Home > HP > HP Server software affected by HeartBleed: OA, SUM, SMH & iLO

HP Server software affected by HeartBleed: OA, SUM, SMH & iLO

Heartbleed Bug

UPDATE 29/04/2014

HP has released an updated HP Service Pack for Proliant which contains the Heartbleed fixes.

UPDATE: 22/04/2014

A new issue has been spotted where although iLO devices are not affected by Heartbleed, running a vulnerability scanner against iLO and iLO2 ports can cause the device to lock up which requires you to physically remove the power or reset the blade to get back iLO functionality.

HP has also updated its advisories to include fixes for SMH, SUM and partly for OA.

 

 


 

The world has been scrambling to understand and mitigate the effects of the HeartBleed SSL vulnerability.

HP has released information about which of its server management products are affected by HeartBleed.

The good news is that the following products are NOT affected.

  • Virtual Connect
  • Integrated Lights Out (iLO) 2, 3, 4
  • HP Insight Control Server Provisioning
  • System Management Homepage (SMH) HP-UX
  • HP OneView
  • Systems Insight Manager
  • NonStop SSL
  • iTP WebServer for NonStop Servers
  • Onboard Administrator for NonStop Integrity Platforms
  • HP-UX
  • OpenVMS

The following products ARE affected and as yet there are no fixes.

Check back with the linked security bulletins or sign up to get HP Security Bulletin alerts at http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

HP System Management Homepage (SMH) Linux and Windows

HP has updated the advisory below with new versions of SMH

HPSBMU02998

The following versions are affected: 7.1.2, 7.2, 7.2.1, 7.2.2, 7.3, 7.3.1

No fix as yet, no suggestion from HP as to what to do, best not to access it then unless on a secure and isolated private management network.

If you’ve deployed HP agents to all your servers and include the SMH as is the default, get ready, you’re going to have to update all of your servers, if you thought your impact was limited, think again!

HP Onboard Administrator (OA)

HP has released a new 4.12 version, if you have 4.20 you can downgrade to 4.12 or wait for an update to 4.20. See the advisory below for the updated information.

HPSBMU02994

Versions 4.11 and 4.20 are affected, there is no fix as yet, the only current option is to downgrade your version.

HP Smart Update Manager (HP SUM)

HPSUM 6.3.1 has been released although the advisory has not yet been updated 

HPSBMU02997

Versions 6.0.0 through to 6.3.0 are affected, HP recommend limiting HP SUM usage to a secure and isolated private management network

Integrated Lights Out (iLO)

Document: c04249852

Although iLO devices are not affected by Heartbleed, there is another software bug which means if you run a vulnerability scanner against iLO and iLO2 ports it can cause the device to lock up which requires you to physically remove the power or reset the blade to get back iLO functionality. iLO3 and iLO4 are not affected.

Categories: HP Tags:
  1. Casper42
  2. April 17th, 2014 at 09:57 | #2

    While ILO2 (and ILO1) is not affected by the original heartbleed memory disclosure vulnerability, various heartbleed test scripts or vulnerability scanners apparently cause it to crash.
    The only way to recover a hosed ILO2 seems to be completely removing power to the server or resetting the blade bay through OA.
    See this thread: http://h30499.www3.hp.com/t5/HP-BladeSystem-Management/OA-Heartbleed-update/td-p/6444874

    Someone from HP posted a patched beta image on HP’s FTP site in the thread but the link and other posts relating to it have been deleted. The FTP link to the beta image still works but not sure whether I should really post it.

  3. April 22nd, 2014 at 05:49 | #3

    See this HP advisory for updated versions of HP SUM and SMH (the advisory will update when more are available) : http://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04239413

  4. CLEB
    April 22nd, 2014 at 10:18 | #4

    Updates to SMH and OA are now available from HP support site.

  1. No trackbacks yet.
 

Time limit is exhausted. Please reload the CAPTCHA.