HP has released a revision of the security advisory originally published on 12 April 2011 under the identifier HPSBMA02643, concerning vulnerabilities in the HP Network Node Manager i package. The package is intended for managing complex, dynamic IP computer networks. A local user can exploit the vulnerabilities to gain unauthorized access to documents and to carry out XSS (Cross Site Scripting) attacks. The revision was issued to add CVE identifiers. All users of the vulnerable package are directed to read the original advisory and then upgrade.

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02729035

Version: 2
HPSBMA02643 SSRT100416 rev.2 - HP Network Node Manager i (NNMi), Local Unauthorized Read Access to Files, Remote Cross Site Scripting (XSS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2011-04-12

Last Updated: 2011-04-12

Potential Security Impact: Local unauthorized read access to files, cross site scripting (XSS)

Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY

Potential security vulnerabilities have been identified with HP Network Node Manager i (NNMi). One vulnerability could be exploited by a local user to gain unauthorized access to files. The other vulnerability could result in remote cross site scripting (XSS).

References: CVE-2011-0897 (unauthorized read access), CVE-2011-0898 (XSS)
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP Network Node Manager i v9.00 running on HP-UX, Linux, Solaris, and Windows
BACKGROUND

For a PGP signed version of this security bulletin please write to: [e-mail address hidden by the site's spam protection]

CVSS 2.0 Base Metrics
Reference        Base Vector                     Base Score
CVE-2011-0897    (AV:L/AC:L/Au:S/C:C/I:N/A:N)    4.6
CVE-2011-0898    (AV:N/AC:M/Au:N/C:N/I:P/A:N)    4.3

Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
RESOLUTION

HP has made patches available to resolve the vulnerabilities.

The patches are available from http://support.openview.hp.com/selfsolve/patches

Network Node Manager v9.00
Operating System    Required Patch
HP-UX (IA)          PHSS_41540 or subsequent
Linux RedHat4AS     NNM900L_00003 or subsequent
Solaris             NNM900S_00003 or subsequent
Windows             NNM900W_00003 or subsequent

MANUAL ACTIONS: No

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS (for HP-UX)

For HP-UX NNMi v9.00
HP-UX B.11.31
HP-UX B.11.23 (IA)
=============
HPOvNNM.HPOVNMSCOMMON
action: install PHSS_41540 or subsequent

END AFFECTED VERSIONS (for HP-UX)

HISTORY
Version:1 (rev.1) - 12 April 2011 Initial release
Version:2 (rev.2) - 12 April 2011 Added CVE numbers

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
