HPSBGN02270 SSRT0822 rev.1 - Re-release of HPSBMI01199 Java Runtime Environment Proxy and JVM, Remote Increased Privilege, Unauthorized Access

  • KM02992664
  • 18-Oct-2017

Summary

A potential security vulnerability has been identified with Java JRE and JVM. This vulnerability could be exploited by a remote user to gain increased privilege or unauthorized access.


SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM02992664 (c01180021)

Version: 1

HPSBGN02270 SSRT0822 rev.1 - Re-release of HPSBMI01199 Java Runtime Environment Proxy and JVM, Remote Increased Privilege, Unauthorized Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2002-07-16

Last Updated: 2007-10-02


Potential Security Impact: Remote increased privilege or unauthorized access

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY

A potential security vulnerability has been identified with Java JRE and JVM. This vulnerability could be exploited by a remote user to gain increased privilege or unauthorized access.

References: SUN Bulletin #00216 & #00218, CAN-2002-0058, CAN-2002-0076, HPSBMI01199

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

Product: Management Software
  Impacted version(s): Compaq Insight Manager 7, Compaq Insight Manager XE, the Compaq Management Agents and the Remote Insight Lights-Out Edition Card leverage Java technology to deliver portions of their functionality. The Java software causing this problem is delivered as part of the Java Runtime Environment used to enable access to these management products and as part of the server-side software embedded in Compaq Insight Manager XE and Compaq Insight Manager 7.

Product: Insight Manager XE
  Impacted version(s): Insight Manager XE uses the Microsoft Java Runtime Environment integrated into Microsoft Internet Explorer.

Product: Insight Manager 7
  Impacted version(s): Insight Manager 7 uses the Sun Java Runtime Environment version 1.3.1 in place of the Microsoft Java Runtime Environment.

Product: Management Agents
  Impacted version(s): See Resolution table.

Product: Remote Insight Lights-Out Edition / Integrated Lights-Out on ProLiant DL360 G2
  Impacted version(s): See Resolution table.

Product: HP Tru64 UNIX
  V4.0f: SDK and JRE 1.1.7B-2
  V4.0g: SDK and JRE 1.1.7B-2
  V5.0a: SDK and JRE 1.1.7B-6
  V5.1:  SDK and JRE 1.1.8-6 (default for tools) and 1.2.2-6
  V5.1a: SDK and JRE 1.1.8-13 (default for tools; includes fix for proxy #0216) and 1.2.2-8

Product: HP NonStop Himalaya
  Impacted version(s): No applets run on the Compaq NonStop Himalaya operating systems. This is not a vulnerability on these systems.

Product: HP OpenVMS
  *Please note that this is an issue for the Alpha architecture only. OpenVMS on VAX does not support Java.
  V7.2, V7.2-1, V7.2-1h1, V7.2-1h2, V7.2-2: SDK and JRE 1.1.6-2
  V7.3: SDK and JRE 1.1.8-5

BACKGROUND

For a PGP signed version of this security bulletin please write to: security-alert@hp.com

Note: This Security Bulletin has been re-released with a new document number but without alteration of content. The purpose of this new number and re-release is to assure the document is available on all customer accessible databases.

This is a reformatted version of Security Bulletin HPSBMI01199 SSRT0822 rev.0. 

RESOLUTION

The following table outlines the suggested resolutions to the vulnerabilities described above. Suggested remedies differ on a product-by-product basis, depending on the developer of the Java Runtime Environment and on any dependencies for synchronization between server-side and client-side components.

Product: Insight Manager XE
  Recommendation: Insight Manager XE uses the Microsoft Java Runtime Environment integrated into Microsoft Internet Explorer. HP recommends that Insight Manager XE users upgrade to Insight Manager 7 SP1, which will be available for download in the first half of May at http://www.compaq.com/manage

  Insight Manager 7 SP1 leverages version 1.3.1_02 of the Sun Java Runtime Environment, which addresses the vulnerabilities described above. Prior to the release of Insight Manager 7 SP1, HP recommends that users exercise care when browsing to sites outside of the internal network using a browser with a vulnerable version of the Microsoft Java Runtime Environment.

  While it is possible to update the browser to the version of the Java Runtime Environment recommended by Microsoft, this version has not been tested with Insight Manager XE and HP cannot guarantee that Insight Manager XE will function properly.

Product: Insight Manager 7
  Recommendation: Insight Manager 7 uses the Sun Java Runtime Environment version 1.3.1 in place of the Microsoft Java Runtime Environment. HP is in the process of incorporating version 1.3.1_02 of the runtime environment, which fixes the aforementioned vulnerability, into Insight Manager 7 Service Pack 1.

  Insight Manager 7 SP1 will be available at the beginning of May. Users may not use version 1.3.1_02 of the plug-in with the current version of Insight Manager 7, as newer versions of the Sun Java Runtime Environment are not backwards compatible and Insight Manager 7 may not function properly if the client-side and server-side runtime environments are not of the same version.

  HP recommends that current Insight Manager 7 users close Microsoft Internet Explorer prior to browsing to untrusted sites outside of the corporate firewall. This ensures that the Java plug-in is closed prior to browsing to sites on the public Internet. With Insight Manager 7 SP1, the requirement to close the browser prior to visiting public sites will be removed.

Product: Management Agents
  Recommendation: Update to the version of the Java Runtime Environment that Microsoft recommends. This information may be found at http://www.microsoft.com/java/vm/dl_vm40.htm

Product: Remote Insight Lights-Out Edition / Integrated Lights-Out on ProLiant DL360 G2
  Recommendation: Update to the Java(TM) 2 Runtime Environment, Standard Edition, version 1.3.1_02, available at http://java.sun.com/j2se/1.3/download.html. To download this software, click on the hyperlink.
Product: HP Tru64 UNIX
  Impacted version(s):
    V4.0f: SDK and JRE 1.1.7B-2
    V4.0g: SDK and JRE 1.1.7B-2
    V5.0a: SDK and JRE 1.1.7B-6
    V5.1:  SDK and JRE 1.1.8-6 (default) and 1.2.2-6
    V5.1a: SDK and JRE 1.1.8-10 (default; includes proxy fix) and 1.2.2-8
  Recommendation:
    HP Tru64 UNIX V4.0f - update to Java 1.1.7B-10
    HP Tru64 UNIX V4.0g - update to Java 1.1.8-14 (includes proxy fix)
    HP Tru64 UNIX V5.0a - update default to Java 1.1.8-14 and update to Java 1.3.1-3 (includes fixes)
    HP Tru64 UNIX V5.1 - update default to 1.1.8-14 (includes fixes) and update Java 1.2.2-8 to Java 1.3.1-3 (includes fixes)
    HP Tru64 UNIX V5.1a - update default to 1.1.8-14 (includes fixes) and update Java 1.2.2-8 to Java 1.3.1-3 (includes fixes)
  Note: HP Tru64 UNIX 5.0 and higher include some Java-based tools that depend on the default Java environment version that ships with the operating system and is installed in /usr/bin. If the default system Java environment version is changed to any release after Java 1.1.8, some operating system tools, such as the SysMan Station, the SysMan Station authentication daemon, and the Logical Storage Manager (LSM) Storage Administrator, will not work correctly. If problems are experienced maintaining the default installation for HP Tru64 V5.0 or later, please contact normal HP Tru64 support channels for assistance.
Product: HP OpenVMS
  Impacted version(s):
    V7.2, V7.2-1, V7.2-1h1, V7.2-1h2, V7.2-2: SDK & JRE 1.1.6-2
    V7.3: SDK & JRE 1.1.8-5
  Recommendation: The following shows the Java versions that are available at http://www.compaq.com/java/alpha and indicates whether each version includes the fix:
    Java 1.3.0-2 (includes proxy fix only)
    Update to: Java 1.3.1-3 (includes fixes)
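As an added example (not part of the HP bulletin), the following Python transcribes the fixed Tru64 and OpenVMS Java versions from the resolution table above and checks whether an installed version string in HP's dash format (for example 1.1.7B-2) meets them, treating 1.1.x and 1.3.x as separate lines so that a 1.2.2 install is flagged for replacement rather than matched against a 1.1.8 fix. The parsing of the '-N' build-number suffix and of letter suffixes such as 7B is an assumption about the version format, and safe_default_for_tools encodes the bulletin's note that the Tru64 5.0+ default must stay on the 1.1.8 line.

```python
import re

# Fixed Java versions per OS release, transcribed from the bulletin's
# resolution table: the minimum acceptable version on each major.minor
# line. A line with no entry (1.2.2 on Tru64) must be replaced, not patched.
FIXED_VERSIONS = {
    "Tru64 V4.0f": ["1.1.7B-10"],
    "Tru64 V4.0g": ["1.1.8-14"],
    "Tru64 V5.0a": ["1.1.8-14", "1.3.1-3"],
    "Tru64 V5.1": ["1.1.8-14", "1.3.1-3"],
    "Tru64 V5.1a": ["1.1.8-14", "1.3.1-3"],
    "OpenVMS Alpha": ["1.3.1-3"],
}
_PART = re.compile(r"^(\d+)([A-Za-z]*)$")

def parse_java_version(text):
    """'1.1.7B-10' -> ((1,''),(1,''),(7,'B'),(10,'')). Assumption: '-N' is
    the HP build number (0 if absent); a letter such as 7B sorts after 7."""
    base, _, build = text.strip().partition("-")
    if build and not build.isdigit():
        raise ValueError("unrecognised Java version: %r" % text)
    parts = []
    for piece in base.split("."):
        m = _PART.match(piece)
        if not m:
            raise ValueError("unrecognised Java version: %r" % text)
        parts.append((int(m.group(1)), m.group(2).upper()))
    parts.append((int(build) if build else 0, ""))
    return tuple(parts)

def track(version):
    """Major.minor line, e.g. (1, 1) for 1.1.8-14, so a 1.1.x fix is never
    mistaken for a fix of the 1.2.2 line."""
    parsed = parse_java_version(version)
    return parsed[0][0], parsed[1][0]

def is_fixed(os_release, installed):
    """True if 'installed' is at or above a fixed version on the same
    major.minor line for this OS release; False if that line has no fix."""
    inst = parse_java_version(installed)
    return any(
        track(fixed) == track(installed) and inst >= parse_java_version(fixed)
        for fixed in FIXED_VERSIONS[os_release]
    )

def safe_default_for_tools(version):
    """Tru64 5.0+ tools (SysMan Station, LSM Storage Administrator) break if
    the /usr/bin default moves past the 1.1.8 line; 1.1.8-14 stays on it."""
    parsed = parse_java_version(version)
    return track(version) == (1, 1) and parsed[2][0] <= 8
```

Sun's underscore format (1.3.1_02, used by the Insight Manager entries) is deliberately rejected with ValueError, since those products are fixed by a service pack rather than a version comparison.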

HISTORY 
Version: 1 (rev.1) - 02 October 2007: Initial release, with an SPC change from MI to GN

Third Party Security Patches: Third party security patches which are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

©Copyright 2007 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.