U radu programskog paketa HP Web Jetadmin, za operacijske sustave Microsoft Windows, otkrivena je sigurnosna ranjivost. HP Web Jetadmin se koristi za nadzor i upravljanje pisačima (eng. printer). Detalji oko uzroka spomenute ranjivosti za sada nisu poznati, no objavljeno je da ju lokalni napadač može iskoristiti za zaobilaženje postavljenih sigurnosnih ograničenja te pristup određenim resursima. Budući da su izdana nova programska rješenja za otklanjanje problema, svim se korisnicima savjetuje njihova instalacija kako bi zaštitili svoja računala od potencijalnih napada.

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02714670

Version: 1
HPSBPI02635 SSRT100391 rev.1 - HP Web Jetadmin Running on Windows, Local Unauthorized Access to Managed Resources
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2011-02-22

Last Updated: 2011-02-22

Potential Security Impact: Local unauthorized access to managed resources

Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY

A potential security vulnerability has been identified with HP Web Jetadmin running on Windows. The vulnerability could be exploited by a local user to gain unauthorized access to resources managed by Web Jetadmin.

References: CVE-2011-0278
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP Web Jetadmin v10.2 Service Release 3 and Service Release 4
BACKGROUND

For a PGP signed version of this security bulletin please write to: Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.

CVSS 2.0 Base Metrics
Reference
	
Base Vector
	
Base Score
CVE-2011-0278
	
(AV:L/AC:L/Au:S/C:P/I:P/A:P)
	
4.3

Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
RESOLUTION

HP has provided HP Web Jetadmin v10.2 Service Release 5 or subsequent to resolve the vulnerability.

HP Web Jetadmin v10.2 Service Release 5 is available here: http://www.hp.com/go/wja

Note: Until HP Web Jetadmin v10.2 Service Release 5 or subsequent is installed the following recommendations can work around the vulnerability. These recommendations are worthwhile even after the update is installed.
Administrators should ensure that

    * HP Web Jetadmin application features are secured from unauthorized access
    * the server hosting HP Web Jetadmin is secured from unauthorized access

HISTORY
Version:1 (rev.1) - 22 February 2011 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
  To: Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
    -check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
    -verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do