Print | Rate this content

HPSBMA02279 SSRT071298 rev.1 - HP OpenView Configuration Management (CM) Infrastructure (Radia) and Client Configuration Manager (CCM) Running httpd.tkd, Remote Unauthorized Access to Data

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01205079

Version: 1

HPSBMA02279 SSRT071298 rev.1 - HP OpenView Configuration Management (CM) Infrastructure (Radia) and Client Configuration Manager (CCM) Running httpd.tkd, Remote Unauthorized Access to Data
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2007-10-23

Last Updated: 2007-10-23


Potential Security Impact: Remote unauthorized access to data

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY

A potential vulnerability has been identified with HP OpenView Configuration Management (CM) Infrastructure (Radia) and Client Configuration Manager (CCM) running httpd.tkd. The vulnerability could be exploited to allow remote unauthorized access to data.

References: CVE-2007-5413

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP OpenView Configuration Management (CM) Infrastructure (Radia) v4.0, v4.1, v4.2, v4.2i running httpd.tkd on Windows, HP-UX, AIX, Solaris, and Linux.
HP OpenView Client Configuration Manager (CCM) v2.0 running httpd.tkd on Windows.

BACKGROUND

For a PGP signed version of this security bulletin please write to: security-alert@hp.com

The Hewlett-Packard Company thanks an anonymous researcher working with TippingPoint (www.tippingpoint.com) and the Zero Day Initiative (www.zerodayinitiative.com) for reporting this to security-alert@hp.com.

Note: The httpd.tkd module is used by several OpenView Configuration Management (CM) and OpenView Client Configuration Management (CCM) Infrastructure components. These components include OS Manager, Policy Server, Portal, Patch Manager, Proxy Server, Distributed Configuration Server and Multicast Server. There may be more than one httpd.tkd module on a system. Each must be replaced. Please refer to the patch documentation for further information.

Note: The following is for use by the HP-UX Software Assistant. Only the HP-UX versions are listed

AFFECTED VERSIONS

For CM infrastructure (Radia) v4.0

HP-UX B.11.00
HP-UX B.11.11
HP-UX B.11.23
=============
action: install RADINFRAHPUX1_00009 or subsequent
URL: http://openview.hp.com/ecare/getsupportdoc?docid=RADINFRAHPUX1_00009

For CM infrastructure (Radia) v4.1

HP-UX B.11.00
HP-UX B.11.11
HP-UX B.11.23
=============
action: install RADINFRAHPUX1_00010 or subsequent
URL: http://openview.hp.com/ecare/getsupportdoc?docid=RADINFRAHPUX1_00010

For CM infrastructure (Radia) v4.2

HP-UX B.11.00
HP-UX B.11.11
HP-UX B.11.23
=============
action: install RADINFRASOL_00011 or subsequent
URL: http://openview.hp.com/ecare/getsupportdoc?docid=RADINFRASOL_00011

End Affected Versions

RESOLUTION

HP has provided the following patches to resolve this vulnerability.
The patches and installation instructions are available from the URL's listed below.

Product
Platform
Patch ID
URL
CM Infrastructure v4.0
AIX
RADINFRAAIX_00008 or subsequent
CM Infrastructure v4.0
HP-UX B.11.00
RADINFRAHPUX1_00009 or subsequent
CM Infrastructure v4.0
HP-UX B.11.11
RADINFRAHPUX1_00009or or subsequent
CM Infrastructure v4.0
HP-UX B.11.23
RADINFRAHPUX1_00009 or subsequent
CM Infrastructure v4.0
Linux
RADINFRALNX_00007 or subsequent
CM Infrastructure v4.0
Solaris
RADINFRASOL_00009 or subsequent
CM Infrastructure v4.0
Win32
RADINFRAWIN32_00023 or subsequent
CM Infrastructure v4.0i
Win32
RADINFRAWIN32_00024 or subsequent
CM Infrastructure v4.1
AIX
RADINFRAAIX_00009 or subsequent
CM Infrastructure v4.1
HP-UX B.11.00
RADINFRAHPUX1_00010 or subsequent
CM Infrastructure v4.1
HP-UX B.11.11
RADINFRAHPUX1_00010 or subsequent
CM Infrastructure v4.1
HP-UX B.11.23
RADINFRAHPUX1_00010 or subsequent
CM Infrastructure v4.1
Linux
RADINFRALNX_00008 or subsequent
CM Infrastructure v4.1
Solaris
RADINFRASOL_00010 or subsequent
CM Infrastructure v4.1
Win32
RADINFRAWIN32_00025 or subsequent
CM Infrastructure v4.2
AIX
RADINFRAAIX_00010 or subsequent
CM Infrastructure v4.2
HP-UX B.11.00
RADINFRAHPUX1_00011 or subsequent
CM Infrastructure v4.2
HP-UX B.11.11
RADINFRAHPUX1_00011 or subsequent
CM Infrastructure v4.2
HP-UX B.11.23
RADINFRAHPUX1_00011 or subsequent
CM Infrastructure v4.2
Linux
RADINFRALNX_00009 or subsequent
CM Infrastructure v4.2
Solaris
RADINFRASOL_00011 or subsequent
CM Infrastructure v4.2
Win32
RADINFRAWIN32_00026 or subsequent
CM Infrastructure v4.2 with Patch 3.0.3
Win32
RADINFRAWIN32_00027 or subsequent
CM Infrastructure v4.2i
Win32
RADINFRAWIN32_00028 or subsequent
CCM Infrastructure v2.0
Win32
CCM_00005 or subsequent

MANUAL ACTION: Yes - Update
CM Infrastructure v4.0 HP-UX B.11.00 install RADINFRAHPUX1_00009 or subsequent
CM Infrastructure v4.0 HP-UX B.11.11 install RADINFRAHPUX1_00009 or subsequent
CM Infrastructure v4.0 HP-UX B.11.23 install RADINFRAHPUX1_00009 or subsequent
CM Infrastructure v4.1 HP-UX B.11.00 install RADINFRAHPUX1_00010 or subsequent
CM Infrastructure v4.1 HP-UX B.11.11 install RADINFRAHPUX1_00010 or subsequent
CM Infrastructure v4.1 HP-UX B.11.23 install RADINFRAHPUX1_00010 or subsequent
CM Infrastructure v4.2 HP-UX B.11.00 install RADINFRAHPUX1_00011 or subsequent
CM Infrastructure v4.2 HP-UX B.11.11 install RADINFRAHPUX1_00011 or subsequent
CM Infrastructure v4.2 HP-UX B.11.23 install RADINFRAHPUX1_00011 or subsequent

HISTORY
Version: 1 (rev.1) 23 October 2007 Initial release

©Copyright 2007 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

Provide feedback

Please rate the information on this page to help us improve our content. Thank you!