A security vulnerability in HP Network Node Manager for the HP-UX, Linux, Solaris and Windows operating systems has been fixed. A remote attacker could have exploited this flaw to carry out XSS (cross-site scripting) attacks.
Package:
HP Network Node Manager i (NNMi) 8.x, HP Network Node Manager i (NNMi) 9.x
Operating systems:
Debian Linux 6.0 (squeeze), Debian Linux sid (unstable), Debian Linux wheezy (testing), Fedora 16, Fedora 17, HP-UX 10.x, HP-UX 11.x, Mandriva Linux 2010.1, Mandriva Linux 2010.2, Mandriva Linux 2011, Mandriva Linux Enterprise Server 5.0, Microsoft Windows XP, Microsoft Windows Server 2003, Microsoft Windows Vista, Microsoft Windows Server 2008, Microsoft Windows 7, Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6, Sun Solaris 7, Sun Solaris 8, Sun Solaris 9, Sun Solaris 10, Sun Solaris 11, SUSE Linux Enterprise Desktop 10, SUSE Linux Enterprise Desktop 11, SUSE Linux Enterprise Server (SLES) 10, SUSE Linux Enterprise Server (SLES) 11, Ubuntu Linux 11.0, Ubuntu Linux 11.04, Ubuntu Linux 11.10, Ubuntu Linux 12.04
Severity:
4.3
Problem:
XSS
Exploitation:
remote
Impact:
arbitrary code execution
Solution:
vendor patch
CVE:
CVE-2012-2018
Original advisory ID:
HPSBMU02783
Source:
Hewlett Packard
Problem:
The problem is caused by a susceptibility to XSS attacks.
Impact:
A remote malicious user can exploit this flaw to carry out XSS attacks.
Solution:
To protect themselves, users are advised to apply the appropriate software update.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03343724
Version: 1
HPSBMU02783 SSRT100806 rev.1 - HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows, Remote Cross Site Scripting (XSS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2012-07-02
Last Updated: 2012-07-02
Potential Security Impact: Remote cross site scripting (XSS)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Network Node Manager I (NNMi) for HP-UX, Linux, Solaris, and Windows. The vulnerabilities could be remotely exploited resulting in cross site scripting (XSS).
References: CVE-2012-2018
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Network Node Manager I (NNMi) v8.x, v9.0x, v9.1x for HP-UX, Linux, Solaris, and Windows
BACKGROUND
For a PGP signed version of this security bulletin please write to: [e-mail address withheld by the source page]
CVSS 2.0 Base Metrics
Reference        Base Vector                     Base Score
CVE-2012-2018    (AV:N/AC:M/Au:N/C:N/I:P/A:N)    4.3
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
RESOLUTION
HP has made hotfixes available to resolve these vulnerabilities for NNMi v9.0x and v9.1x. The hotfixes can be obtained by contacting the normal HP Services support channel. Customers should open a support case to request the following hotfixes. Customers using NNMi v8.x should upgrade to v9.0x or v9.1x and apply the required patch and the hotfix.
For NNMi v9.0x and v9.1x
NNMi Version    Required Patch    Hotfix
9.0x            Patch 5           Hotfix-NNMi-9.0xP5-UI-Security-20120515.zip
9.1x            Patch 3 or 4      Hotfix-NNMi-9.1xP3-P4-UI-Security-20120515.zip
Note: The hotfix must be installed after the required patch. The hotfix must be reinstalled if the required patch is reinstalled.
For NNMi v8.x
Upgrade to v9.0x or v9.1x and apply the required patch and the hotfix listed in the table above.
MANUAL ACTIONS: Yes - Update
Install the applicable patch and hotfix.
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
For HP-UX NNMi v9.0x
HP-UX B.11.31
HP-UX B.11.23 (IA)
=============
HPOvNNM.HPOVNNMUI
action: install Hotfix-NNMi-9.0xP5-UI-Security-20120515.zip
For HP-UX NNMi v9.1x
HP-UX B.11.31
HP-UX B.11.23 (IA)
=============
HPOvNNM.HPOVNNMUI
action: install Hotfix-NNMi-9.1xP3-P4-UI-Security-20120515.zip
For HP-UX NNMi v8.x
HP-UX B.11.31
HP-UX B.11.23 (IA)
=============
HPOvNNM.HPOVNNMUI
action: upgrade to v9.0x or v9.1x and apply the required patch and hotfix
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) - 2 July 2012 Initial release