Otkriveno je više sigurnosnih propusta kod programskog paketa HP OV NNM (HP OpenView Network Node Manager). Napadačima omogućuju stjecanje većih ovlasti, izvođenje DoS (eng. Denial of Service) napada, pregled osjetljivih informacija i izmjenu podataka.
Paket:
HP OpenView Network Node Manager 7.x
Operacijski sustavi:
HP-UX 11.x
Kritičnost:
4
Problem:
cjelobrojno prepisivanje, pogreška u programskoj funkciji
Propusti su posljedica pogreške u modulu "mod_proxy", cjelobrojnog prepisivanja u funkciji "ap_pregsub", nepravilnosti u funkciji "log_cookie", itd. Za više informacija preporuča se čitanje izvorne preporuke.
Posljedica:
Napadači ih mogu iskoristiti za izvođenje DoS napada, povećanje ovlasti, otkrivanje i izmjenu podataka.
Rješenje:
Korisnicima se savjetuje instalacija novih programskih rješenja.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03231301
Version: 1
HPSBMU02748 SSRT100772 rev.1 - HP OpenView Network Node Manager (OV NNM) Running Apache HTTP Server, Remote Unauthorized Disclosure of Information, Unauthorized Modification, Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2012-03-27
Last Updated: 2012-03-27
Potential Security Impact: Remote unauthorized disclosure of information, unauthorized modification, Denial of Service (DoS)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM) running Apache HTTP Server. The vulnerabilities could be exploited remotely resulting in unauthorized disclosure of information, unauthorized modification, or Denial of Service (DoS).
References: CVE-2012-0053, CVE-2012-0031, CVE-2012-0021, CVE-2011-4317, CVE-2011-3607, CVE-2011-3368
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP OpenView Network Node Manager (OV NNM) v7.53 running on HP-UX, Linux, and Solaris.
BACKGROUND
For a PGP signed version of this security bulletin please write to: Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
CVSS 2.0 Base Metrics
Reference
Base Vector
Base Score
CVE-2012-0053
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
4.3
CVE-2012-0031
(AV:L/AC:L/Au:N/C:P/I:P/A:P)
4.6
CVE-2012-0021
(AV:N/AC:H/Au:N/C:N/I:N/A:P)
2.6
CVE-2011-4317
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
4.3
CVE-2011-3607
(AV:L/AC:M/Au:N/C:P/I:P/A:P)
4.4
CVE-2011-3368
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
5.0
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
RESOLUTION
HP has provided a hotfix to resolve the vulnerabilities. The SSRT100772 hotfix is available by contacting the normal HP Services support channel.
MANUAL ACTIONS: Yes - NonUpdate
Install the hotfix for SSRT100772.
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS (for HP-UX)
For HP-UX OV NNM 7.53
HP-UX B.11.31
HP-UX B.11.23 (IA)
HP-UX B.11.23 (PA)
HP-UX B.11.11
=============
OVNNMgr.OVNNM-RUN,fr=B.07.50.00
action: install the hotfix for SSRT100772
END AFFECTED VERSIONS (for HP-UX)
HISTORY
Version:1 (rev.1) - 27 March 2012 Initial release
Posljednje sigurnosne preporuke