HP Server software affected by HeartBleed: OA, SUM, SMH & iLO
UPDATE: 29/04/2014
HP has released an updated HP Service Pack for ProLiant which contains the Heartbleed fixes.
UPDATE: 22/04/2014
A new issue has been spotted: although iLO devices are not affected by Heartbleed, running a vulnerability scanner against iLO and iLO2 ports can cause the device to lock up, after which you have to physically remove the power or reset the blade to get iLO functionality back.
HP has also updated its advisories to include fixes for SMH, SUM and partly for OA.
The world has been scrambling to understand and mitigate the effects of the Heartbleed SSL vulnerability.
HP has released information about which of its server management products are affected by Heartbleed.
The good news is that the following products are NOT affected.
- Virtual Connect
- Integrated Lights Out (iLO) 2, 3, 4
- HP Insight Control Server Provisioning
- System Management Homepage (SMH) HP-UX
- HP OneView
- Systems Insight Manager
- NonStop SSL
- iTP WebServer for NonStop Servers
- Onboard Administrator for NonStop Integrity Platforms
- HP-UX
- OpenVMS
The following products ARE affected and as yet there are no fixes.
Check back with the linked security bulletins or sign up to get HP Security Bulletin alerts at http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
HP System Management Homepage (SMH) Linux and Windows
HP has updated the advisory below with new versions of SMH.
The following versions are affected: 7.1.2, 7.2, 7.2.1, 7.2.2, 7.3, 7.3.1
There is no fix as yet and no suggestion from HP as to what to do, so it is best not to access it unless you are on a secure and isolated private management network.
If you’ve deployed HP agents to all your servers and included SMH, as is the default, get ready: you’re going to have to update all of your servers. If you thought your impact was limited, think again!
HP Onboard Administrator (OA)
HP has released a new 4.12 version. If you have 4.20 you can downgrade to 4.12 or wait for an update to 4.20. See the advisory below for the updated information.
Versions 4.11 and 4.20 are affected. There is no fix as yet; the only current option is to downgrade your version.
HP Smart Update Manager (HP SUM)
HP SUM 6.3.1 has been released, although the advisory has not yet been updated.
Versions 6.0.0 through to 6.3.0 are affected. HP recommends limiting HP SUM usage to a secure and isolated private management network.
Integrated Lights Out (iLO)
Document: c04249852
Although iLO devices are not affected by Heartbleed, another software bug means that running a vulnerability scanner against iLO and iLO2 ports can cause the device to lock up. To get iLO functionality back you then have to physically remove the power or reset the blade. iLO3 and iLO4 are not affected.
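As an added example (not HP's code and not part of the original post), the Python below triages a management inventory against the affected versions listed above and keeps iLO and iLO2 interfaces out of vulnerability-scan target lists. The CSV layout, host names and iLO firmware versions are constructed assumptions.

```python
import csv
import io

# Affected versions exactly as listed on this page.
SMH_AFFECTED = {"7.1.2", "7.2", "7.2.1", "7.2.2", "7.3", "7.3.1"}  # Linux/Windows only
OA_AFFECTED = {"4.11", "4.20"}
SUM_FIRST, SUM_LAST = (6, 0, 0), (6, 3, 0)  # inclusive range
SCAN_LOCKUP = {"ilo", "ilo2"}  # not Heartbleed-affected, but lock up when scanned

def vtuple(version):
    """'6.3' -> (6, 3, 0) so dotted versions compare numerically."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(product, version, platform):
    product, platform = product.lower(), platform.lower()
    if product == "smh":
        return platform in ("linux", "windows") and version in SMH_AFFECTED
    if product == "oa":
        return version in OA_AFFECTED
    if product == "sum":
        return SUM_FIRST <= vtuple(version) <= SUM_LAST
    return False

def plan(inventory_csv):
    """Split an inventory into hosts to update and hosts to keep out of scans."""
    result = {"update": [], "never_scan": [], "scan_ok": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if is_affected(row["product"], row["version"], row["platform"]):
            result["update"].append(row["host"])
        if row["product"].lower() in SCAN_LOCKUP:
            result["never_scan"].append(row["host"])
        else:
            result["scan_ok"].append(row["host"])
    return result

# Constructed sample inventory (hosts and iLO firmware versions are made up).
SAMPLE = """host,product,version,platform
web01,SMH,7.3.1,linux
db01,SMH,7.3.2.1,windows
ux01,SMH,7.3.1,hp-ux
enc01,OA,4.20,
enc02,OA,4.12,
dep01,SUM,6.2.0,
dep02,SUM,6.3.1,
bl01-ilo,iLO2,2.25,
bl02-ilo,iLO4,1.40,
"""

if __name__ == "__main__":
    for bucket, hosts in plan(SAMPLE).items():
        print(bucket, hosts)
```

Feed the `never_scan` bucket into the scanner's exclusion list before any Heartbleed sweep of the management network.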
Here are the patched versions of SMH.
Windows
64
7.3.2.1 = cp023240 = http://ftp.hp.com/pub/softlib2/software1/sc-windows/p221526337/v96952/cp023240.exe
7.2.3.1 = cp023243 = http://ftp.hp.com/pub/softlib2/software1/sc-windows/p221526337/v96957/cp023243.exe
32
7.3.2.1 = cp023239 = http://ftp.hp.com/pub/softlib2/software1/sc-windows/p11160892/v96949/cp023239.exe
7.2.3.1 = cp023242 = http://ftp.hp.com/pub/softlib2/software1/sc-windows/p11160892/v96955/cp023242.exe
Linux
64
7.3.2.1 = http://ftp.hp.com/pub/softlib2/software1/pubsw-linux/p1507410135/v96951/hpsmh-7.3.2-1.x86_64.rpm
32
7.3.2.1 = http://ftp.hp.com/pub/softlib2/software1/pubsw-linux/p1980463820/v96948/hpsmh-7.3.2-1.i386.rpm
No update yet on OA or SUM.
While ILO2 (and ILO1) is not affected by the original Heartbleed memory disclosure vulnerability, various Heartbleed test scripts or vulnerability scanners apparently cause it to crash.
The only way to recover a hosed ILO2 seems to be completely removing power to the server or resetting the blade bay through OA.
See this thread: http://h30499.www3.hp.com/t5/HP-BladeSystem-Management/OA-Heartbleed-update/td-p/6444874
Someone from HP posted a patched beta image on HP’s FTP site in the thread but the link and other posts relating to it have been deleted. The FTP link to the beta image still works but not sure whether I should really post it.
See this HP advisory for updated versions of HP SUM and SMH (the advisory will update when more are available): http://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04239413
Updates to SMH and OA are now available from the HP support site.