WoodITWork.com


HP Server software affected by HeartBleed: OA, SUM, SMH & iLO


UPDATE: 29/04/2014

HP has released an updated HP Service Pack for ProLiant which contains the Heartbleed fixes.

UPDATE: 22/04/2014

A new issue has been spotted: although iLO devices are not affected by Heartbleed, running a vulnerability scanner against iLO and iLO2 ports can cause the device to lock up, which requires you to physically remove the power or reset the blade to get back iLO functionality.

HP has also updated its advisories to include fixes for SMH, SUM and partly for OA.

The world has been scrambling to understand and mitigate the effects of the HeartBleed SSL vulnerability.

HP has released information about which of its server management products are affected by HeartBleed.

The good news is that the following products are NOT affected.

  • Virtual Connect
  • Integrated Lights Out (iLO) 2, 3, 4
  • HP Insight Control Server Provisioning
  • System Management Homepage (SMH) HP-UX
  • HP OneView
  • Systems Insight Manager
  • NonStop SSL
  • iTP WebServer for NonStop Servers
  • Onboard Administrator for NonStop Integrity Platforms
  • HP-UX
  • OpenVMS

The following products ARE affected and as yet there are no fixes.

Check back with the linked security bulletins or sign up to get HP Security Bulletin alerts at http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

HP System Management Homepage (SMH) Linux and Windows

HP has updated the advisory below with new versions of SMH

HPSBMU02998

The following versions are affected: 7.1.2, 7.2, 7.2.1, 7.2.2, 7.3, 7.3.1

There is no fix as yet and no suggestion from HP as to what to do, so it is best not to access SMH unless it is on a secure and isolated private management network.

If you’ve deployed HP agents to all your servers and included SMH, as is the default, get ready: you’re going to have to update all of your servers. If you thought your impact was limited, think again!

HP Onboard Administrator (OA)

HP has released a new 4.12 version. If you have 4.20 you can downgrade to 4.12 or wait for an update to 4.20. See the advisory below for the updated information.

HPSBMU02994

Versions 4.11 and 4.20 are affected. There is no fix as yet; the only current option is to downgrade your version.

HP Smart Update Manager (HP SUM)

HP SUM 6.3.1 has been released, although the advisory has not yet been updated.

HPSBMU02997

Versions 6.0.0 through to 6.3.0 are affected. HP recommends limiting HP SUM usage to a secure and isolated private management network.

Integrated Lights Out (iLO)

Document: c04249852

Although iLO devices are not affected by Heartbleed, there is another software bug: running a vulnerability scanner against iLO and iLO2 ports can cause the device to lock up, which requires you to physically remove the power or reset the blade to get back iLO functionality. iLO3 and iLO4 are not affected.
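
To apply the version lists above to a real estate, the following added example (not HP's tooling and not part of the original post) triages an inventory export against the affected versions quoted in this post and separately flags iLO and iLO2 hosts that should be kept out of vulnerability scans. The CSV layout, the product labels (`smh`, `oa`, `sum`, `ilo`, `ilo2`) and the hostnames are assumptions made for the example.

```python
import csv
import io

def vkey(version):
    """'7.2' -> (7, 2, 0), so '7.2' and '7.2.0' compare equal."""
    parts = [int(p) for p in version.strip().split(".")]
    if len(parts) > 3:
        raise ValueError("unexpected version format")
    return tuple(parts + [0] * (3 - len(parts)))

# Affected versions exactly as listed in this post.
SMH_AFFECTED = {vkey(v) for v in ("7.1.2", "7.2", "7.2.1", "7.2.2", "7.3", "7.3.1")}
OA_AFFECTED = {vkey(v) for v in ("4.11", "4.20")}
SUM_FIRST, SUM_LAST = vkey("6.0.0"), vkey("6.3.0")  # inclusive range
CHECKS = {
    "smh": lambda v: v in SMH_AFFECTED,           # Linux and Windows SMH only
    "oa": lambda v: v in OA_AFFECTED,
    "sum": lambda v: SUM_FIRST <= v <= SUM_LAST,
}

def classify(product, version):
    product = product.strip().lower()
    if product in ("ilo", "ilo2"):
        return "exclude-from-scan"  # a vulnerability scan can lock these up
    if product not in CHECKS:
        return "review"             # product not covered by the lists above
    try:
        hit = CHECKS[product](vkey(version))
    except ValueError:
        return "review"             # never guess on a version we cannot parse
    return "affected" if hit else "not-listed"

def triage(csv_text):
    groups = {}  # classification -> hosts, from 'host,product,version' rows
    for row in csv.DictReader(io.StringIO(csv_text)):
        groups.setdefault(classify(row["product"], row["version"]), []).append(row["host"])
    return groups

# Constructed inventory: hostnames and version values are made up for the example.
SAMPLE = """host,product,version
web01,smh,7.2.0
enc01,oa,4.12
enc02,oa,4.20
dep01,sum,6.2.1
bl01-ilo,ilo2,
app01,smh,7.2.1.3
"""
```

Hosts returned under `exclude-from-scan` belong on the scanner's exclusion list, and `review` rows need a manual check against the HP bulletins. `not-listed` only means the version does not appear in the affected lists quoted here.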