SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: KM02992665 (c01180076)
HPSBGN02271 SSRT2253 rev.1 - Re-release of HPSBMI01201 HP Tru64 UNIX & HP OpenVMS running Secure Web Server, Remote Arbitrary Code Execution or Denial of Service (DoS)
Release Date: 2002-06-30
Last Updated: 2007-10-02
Potential Security Impact: Arbitrary code execution or denial of service (DoS)
Source: Hewlett-Packard Company, HP Software Security Response Team
A potential vulnerability has been identified with Compaq's Secure Web Server (CSWS) for HP Tru64 UNIX and HP OpenVMS where remote users may execute arbitrary code or create a denial of service (DoS).
References: CAN-2002-0392, CERT CA-2002-17, HPSBMI01201
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
CSWS for HP Tru64
For a PGP signed version of this security bulletin please write to: firstname.lastname@example.org
Note:This Security Bulletin has been re-released with a new document number but without alteration of content. The purpose of this new number and re-release is to assure the document is available on all customer accessible databases.
This is a reformatted version of Security Bulletin HPSBMI01201 SSRT2253 rev.0.
HP has made the following software updates available to resolve the vulnerability.
HP Tru64 UNIX for V5.0a or later:
A Compaq Secure Web Server security update kit is available for download at:http://tru64unix.compaq.com/internet/download.htm#sws_v591 select and install the CSWS (Compaq Secure Web Server) kit V5.9.1
HP Tru64 UNIX INTERNET EXPRESS V5.9
SECURE WEB SERVER: Internet Express for Tru64 also contains the Secure Web Server. All versions of Internet Express up to and including version 5.9 are affected if the IAEAPCH* subset is installed. Internet Express V5.9 is currently in manufacturing and is scheduled to begin shipping. For all versions of Internet Express, obtain the Secure Web Server for HP Tru64 from the download site and only install the IAEAPCH591 subset (the Secure Web Server subset).
Note: When installing Internet Express version 5.9, the IAEAPCH591 subset will need to be uninstalled, and then reinstalled after the installation of the desired Internet Express subsets (this is mandated by version checking in many of the web related subsets).
Apache 2.0 Early Adopters Kit (2.0.39 beta): All versions are affected prior to version 5.0 (Apache 2.0.39). The latest version of the EAK may be downloaded from:http://www.tru64unix.compaq.com/internet/download.htm
CSWS for HP OpenVMS V7.1-2 or later: A Compaq Secure Web Server security update kit is available for download at:http://www.openvms.compaq.com/openvms/products/ips/apache/csws_patches.html
After completing the update, Compaq strongly recommends that you perform an immediate backup of your system disk so that any subsequent restore operations begin with updated software. Otherwise, you must reapply the patch after a future restore operation.
Note: if at some future time upgrade of the system is anticipated to a later patch version, re-application of the appropriate patch will be necessary.
Third Party Security Patches: Third party security patches which are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."
Â©Copyright 2007 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.