Re: OA Heartbleed update? (4138 Views)
Respected Contributor
Trygve Henriksen
Posts: 336
Registered: ‎08-18-2003
Message 1 of 25 (4,698 Views)

OA Heartbleed update?

According to a post on the interwebs, the OA v4.11 web interface is affected by the Heartbleed screwup.

Is there a 'known good' version that is recommended or will there be a fix up soon?
HP Pro
scharchouf
Posts: 296
Registered: ‎03-07-2013
Message 2 of 25 (4,687 Views)

Re: OA Heartbleed update?

Can you give us more details, because what you said is not mentioned at HP as a bug or known issue....
I am an HP employee
Occasional Collector
Andrew Hammond
Posts: 4
Registered: ‎11-01-2007
Message 3 of 25 (4,655 Views)

Re: OA Heartbleed update?

I found this.

http://alpacapowered.wordpress.com/2014/04/08/openssl-heartbleed-attack-the-cryptocalypitc-judgement...

Is there a Security Advisory from HP regarding affected products?
Honored Contributor
Oscar A. Perez
Posts: 643
Registered: ‎11-01-2005
Message 4 of 25 (4,612 Views)

Re: OA Heartbleed update?

OA v4.11 and v4.20 contain an OpenSSL version that has the vulnerability.

Please go back to v4.01 until we can release a fix.

Oh, by the way.

iLOs are NOT vulnerable as they don't use SSL/TLS libraries that contain the TLS heartbeat extension, BUT we are receiving reports that the script that tests for the HeartBleed bug is causing iLO2 to stop responding and the blades have to be e-fused to recover iLO2 functionality.

Please don't run the Heartbleed script against iLO2 until we fix this problem.
Occasional Advisor
Barmaley
Posts: 6
Registered: ‎05-02-2012
Message 5 of 25 (4,500 Views)

Re: OA Heartbleed update?

Oscar,

Is it possible to deactivate some iLO functionality and features to make it invulnerable to HeartBleed?

Maybe change the SSL port to something other than 443?
Maybe enable the "Enforce AES/3DES Encryption"?

Something else?
Occasional Advisor
RyanTerry
Posts: 5
Registered: ‎04-14-2014
Message 6 of 25 (4,342 Views)

Re: OA Heartbleed update?

Is there an ETA for a fix for this?

We are running 4.0.1a and are seeing all of our iLO cards crash. We cannot upgrade to the releases that are vulnerable.
Occasional Advisor
Barmaley
Posts: 6
Registered: ‎05-02-2012
Message 7 of 25 (4,340 Views)

Re: OA Heartbleed update?

+1

We have >300 servers with iLO2 offline. It's horrible :(
Honored Contributor
Oscar A. Perez
Posts: 643
Registered: ‎11-01-2005
Message 8 of 25 (4,322 Views)

Re: OA Heartbleed update?

Please do not scan iLO for heartbleed. iLOs are not vulnerable as they have never supported the TLS HeartBeat extension anyway.

We are investigating why iLO2 stops responding after security scanners run the Heartbleed bug test, but so far we cannot even reproduce this issue in our labs. Any info that can help us reproduce the issue is welcome.
Occasional Advisor
Barmaley
Posts: 6
Registered: ‎05-02-2012
Message 9 of 25 (4,313 Views)

Re: OA Heartbleed update?

Oscar,

We have one of the servers which we can access remotely.

Also, the iLO address of this server responds to pings.

But it does not allow connecting via HTTP(S), IPMI or SSH.

Here is the output of the hponcfg utility:

# hponcfg
HP Lights-Out Online Configuration utility
Version 4.3.0 Date 12/10/2013 (c) Hewlett-Packard Company, 2014

ERROR: CpqCiCreateFunc() 0 time failed.
Driver Error Code:(1,1h).
Driver Error Message: CPQCIDRV driver is not loaded.

ERROR: CpqCiCreateFunc() 1 time failed.
Driver Error Code:(1,1h).
Driver Error Message: CPQCIDRV driver is not loaded.
ERROR: A general system error occurred while detecting Management Processor.
ACTION REQUIRED: Check if iLO and iLO driver are up and running.
HP Pro
scharchouf
Posts: 296
Registered: ‎03-07-2013
Message 10 of 25 (4,287 Views)

Re: OA Heartbleed update?

HP is currently investigating the issue and which systems are potentially affected, and when all investigation is done a formal notice will be published.

I am an HP employee
Occasional Advisor
RyanTerry
Posts: 5
Registered: ‎04-14-2014
Message 11 of 25 (4,275 Views)

Re: OA Heartbleed update?

I was able to get the iLO addresses excluded from any future scans. However all of my iLO 2 cards are down.

Bay iLO Name                      iLO IP Address  Status   Power   UID Partner
--- ----------------------------- --------------- -------- ------- --- -------
  1 [Unknown]                     N/A             Failed   On       ?
  2 [Unknown]                     N/A             Failed   On       ?

Is there a way to reset iLO in this state without a reboot of the server?
Occasional Advisor
RyanTerry
Posts: 5
Registered: ‎04-14-2014
Message 12 of 25 (4,254 Views)

Re: OA Heartbleed update?

Oscar,

We are running a c7000 enclosure with the 4.01 Firmware for OA. The scanner that was used to test is from Qualys. We have confirmed that after a reset, the scan still crashes the iLO2 card.
Occasional Visitor
tjagoda
Posts: 3
Registered: ‎04-14-2014
Message 13 of 25 (4,183 Views)

Re: OA Heartbleed update?

We are seeing this behavior on all iLO2 blades, observed firmware ranging from 2.12 through 2.23. A way to reset the management processor without requiring the physical re-seating of the blade would be spectacular; so far hponcfg, ssh, and the web interface have been unresponsive.
Occasional Visitor
Daniel McPeake
Posts: 1
Registered: ‎12-17-2007
Message 14 of 25 (4,171 Views)

Re: OA Heartbleed update?

Our security group scanned for the Heartbleed bug last night and crashed about 500 iLO2. Is there any way to recover without powering off all these servers?
Occasional Advisor
RyanTerry
Posts: 5
Registered: ‎04-14-2014
Message 15 of 25 (4,138 Views)

Re: OA Heartbleed update?

tjagoda,

we were able to use:

reset server [bay number]

having ssh'd into the OA card. However, it still reboots the server. Still looking to see if there is a way to recover without a reboot.
Occasional Visitor
tjagoda
Posts: 3
Registered: ‎04-14-2014
Message 16 of 25 (4,133 Views)

Re: OA Heartbleed update?

That is at least better than requiring a physical re-seating, but ideally we would still like a way to reset the management processor without a downtime-generating event.
Occasional Visitor
Wohlstand
Posts: 1
Registered: ‎04-14-2014
Message 17 of 25 (4,046 Views)

ILO 2 crashes

I can confirm this behavior. I had to take our server off power via a support man at the remote site. Really no fun. And a real DoS. There will be some script kiddies who will break down our ILO2 interface in the next hours. I can bet on it.
Occasional Visitor
lindnear
Posts: 1
Registered: ‎07-19-2012
Message 18 of 25 (2,272 Views)

Re: OA Heartbleed update?

Hi Folks,

Is iLO4 also affected by this bug? We have a lot of iLO4 boards in use and I'm asking if a scan would bring down all iLO boards.

Thx for your replies,

Alex
Visitor
Luke Hsieh
Posts: 4
Registered: ‎10-31-2010
Message 19 of 25 (2,265 Views)

Re: OA Heartbleed update?

Per the following link, HP has verified that it's only ILO1 and ILO2 that are affected. We have not seen similar issues in our ILO3/4 either.

http://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04249852

Edit: fixed link :p
Occasional Visitor
AlexanderGom
Posts: 1
Registered: ‎04-23-2014
Message 20 of 25 (2,097 Views)

Re: OA Heartbleed update?

If you are an HP employee, we have this SharePoint with good information about the Heartbleed vulnerability

http://h30499.www3.hp.com/t5/HP-BladeSystem-Management/OA-Heartbleed-update/m-p/6444874/highlight/tr...
Acclaimed Contributor
Dennis Handly
Posts: 24,956
Registered: ‎03-06-2006
Message 21 of 25 (2,084 Views)

Re: OA Heartbleed update?

>we have this sharepoint

Your link just points to this topic.

You can edit your post by using Post Options > Edit Reply.
Acclaimed Contributor
Torsten.
Posts: 23,253
Registered: ‎10-02-2001
Message 22 of 25 (2,064 Views)

Re: OA Heartbleed update - OA fw 4.21!

By the way - OA firmware 4.21 is available!

http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/psi/swdDetails/?sp4ts.oid=5193138&sp...

Disabled support for OpenSSL TLS heartbeat extension.

Hope this helps!
Regards
Torsten.

__________________________________________________

There are only 10 types of people in the world -
those who understand binary, and those who don't.

__________________________________________________

No support by private messages. Please ask the forum!
Visitor
Luke Hsieh
Posts: 4
Registered: ‎10-31-2010
Message 23 of 25 (2,010 Views)

Re: OA Heartbleed update - OA fw 4.21!

Advisor
Enzo Genuardi
Posts: 19
Registered: ‎08-17-2005
Message 24 of 25 (1,887 Views)

Re: OA Heartbleed update?

Hello,

The ILO2 FW version 2.25 was issued and also the OA FW version 4.21, which at least prevents the hack.

But, for all the other ILO2s which were blocked by the first scan, does someone have a solution to force them to reset without rebooting the server?

Best regards.
Advisor
Enzo Genuardi
Posts: 19
Registered: ‎08-17-2005
Message 25 of 25 (1,885 Views)

Re: OA Heartbleed update?

Hello Alex,

As far as I have seen on my servers, ILO3 FW 1.70 and ILO4 with 1.32 or 1.40 are not concerned!
Regards.