntu Linux 8.10, Ubuntu Linux 9.04, Ubuntu Linux 9.10, Ubuntu Linux 10.04, Ubuntu Linux 10.10, Ubuntu Linux 11.04, Ubuntu Linux 11.10
Severity (CVSS 2.0 base score): 4.3
Problem: XSS (cross-site scripting)
Exploitation: remote
Consequence: injection of HTML and script code
Solution: vendor software patch
CVE: CVE-2011-4155, CVE-2011-4156
Original advisory ID: HPSBMU02708
Source: Hewlett Packard
Problem:
The vulnerabilities are caused by cross-site scripting (XSS) flaws. The CVSS vectors rate the impact as a partial loss of integrity only (C:N/I:P/A:N), exploitable over the network without authentication (AV:N/Au:N).
Consequence:
A remote attacker can exploit them to inject arbitrary HTML and script code that executes in the browser of a user of the affected NNMi pages.
Solution:
All users of the affected software package are advised to apply the available updates: the vendor patches for NNMi 9.0x, or hotfix QCCR1B94799 for NNMi 9.1x.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03035744
Version: 1
HPSBMU02708 SSRT100633 rev.1 - HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows, Remote Cross Site Scripting (XSS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-11-10
Last Updated: 2011-11-10
Potential Security Impact: Remote cross site scripting (XSS)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows. The vulnerabilities could be remotely exploited resulting in cross site scripting (XSS).
References: CVE-2011-4155, CVE-2011-4156
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Network Node Manager i (NNMi) v9.0x, v9.1x for HP-UX, Linux, Solaris, and Windows
BACKGROUND
For a PGP signed version of this security bulletin please write to:
CVSS 2.0 Base Metrics
Reference          Base Vector                       Base Score
CVE-2011-4155      (AV:N/AC:M/Au:N/C:N/I:P/A:N)      4.3
CVE-2011-4156      (AV:N/AC:M/Au:N/C:N/I:P/A:N)      4.3
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
RESOLUTION
HP has made patches available to resolve these vulnerabilities for NNMi 9.0x. HP has made hotfixes available to resolve these vulnerabilities for NNMi 9.1x. The patches are available here: http://support.openview.hp.com/selfsolve/patches
The hotfixes can be obtained by contacting the normal HP Services support channel.
For NNMi 9.0x
Operating System    Patch
HP-UX               PHSS_42328
Linux               NNM900L_00005
Solaris             NNM900S_00005
Windows             NNM900W_00005
For NNMi 9.1x
Operating System    Hotfix Identifier
HP-UX               QCCR1B94799
Linux               QCCR1B94799
Solaris             QCCR1B94799
Windows             QCCR1B94799
NNMi v9.1x Required Patches
QCCR1B94799 can be applied to the unpatched NNMi v9.1x or to NNMi v9.1x with patch 1 or patch 2.
MANUAL ACTIONS: Yes - NonUpdate
For NNMi 9.1x, install the QCCR1B94799 hotfix.
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS (for HP-UX)
For HP-UX NNMi v9.0x
HP-UX B.11.31
HP-UX B.11.23 (IA)
=============
HPOvNNM.HPOVNNMUI
action: install PHSS_42328
For HP-UX NNMi v9.1x
HP-UX B.11.31
HP-UX B.11.23 (IA)
=============
HPOvNNM.HPOVNNMUI
action: install hotfix QCCR1B94799
END AFFECTED VERSIONS (for HP-UX)
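The AFFECTED VERSIONS block above is the text that HP-UX Software Assistant consumes. The following Python parser is an added example and not HP's code: it reads the block as laid out in this bulletin (a "For ..." line opens a record, the lines before the "====" separator name HP-UX releases, the lines after it name filesets, and the "action:" line closes the record) and answers the question an administrator actually has, namely which action applies to a given release. Treating this one bulletin's layout as the grammar is an assumption; HP's official SWA format is not specified on this page, and the embedded sample text is copied from the block above.

```python
"""Parse the AFFECTED VERSIONS block of an HP security bulletin.

Added example, not HP's code. The grammar is inferred from the layout of
HPSBMU02708 as reproduced on this page (a "For ..." header, HP-UX release
lines, a "====" separator, fileset lines, an "action:" line) and is an
assumption rather than HP's published SWA specification.
"""
from dataclasses import dataclass, field

# Sample input: the AFFECTED VERSIONS block copied from the bulletin above.
SWA_TEXT = """\
AFFECTED VERSIONS (for HP-UX)
For HP-UX NNMi v9.0x
HP-UX B.11.31
HP-UX B.11.23 (IA)
=============
HPOvNNM.HPOVNNMUI
action: install PHSS_42328
For HP-UX NNMi v9.1x
HP-UX B.11.31
HP-UX B.11.23 (IA)
=============
HPOvNNM.HPOVNNMUI
action: install hotfix QCCR1B94799
END AFFECTED VERSIONS (for HP-UX)
"""


@dataclass
class AffectedEntry:
    product: str                                   # text after "For ", e.g. "HP-UX NNMi v9.0x"
    releases: list = field(default_factory=list)   # HP-UX release lines before the separator
    filesets: list = field(default_factory=list)   # product.fileset names after the separator
    action: str = ""                               # text after "action:"


def parse_affected_versions(text):
    """Return one AffectedEntry per "For ..." record between the AFFECTED VERSIONS markers."""
    entries = []
    current = None
    in_block = False
    after_separator = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("AFFECTED VERSIONS"):
            in_block = True
            continue
        if line.startswith("END AFFECTED VERSIONS"):
            break
        if not in_block:
            continue
        if line.startswith("For "):
            if current is not None and not current.action:
                raise ValueError(f"record {current.product!r} has no action line")
            current = AffectedEntry(product=line[len("For "):].strip())
            entries.append(current)
            after_separator = False
        elif current is None:
            raise ValueError(f"line outside any record: {line!r}")
        elif set(line) == {"="}:
            after_separator = True
        elif line.startswith("action:"):
            current.action = line[len("action:"):].strip()
        elif after_separator:
            current.filesets.append(line)
        else:
            current.releases.append(line)
    if current is not None and not current.action:
        raise ValueError(f"record {current.product!r} has no action line")
    return entries


def actions_for_release(entries, release):
    """Map product -> required action for the records that list the given HP-UX release."""
    return {e.product: e.action for e in entries if release in e.releases}


if __name__ == "__main__":
    for entry in parse_affected_versions(SWA_TEXT):
        print(entry)
    print(actions_for_release(parse_affected_versions(SWA_TEXT), "HP-UX B.11.31"))
```

On this bulletin the parser yields two records, both covering B.11.31 and B.11.23 (IA) and the HPOvNNM.HPOVNNMUI fileset, with "install PHSS_42328" for v9.0x and "install hotfix QCCR1B94799" for v9.1x; a release the bulletin does not list, such as B.11.11, maps to no action.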
HISTORY
Version:1 (rev.1) - 10 November 2011 Initial release