A new issue has been spotted: although iLO devices are not affected by Heartbleed, running a vulnerability scanner against iLO and iLO2 ports can cause the device to lock up, after which you have to physically remove the power or reset the blade to get iLO functionality back.
HP has also updated its advisories to include fixes for SMH, SUM and partly for OA.
The world has been scrambling to understand and mitigate the effects of the Heartbleed SSL vulnerability.
HP has released information about which of its server management products are affected by Heartbleed.
The good news is that the following products are NOT affected.
- Virtual Connect
- Integrated Lights Out (iLO) 2, 3, 4
- HP Insight Control Server Provisioning
- System Management Homepage (SMH) HP-UX
- HP OneView
- Systems Insight Manager
- NonStop SSL
- iTP WebServer for NonStop Servers
- Onboard Administrator for NonStop Integrity Platforms
The following products ARE affected and as yet there are no fixes.
Check back with the linked security bulletins or sign up to get HP Security Bulletin alerts at http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
HP System Management Homepage (SMH) Linux and Windows
HP has updated the advisory below with new versions of SMH.
The following versions are affected: 7.1.2, 7.2, 7.2.1, 7.2.2, 7.3, 7.3.1
There is no fix as yet and no suggestion from HP as to what to do, so it is best not to access it unless you are on a secure and isolated private management network.
If you’ve deployed HP agents to all your servers and included SMH, as is the default, get ready: you’re going to have to update all of your servers. If you thought your impact was limited, think again!
HP Onboard Administrator (OA)
HP has released a new 4.12 version. If you have 4.20, you can downgrade to 4.12 or wait for an update to 4.20. See the advisory below for the updated information.
Versions 4.11 and 4.20 are affected. There is no fix as yet; the only current option is to downgrade your version.
HP Smart Update Manager (HP SUM)
HP SUM 6.3.1 has been released, although the advisory has not yet been updated.
Versions 6.0.0 through to 6.3.0 are affected. HP recommends limiting HP SUM usage to a secure and isolated private management network.
Integrated Lights Out (iLO)
Although iLO devices are not affected by Heartbleed, there is another software bug: running a vulnerability scanner against iLO and iLO2 ports can cause the device to lock up, after which you have to physically remove the power or reset the blade to get iLO functionality back. iLO3 and iLO4 are not affected.