HPSBGN03305 rev.1 - HP Business Service Management (BSM) products running SSLv3, Remote Disclosure of Information

Document ID:KM02993420
Creation Date:19-Oct-2017
Modified Date:19-Oct-2017

Summary

A potential security vulnerability has been identified with HP Business Service Management (BSM), SiteScope, Business Service Management (BSM) Integration Adaptor, Operations Manager for Windows, Unix and Linux, Reporter, Operation Agent Virtual Appliance, Performance Manager, Virtualization Performance Viewer, Operations Agent, BSM Connector and Service Health Reporter running SSLv3. The vulnerability could be exploited remotely to allow disclosure of information. Note: This is the SSLv3 vulnerability known as "Padding Oracle on Downgraded Legacy Encryption" also known as "POODLE", which could be exploited remotely to allow disclosure of information.

Reference

		SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM02993420 (c04626982)

Version: 1

		HPSBGN03305 rev.1 - HP Business Service Management (BSM) products running SSLv3, Remote Disclosure of Information

		NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2015-04-21

Last Updated: 2015-04-21

Potential Security Impact: Remote disclosure of information

Source: Hewlett Packard Enterprise, HPE Product Security Response Team

VULNERABILITY SUMMARY

Note: This is the SSLv3 vulnerability known as "Padding Oracle on Downgraded Legacy Encryption" also known as "POODLE", which could be exploited remotely to allow disclosure of information.

		References:
		
				CVE-2014-3566

				SSRT102009

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

		
							Product

							Impacted Version

							HP Integration Adaptor

							v 9.1X

							HP Operations Manager for Windows

							v8.10, v8.16, v9.0

							HP Operations Manager for Unix/Linux

							v 9.1x, v9.20

							HP Operations Manager i

							v9.1x, v9.2x

							HP Reporter

							v3.90, v4.0

							HP Operation Agent Virtual Appliance

							v11.11, v11.12, v11.13, v11.14

							HP Performance Manager

							v 9.0x, v9.20

							HP Virtualization Performance Viewer

							v1.0, v1.1, v1.2, v2.0, v2.01

							HP Operations Agent

							v11.0, v11.01, v11.02,v11.03 v11.04,v11.05,v11.10,v11.11, v11.12,v11.13,v11.20,v11.14

							HP SiteScope

							v11.1x, v11.2x

							Business Service Manager (BSM)

							v8.x, v9.1x, v9.2x

							HP BSM Connector

							v9.20, v9.21, v9.22, v9.23

							HP Service Health Reporter

							v9.20, v9.30, v9.31, v9.32, v9.40

Product	Impacted Version
HP Integration Adaptor	v 9.1X
HP Operations Manager for Windows	v8.10, v8.16, v9.0
HP Operations Manager for Unix/Linux	v 9.1x, v9.20
HP Operations Manager i	v9.1x, v9.2x
HP Reporter	v3.90, v4.0
HP Operation Agent Virtual Appliance	v11.11, v11.12, v11.13, v11.14
HP Performance Manager	v 9.0x, v9.20
HP Virtualization Performance Viewer	v1.0, v1.1, v1.2, v2.0, v2.01
HP Operations Agent	v11.0, v11.01, v11.02,v11.03 v11.04,v11.05,v11.10,v11.11, v11.12,v11.13,v11.20,v11.14
HP SiteScope	v11.1x, v11.2x
Business Service Manager (BSM)	v8.x, v9.1x, v9.2x
HP BSM Connector	v9.20, v9.21, v9.22, v9.23
HP Service Health Reporter	v9.20, v9.30, v9.31, v9.32, v9.40

BACKGROUND

		CVSS 2.0 Base Metrics
		
							Reference

							Base Vector

							Base Score

							CVE-2014-3566

							(AV:N/AC:M/Au:N/C:P/I:N/A:N)

							4.3

		Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

Reference	Base Vector	Base Score
CVE-2014-3566	(AV:N/AC:M/Au:N/C:P/I:N/A:N)	4.3

RESOLUTION

HP has released the following software update to resolve the vulnerability in the below products:

		
							Product

							Affected versions

							Links to resolution

							HP Integration Adaptor

							v9.1X

							https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01451927?lang=en&cc=cr&hpappid=OSP

							HP Operations Manager for Windows

							v8.10, v8.16, v9.0

							https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01451928?lang=en&cc=cr&hpappid=OSP

							HP Operations Manager for Unix/Linux

							v9.1x, v9.20

							https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01451925?lang=en&cc=cr&hpappid=OSP

							HP Operations Manager i

							v9.1x, v9.2x

							https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04510230

							HP Reporter

							v3.90, v4.0

							https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01451924

							HP Operation Agent Virtual Appliance

							v11.11, v11.12, v11.13, v11.14

							https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01451923?lang=en&cc=cr&hpappid=OSP

							HP Performance Manager

							9.0x, v9.20

							https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01451922

							HP Virtualization Performance Viewer

							v1.0, v1.1, v1.2, v2.0, v2.01

							https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01451921

							HP Operations Agent

							v11.0, v11.01, v11.02, v11.03, v11.04, v11.05, v11.10, v11.11, v11.12, v11.13, v11.20, v11.14

							https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01451914?lang=en&cc=cr&hpappid=OSP

							HP SiteScope

							v11.1x, v11.2x

							Previous HP Security bulletin:https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04497114

							HP Business Service Manager (BSM)

							v8.x, v9.1x, v9.2x

							Previous HP Security Bulletin:https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04510230

							HP BSM Connector

							v9.20, v9.21, v9.22, v9.23

							https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01451763?lang=en&cc=cr&hpappid=OSP

							HP Service Health Reporter

							v9.20, v9.30, v9.31, v9.32, v9.40

							https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01401951?lang=en&cc=cr&hpappid=OSP

Product	Affected versions	Links to resolution
HP Integration Adaptor	v9.1X	https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01451927?lang=en&cc=cr&hpappid=OSP
HP Operations Manager for Windows	v8.10, v8.16, v9.0	https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01451928?lang=en&cc=cr&hpappid=OSP
HP Operations Manager for Unix/Linux	v9.1x, v9.20	https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01451925?lang=en&cc=cr&hpappid=OSP
HP Operations Manager i	v9.1x, v9.2x	https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04510230
HP Reporter	v3.90, v4.0	https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01451924
HP Operation Agent Virtual Appliance	v11.11, v11.12, v11.13, v11.14	https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01451923?lang=en&cc=cr&hpappid=OSP
HP Performance Manager	9.0x, v9.20	https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01451922
HP Virtualization Performance Viewer	v1.0, v1.1, v1.2, v2.0, v2.01	https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01451921
HP Operations Agent	v11.0, v11.01, v11.02, v11.03, v11.04, v11.05, v11.10, v11.11, v11.12, v11.13, v11.20, v11.14	https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01451914?lang=en&cc=cr&hpappid=OSP
HP SiteScope	v11.1x, v11.2x	Previous HP Security bulletin:https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04497114
HP Business Service Manager (BSM)	v8.x, v9.1x, v9.2x	Previous HP Security Bulletin:https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04510230
HP BSM Connector	v9.20, v9.21, v9.22, v9.23	https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01451763?lang=en&cc=cr&hpappid=OSP
HP Service Health Reporter	v9.20, v9.30, v9.31, v9.32, v9.40	https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01401951?lang=en&cc=cr&hpappid=OSP

Note on Installation order of patches:On a node, if multiple products such as HP Performance Manager, HP Reporter, HP Service Health Reporter, and Operations Agent are available, first install Operations Agent POODLE patch and then POODLE patches for all other products. If this order of patch installation is not followed then the Installation of Operations Agent POODLE patch will fail.

		The installation error messages on Windows, Linux, HP-UX and Solaris are as follows:
		
				.For Windows: "Installation of the component package HPOvXpl failed with error (33529200) (The upgrade cannot be installed by the Windows Installer service because the program to be upgraded may be missing, or the upgrade may update a different version of the program. Verify that the program to be upgraded exists on your computer and that you have the correct upgrade. )."

				For Linux, HP-UX and Solaris: "Hotfix (Hotfix ID) cannot be installed as same or higher version of the component HPOvSecCo is already installed"

These installation errors can be ignored if HPOvSecCore version in 'ovdeploy -inv -includeupdates' is greater than or equal to v11.14.043 for v11.1x versions and greater than or equal to v11.05.046 for v11.1x and v11.0x versions of HPOvSecCOre respectively.

HISTORY
Version:1 (rev.1) - 21 April 2015 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email:http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is available here:https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive

Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

		©Copyright 2017 Hewlett Packard Enterprise Company, L.P.

		Hewlett Packard Enterprise Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HPE nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise Company and the names of Hewlett Packard Enterprise Company products referenced herein are trademarks of Hewlett Packard Enterprise Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.