Occasional Visitor
danatt
Posts: 2
Registered: 07-20-2011
Message 1 of 6

Is HP c7000 iLO onboard administrator subject to CVE IDs: CVE-2009-3563, CVE-2009-5020 ,

Where is information about whether the iLO onboard administrator of the C7000 is, or is not, subject to various CVE vulnerabilities?

  • CVE-2009-3563 (NTP Mode 7 Request Denial Of Service Vulnerability)
  • CVE-2009-5020 (AWStats awredir.pl Open Redirect Vulnerability)
Neighborhood Admin
chuckk281
Posts: 3,223
Registered: 01-09-2007
Message 2 of 6

I will have to ask the question and see what I can find out.

Chuck

Neighborhood Admin
chuckk281
Posts: 3,223
Registered: 01-09-2007
Message 3 of 6

First of all, a general info place to get Security Bulletins and to report security issues:

How Do Customers Report Security Vulnerabilities?

Customers can report software security vulnerabilities to HP using the external link to the form Report a Potential Security Vulnerability to HP (http://welcome.hp.com/country/us/en/sftware_security.html).  This page accepts reports of potential security defects from customers and provides an automated email acknowledgement to the person submitting the report. The reporting Web Page can also be accessed from HP Home page:
  • http://www.hp.com
  • Select "Contact HP / Customer Service"
  • Select "Report a Software Security Issue"

To receive security information, customers can go to the general HP Web Page:

  • http://www.hp.com
  • Select "Support & Drivers"
  • Select "Sign up: Driver, Support & Security Alerts"

Customers can view all Previously Published HP ITRC Security Bulletins at the IT Resource Center (registration required).

Specific to the software security questions you asked above, here is what I received back:

Specifically (but unofficially), the NTP DoS (CVE-2009-3563) documents a problem with a Linux NTP daemon and since iLO doesn’t have an NTP daemon running we don't see an issue. Similarly, CVE-2009-5020 doesn’t apply to iLO since it is for the “AWStats” utility which isn’t part of the image and specifically to a Perl module (awredir.pl) which isn’t possible since there is no Perl interpreter onboard…

I hope this helps.

Chuck
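The reasoning relayed in this reply (a CVE does not apply when the vulnerable component is not in the firmware image at all) is exactly what a scan-exception process has to record and be able to re-verify. As an added example that is not part of this thread and not HP tooling, the Python below triages constructed scanner findings against a constructed device profile. The `CVE_COMPONENTS` map, the `Finding`/`DeviceProfile`/`Triage` classes, the placeholder component names, the host name and the sample findings are all assumptions for illustration, not an authoritative inventory of iLO or Onboard Administrator; the two real CVE ids and their component descriptions come from the thread.

```python
"""Triage vulnerability-scanner findings against a device component inventory.

Added example; not code from the forum thread or from HP. It models the
reasoning in the thread: a CVE can only apply if the vulnerable component is
actually part of the device's firmware image. The component map, the device
profile and the scanner findings below are CONSTRUCTED for illustration and are
not an authoritative description of iLO or Onboard Administrator.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Software a CVE concerns. Descriptions match the thread; the mapping itself is
# an analyst-maintained table, constructed here for the example.
CVE_COMPONENTS = {
    "CVE-2009-3563": {"ntpd"},             # NTP mode 7 request denial of service
    "CVE-2009-5020": {"awstats", "perl"},  # AWStats awredir.pl open redirect (a Perl script)
}

PORT_RE = re.compile(r"\b(\d{1,5}/(?:tcp|udp))\b")


@dataclass
class Finding:
    host: str
    cve: str
    evidence: str  # the scanner's own justification (banner, port, heuristic)


@dataclass
class DeviceProfile:
    name: str
    components: set                                 # software known to ship in the image
    listening: dict = field(default_factory=dict)   # "443/tcp" -> component serving it


@dataclass
class Triage:
    host: str
    cve: str
    disposition: str  # applicable | not_applicable | needs_review
    reason: str


def triage(finding, profile):
    """Decide whether one scanner finding applies to the profiled device."""
    required = CVE_COMPONENTS.get(finding.cve)
    if required is None:
        return Triage(finding.host, finding.cve, "needs_review",
                      "CVE not in component map; an analyst must map it first")
    missing = sorted(required - profile.components)
    if not missing:
        return Triage(finding.host, finding.cve, "applicable",
                      "all required components present: " + ", ".join(sorted(required)))
    reason = f"component(s) absent from {profile.name}: {', '.join(missing)}"
    # Caveat: an inventory claim is only as good as the inventory. If the scanner's
    # evidence names a port the device really listens on, record which component
    # answers there so the exception ticket can be verified rather than trusted.
    for port in PORT_RE.findall(finding.evidence):
        if port in profile.listening:
            reason += (f"; {port} is served by {profile.listening[port]}, "
                       f"confirm it is not {'/'.join(missing)}")
            return Triage(finding.host, finding.cve, "needs_review", reason)
    return Triage(finding.host, finding.cve, "not_applicable", reason)


def triage_all(findings, profile):
    return [triage(f, profile) for f in findings]


def summarize(results):
    """Counts per disposition, for the report back to the scanning team."""
    return dict(Counter(r.disposition for r in results))


# Constructed device profile: placeholder component names, not a real iLO inventory.
MGMT_PROCESSOR = DeviceProfile(
    name="mgmt-processor (hypothetical profile)",
    components={"embedded-httpd", "ssh-server"},
    listening={"443/tcp": "embedded-httpd", "22/tcp": "ssh-server"},
)

# Constructed scanner output: three findings against one constructed host name.
SAMPLE_FINDINGS = [
    Finding("ilo-enc01", "CVE-2009-3563", "123/udp: NTP mode 7 probe sent, no version data"),
    Finding("ilo-enc01", "CVE-2009-5020", "443/tcp: web server present, awredir.pl inferred"),
    Finding("ilo-enc01", "CVE-0000-0000", "placeholder id: unmapped finding from a new plugin"),
]

if __name__ == "__main__":
    results = triage_all(SAMPLE_FINDINGS, MGMT_PROCESSOR)
    for r in results:
        print(f"{r.host} {r.cve} {r.disposition}: {r.reason}")
    print(summarize(results))
```

The first finding closes as not applicable on the same grounds Chuck's contact gave (no NTP daemon, and the device does not listen on 123/udp in the profile). The second is held for review even though neither AWStats nor Perl is inventoried, because the scanner's evidence points at a port the device does serve, so the ticket records which component answers there instead of dismissing the finding by inventory alone.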

Occasional Visitor
danatt
Posts: 2
Registered: 07-20-2011
Message 4 of 6

Chuck,

Your information was very helpful. I suspected ntpd and awstats were both not part of iLO but wanted to confirm. Is information about the components which comprise OA/iLO available to customers? This type of question will come up every time the OA/iLO is flagged by our security vulnerability scanning process. :-)

BTW: this link in your response behind this text does not work for me: "Customers can view all Previously Published HP ITRC Security Bulletins at the IT Resource Center (registration required)."

Regards,
Dan
Honored Contributor
Johan Guldmyr
Posts: 3,853
Registered: 06-14-2009
Message 5 of 6

The link has been updated, as the HP ITRC was moved to a new platform. New link:

https://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/secBullArchive/
Neighborhood Admin
chuckk281
Posts: 3,223
Registered: 01-09-2007
Message 6 of 6

Johan:

Thanks for updating the link.

Danatt:

I think your question regarding the components in the OA/iLO software would be a good question to ask the security gang. If you are going to have questions, no time like the present to see what sort of response you get from using the website.

Chuck
