A security vulnerability has been found in HP Network Node Manager i (NNMi) that allows a malicious attacker to execute arbitrary scripts, better known as an XSS attack.
Package: HP Network Node Manager i (NNMi) 8.x, HP Network Node Manager i (NNMi) 9.x
Operating systems: HP-UX 10.x, HP-UX 11.x, Microsoft Windows 7, Ubuntu Linux 10.04, Ubuntu Linux 10.10, Ubuntu Linux 11.0, Ubuntu Linux 11.04, Ubuntu Linux 11.10, Ubuntu Linux 12.04
Problem: XSS
Exploitation: remote
Impact: arbitrary program code execution
Solution: vendor software patch
CVE: CVE-2012-2022
Original advisory ID: HPSBMU02798
Source: Hewlett Packard
Problem:
The problem occurs because certain unspecified input data is not handled properly before being returned to the user. Versions v8.x, v9.0x, v9.1x and v9.20 for HP-UX, Linux, Solaris and Windows are vulnerable.
Impact:
This flaw allows a remote malicious user to carry out XSS attacks.
Solution:
It is advised to install the required patch first, before applying the latest upgrade.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03405705
Version: 1
HPSBMU02798 SSRT100908 rev.1 - HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows, Remote Cross Site Scripting (XSS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2012-08-02
Last Updated: 2012-08-02
Potential Security Impact: Remote cross site scripting (XSS)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows. The vulnerabilities could be remotely exploited resulting in cross site scripting (XSS).
References: CVE-2012-2022
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Network Node Manager I (NNMi) v8.x, v9.0x, v9.1x, v9.20 for HP-UX, Linux, Solaris, and Windows
BACKGROUND
For a PGP signed version of this security bulletin please write to: [e-mail address hidden by the site's spambot protection]
CVSS 2.0 Base Metrics
| Reference | Base Vector | Base Score |
|---|---|---|
| CVE-2012-2022 | (AV:N/AC:M/Au:N/C:N/I:P/A:N) | 4.3 |
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
RESOLUTION
HP has made hotfixes available to resolve these vulnerabilities for NNMi v9.0x, v9.1x, and v9.20. The hotfixes can be obtained by contacting the normal HP Services support channel. Customers should open a support case to request the following hotfixes. Customers using NNMi v8.x should upgrade to v9.0x, v9.1x, or 9.20 and apply the required patch and the hotfix.
For NNMi v9.0x and v9.1x
| NNMi Version | Required Patch | Hotfix |
|---|---|---|
| 9.0x | Patch 5 | Hotfix-NNMi-9.0xP5-UI-Security-20120801 |
| 9.1x | Patch 3 or 4 | Hotfix-NNMi-9.1xP4-UI-Security-20120801 |
| 9.20 | no patch required | Hotfix-NNMi-9.20-NmsAsShared-20120801 |
Note: The hotfix must be installed after the required patch. The hotfix must be reinstalled if the required patch is reinstalled.
For NNMi v8.x
Upgrade to v9.0x, v9.1x, or v9.20 and apply the required patch and the hotfix listed in the table above.
MANUAL ACTIONS: Yes - Update
Install the applicable patch and hotfix.
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
For HP-UX NNMi v9.0x
HP-UX B.11.31
HP-UX B.11.23 (IA)
=============
HPOvNNM.HPOVNNMUI
action: install Hotfix-NNMi-9.0xP5-UI-Security-20120801
For HP-UX NNMi v9.1x
HP-UX B.11.31
HP-UX B.11.23 (IA)
=============
HPOvNNM.HPOVNNMUI
action: install Hotfix-NNMi-9.1xP4-UI-Security-20120801
For HP-UX NNMi v9.20
HP-UX B.11.31
HP-UX B.11.23 (IA)
=============
HPOvNNM.HPOVNMSASSHARED
action: install Hotfix-NNMi-9.20-NmsAsShared-20120801
For HP-UX NNMi v8.x
HP-UX B.11.31
HP-UX B.11.23 (IA)
=============
HPOvNNM.HPOVNNMUI
action: upgrade to v9.0x or v9.1x and apply the required patch and hotfix
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) - 2 August 2012 Initial release