__________________________________________________________

              The U.S. Department of Energy
          Computer Incident Advisory Capability
                  ___  __ __    _     ___
                 /       |     /_\   /
                 \___  __|__  /   \  \___
__________________________________________________________

                   INFORMATION BULLETIN

   HP OpenView Operations (OVO) Running on HP-UX and Solaris Vulnerability
                   [HPSBMA02288 SSRT071465 rev. 1]

November 14, 2007 18:00 GMT                                   Number S-055
______________________________________________________________________________
PROBLEM:       Potential security vulnerabilities have been identified in
               OpenView Operations (OVO) running on HP-UX and Solaris.
PLATFORM:      HP OpenView Operations (OVO) 7.1X and 8.X running on HP-UX
               B.11.11, B.11.23, B.11.31, and Solaris
DAMAGE:        May be exploited remotely to gain unauthorized access or to
               create a Denial of Service (DoS).
SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. These vulnerabilities may be exploited
ASSESSMENT:    remotely to gain unauthorized access or to create a Denial
               of Service (DoS).
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/s-055.shtml
 ORIGINAL BULLETIN:  Visit Hewlett-Packard Subscription Service for:
                     HPSBMA02288 SSRT071465 rev. 1
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CVE-2007-3922 CVE-2007-3698
______________________________________________________________________________
[***** Start HPSBMA02288 SSRT071465 rev. 1 *****]

Submitted Date: Mon Nov 05 16:20:04 EST 2007
Title: HPSBMA02288 SSRT071465 rev.1 - HP OpenView Operations (OVO) Running
       on HP-UX and Solaris, Remote Unauthorized Access, Denial of Service
       (DoS)
Document ID: emr_na-c01269450-1
Last Modified Date: Tue Nov 13 18:44:57 EST 2007

Remote unauthorized access, Denial of Service (DoS)

Potential security vulnerabilities have been identified in OpenView
Operations (OVO) running on HP-UX and Solaris. These vulnerabilities may be
exploited remotely to gain unauthorized access or to create a Denial of
Service (DoS).

SUN Alert 102995, 102997, CVE-2007-3922, CVE-2007-3698

HP OpenView Operations (OVO) 7.1X and 8.X running on HP-UX B.11.11, B.11.23,
B.11.31, and Solaris.

Note: The following is for use by the HP-UX Software Assistant. Only the
HP-UX versions are listed.

AFFECTED VERSIONS

For OVO 7.1X
HP-UX B.11.11
=============
OVOPC-WWW.OVOPC-WWW-GUI
action: install PHSS_37197 or subsequent

For OVO 8.X
HP-UX B.11.11
HP-UX B.11.23 (PA)
=============
OVOPC-WWW.OVOPC-WWW-GUI
action: install PHSS_37183 or subsequent

HP-UX B.11.23 (IA)
HP-UX B.11.31
=============
OVOPC-WWW.OVOPC-WWW-GUI
action: install PHSS_37182 or subsequent

END AFFECTED VERSIONS

HP has provided the following patches to resolve the vulnerabilities.
The patches can be downloaded from http://support.openview.hp.com/patches/

OVO 7.1X   HP-UX B.11.11        PHSS_37197 or subsequent
OVO 7.1X   Solaris              ITOSOL_00619 or subsequent
OVO 8.X    HP-UX B.11.11        PHSS_37183 or subsequent
OVO 8.X    HP-UX B.11.23 (PA)   PHSS_37183 or subsequent
OVO 8.X    HP-UX B.11.23 (IA)   PHSS_37182 or subsequent
OVO 8.X    HP-UX B.11.31        PHSS_37182 or subsequent
OVO 8.X    Solaris              ITOSOL_00618 or subsequent

MANUAL ACTIONS: No

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced
application that replaces HP-UX Security Patch Check. It analyzes all
HP-issued Security Bulletins and lists recommended actions that may apply to
a specific HP-UX system. It can also download patches and create a depot
automatically. For more information see: https://www.hp.com/go/swa

HISTORY
Version: 1 (rev.1) - 13 November 2007 Initial release

Third Party Security Patches: Third party security patches which are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

language code: EN_US
regions: Asia Pacific and Japan, Central America, Europe/Middle East/Africa,
         Latin America, Canada, United States
document type: Security Bulletin
object name: c01269450
doc content version: 1
content version date: 13-Nov-2007
content update date: 13-Nov-2007

[***** End HPSBMA02288 SSRT071465 rev. 1 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Hewlett-Packard for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California.
CIAC is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can
be contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not infringe
privately owned rights. Reference herein to any specific commercial
products, process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the University
of California.
The views and opinions of authors expressed herein do not necessarily state
or reflect those of the United States Government or the University of
California, and shall not be used for advertising or product endorsement
purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

S-045: OpenLDAP Security and Enhancement Update
S-046: TeTeX Security Update
S-047: Guidance EnCase Vulnerability
S-048: phpMyAdmin Vulnerability
S-049: Mozilla Firefox Vulnerability
S-050: Horde3 Vulnerabilities
S-051: Perl-Compatible Regular Expression (PCRE) Security Update
S-052: Ruby Security Update
S-053: Vulnerability in Windows URI Handling
S-054: Vulnerability in DNS