Otkriveni su i ispravljeni brojni nedostaci vezani uz HP Network Node Manager namijenjem operacijskim sustavima HP-UX, Linux, Solaris i Windows koji koriste PostgreSQL. Zlonamjerni korisnici mogu iskoristiti spomenute nepravilnosti za izvođenje DoS napada te pokretanje proizvoljnog programskog koda.
Paket:
HP Network Node Manager i (NNMi) 8.x, HP Network Node Manager i (NNMi) 9.x
Operacijski sustavi:
Debian Linux 6.0 (squeeze), Debian Linux sid (unstable), Debian Linux wheezy (testing), Fedora 15, Fedora 16, Fedora 17, HP-UX 10.x, HP-UX 11.x, Mandriva Linux 2010.1, Mandriva Linux 2010.2, Mandriva Linux 2011, Mandriva Linux Enterprise Server 5.0, Microsoft Windows XP, Microsoft Windows Server 2003, Microsoft Windows Vista, Microsoft Windows Server 2008, Microsoft Windows 7, Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6, Sun Solaris 7, Sun Solaris 8, Sun Solaris 9, Sun Solaris 10, Sun Solaris 11, SUSE Linux Enterprise Desktop 10, SUSE Linux Enterprise Desktop 11, SUSE Linux Enterprise Server (SLES) 10, SUSE Linux Enterprise Server (SLES) 11, Ubuntu Linux 10.10, Ubuntu Linux 11.0, Ubuntu Linux 11.04, Ubuntu Linux 11.10, Ubuntu Linux 12.04
Kritičnost:
6.3
Problem:
nepravilno rukovanje ovlastima, pogreška u programskoj funkciji, pogreška u programskoj komponenti
Propusti su posljedica pogrešaka u implementacijama PL/perl i PL/Tcl, preljeva međuspremnika u funkciji "gettoken", nepravilnog rukovanja znakom '\0' unutar domenskog imena u CN polju certifikata X.509 te nepravilnog rukovanja ovlastima pri operacijama RESET ALL, RESET ROLE i RESET SESSION AUTHORIZATION.
Posljedica:
Propuste je moguće iskoristiti za izvršavanje zlonamjernog programskog koda i izvođenje napada uskraćivanjem usluge.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03333585
Version: 1
HPSBMU02781 SSRT100617 rev.1 - HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows running PostgreSQL, Remote Execution of Arbitrary Code, Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2012-07-02
Last Updated: 2012-07-02
Potential Security Impact: Remote execution of arbitrary code, Denial of Service (DoS)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows running PostgreSQL. The vulnerabilities could be remotely exploited resulting in execution of arbitrary code and Denial of Service (DoS) .
References: CVE-2009-0922, CVE-2009-3229, CVE-2009-3230, CVE-2009-3231, CVE-2009-4034,
CVE-2009-4136, CVE-2010-1169, CVE-2010-1170, CVE-2010-1975, CVE-2010-3433, CVE-2010-4015
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Network Node Manager I (NNMi) v8.x, v9.0x, v9.1 for HP-UX, Linux, Solaris, and Windows
BACKGROUND
For a PGP signed version of this security bulletin please write to: Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
CVSS 2.0 Base Metrics
Reference
Base Vector
Base Score
CVE-2009-0922
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
4.0
CVE-2009-3229
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
4.0
CVE-2009-3230
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
6.5
CVE-2009-3231
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
6.8
CVE-2009-4034
(AV:N/AC:M/Au:N/C:N/I:P/A:P)
5.8
CVE-2009-4136
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
6.5
CVE-2010-1169
(AV:N/AC:M/Au:S/C:C/I:C/A:C)
8.5
CVE-2010-1170
(AV:N/AC:M/Au:S/C:P/I:P/A:P)
6.0
CVE-2010-1975
(AV:N/AC:L/Au:S/C:P/I:P/A:N)
5.5
CVE-2010-3433
(AV:N/AC:M/Au:S/C:P/I:P/A:P)
6.0
CVE-2010-4015
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
6.5
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002
Note: NNMi v9.1 is affected by only two of the listed CVE numbers: CVE-2010-4015 and CVE-2010-3433. All the listed CVE numbers affect NNMi v9.0x and v8.x.
RESOLUTION
HP has made a hotfixes available to resolve these vulnerabilities for NNMi v9.0x and NNMi v9.1x. Customers should open a support case with the normal HP Support channel to request the applicable hotfix.
NNMi Version
Hotfix
9.0x
Hotfix-NNMi-9.0xP5-Postgres-20120514
9.1x
Hotfix-NNMi-9.1xP3-Postgres-20120510
Customers running NNMi v8.x should upgrade to v9.0x or v9.1x and install the appropriate hotfix.
MANUAL ACTIONS: Yes - NonUpdate
Apply the appropriate hotfix.
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
For NNMi v9.1x
HP-UX B.11.31
HP-UX B.11.23
=============
HPOvNNM.HPOVNMSEMBDDB
action: apply Hotfix-NNMi-9.1xP3-Postgres-20120510
For NNMi v9.0x
HP-UX B.11.31
HP-UX B.11.23
=============
HPOvNNM.HPOVNMSEMBDDB
action: apply Hotfix-NNMi-9.0xP5-Postgres-20120514
For NNMi v8.x
HP-UX B.11.31
HP-UX B.11.23
=============
HPOvNNM.HPOVNMSEMBDDB
action: upgrade to NNMi v9.xx
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) - 2 July 2012 Initial release
Posljednje sigurnosne preporuke