04-12-2014 04:45 PM - last edited on 04-13-2014 08:32 PM by maikoro
We discovered that hpsmh (version 7.2.2-8) is vurnerable for the OpenSSL Heartbleed problem on tcp port 2381, when will HP fix this issue? Is it possible to manual patch the embedded openssl?
P.S. This trhead has been moevd from ProLiant Servers (ML,DL,SL) to ITRC HP Systems Insight Manager Forum. - Hp forum moderator
04-13-2014 10:49 PM
this would interest me too!
I've read in the Revision history of SMH for Windows, that the last update to openSSL was with HP SMH version 126.96.36.199 in which OpenSSL got updated to version 1.0.1e.
According to the OpenSSL Security Advisory (https://www.openssl.org/news/secadv_20140407.txt) the "heartbleed" is fixed in version 1.0.1g.
HP can you please provide us information about a release of a fixed HP SMH?
04-14-2014 02:20 AM
They released a security bulletin now which is available here: http://alerts.hp.com/r?2.1.3KT.2ZR.11MyKG.KUeOn0..
(No information yet about a release of a fixed version)
04-15-2014 08:59 AM - edited 04-15-2014 09:10 AM
I was able to patch the service with a non-vulnerable openssl obtained from Red Hat rpms:
It is necessary to extract the binary, libraries and creating the necessary symlinks:
/opt/hp/hpsmh # ll bin/openssl
-rwxr-xr-x 1 czkccz adminux 521472 Apr 15 10:00 bin/openssl
/opt/hp/hpsmh # ll lib/libssl.so*
lrwxrwxrwx 1 root root 16 Apr 15 10:06 lib/libssl.so -> libssl.so.1.0.1e
lrwxrwxrwx 1 root root 16 Apr 15 10:06 lib/libssl.so.1.0.0 -> libssl.so.1.0.1e
-rwxr-xr-x 1 czkccz adminux 441112 Apr 15 10:01 lib/libssl.so.1.0.1e
/opt/hp/hpsmh # ll lib/libcrypto.so*
lrwxrwxrwx 1 root root 19 Apr 15 10:09 lib/libcrypto.so -> libcrypto.so.1.0.1e
lrwxrwxrwx 1 root root 19 Apr 15 10:09 lib/libcrypto.so.1.0.0 -> libcrypto.so.1.0.1e
-rwxr-xr-x 1 czkccz adminux 1950976 Apr 15 10:08 lib/libcrypto.so.1.0.1e
lrwxrwxrwx 1 root root 19 Apr 15 10:10 lib/libcrypto.so.10 -> libcrypto.so.1.0.1e
I ran the script (https://github.com/noxxi/p5-scripts/blob/master/ch
# /etc/init.d/hpsmhd start
Starting hpsmhd ..
# ./ssl-hearbleed-check.pl -s 127.0.0.1:2381
...ssl received type=22 ver=0x301 ht=0x2 size=77
...ssl received type=22 ver=0x301 ht=0xb size=968
...ssl received type=22 ver=0x301 ht=0xe size=0
no reply - probably not vulnerable
I hope it will be useful, while a new hpsmh version is released.
HP Enterprise Services México
Sergio Manuel Ramirez Martinez
HP Enterprise Services México
04-16-2014 06:10 PM
188.8.131.52 = cp023240 = http://ftp.hp.com/pub/softlib2/software1/sc-window
184.108.40.206 = cp023243 = http://ftp.hp.com/pub/softlib2/software1/sc-window
220.127.116.11 = cp023239 = http://ftp.hp.com/pub/softlib2/software1/sc-window
18.104.22.168 = cp023242 = http://ftp.hp.com/pub/softlib2/software1/sc-window
22.214.171.124 = http://ftp.hp.com/pub/softlib2/software1/pubsw-lin
126.96.36.199 = http://ftp.hp.com/pub/softlib2/software1/pubsw-lin
04-18-2014 05:33 AM
I've updated the SMH for a Windows 2008 R2 server to the new version 188.8.131.52.
Now i get a timeout on the System Management homepage. I used the VCA 184.108.40.206 and this version becomes unresponsive with the new SMH. I had to update to the latest VCA. That version has the bug that you can't update the Diskfirmware. HP advised me to uninstall the VCA since HPSUm is the new way to update instead of VCA. So HP is leaving VCA. So i've just posteded this message to let you all know.
04-23-2014 12:52 AM
thanks for your information!
Are you aware of any other bugs from the newest VCA except the harddisk firmware issue?
We'd like to have it installed anyway on the systems, so you have a overview of installed firmware/driver/software on one page... (unless we'll have rolled out HPSUM on every system)
Thanks and regards,
04-23-2014 08:54 AM
Please be aware that the 32 bit Windows 220.127.116.11 version of the patch breaks the HP smh, the service starts but is not listening on 2381
smhstart_err.log show it cannot load the php5apache2.so module
04-23-2014 12:25 PM
mikj , I think I installed this on a 32bit windows 18.104.22.168 version and now when I try to open up https://localhost:2381 i get a page can not be displayed ... are you having same issue as me ?
I installed this on my windows 2003 standard version.
04-23-2014 02:22 PM
Yes, the new(er) versions seems to break SMH and will not load.
I stayed on 22.214.171.124 for that reason alone.
Except for 2008 R2, if I install it on 2003 x32 or x64, the SMH page no longer loads.
04-24-2014 03:40 AM
Hello: To All,
HP is committed to delivering secure systems that effectively manage our invaluable customer and employee data. Therefore we kindly request you to reach out to our Software Security Response Team (SSRT).
Kindly find the given below "Report a potential security vulnerability to HP" link, If any claims you people have been impacted and/or have details where you can share with HP -
04-25-2014 07:35 AM
I am in the same boat - Windows 2003 servers that cannot run the latest SMH. I am wondering if there is an older version of SMH that is free of the Heartbleed bug and also works with Windows 2003? In other words, how long has Heartbleed been a problem? Has it just shown up in the last few versions, and earlier version are OK? If so, what is the last version of SMH that had a version of OpenSSL free from Heartbleed problems? That is the version I would need to install since the lastest version - which fixes Heartbleed - is not supported on Windows 2003.
04-29-2014 07:07 AM
You need something like this below. All will then work for 2003 servers.
2008 servers work ok with 126.96.36.199
Echo Replacing php5apache2.so and php5ts.dll
Echo From: %repos%\%PROCESSOR_ARCHITECTURE%
Echo To : %systemDrive%\hp\hpsmh\modules
Echo For %PROCESSOR_ARCHITECTURE% type OS
net stop "HP System Management Homepage" /Y
timeout 5 /nobreak >nul
copy %repos%\%PROCESSOR_ARCHITECTURE% %systemDrive%\hp\hpsmh\modules /Y
net Start "HP System Management Homepage" /Y
04-29-2014 10:23 AM
Rashmi, can you put HP SSRT in contact with this thread and notice the 2300+ unique views on it?
04-30-2014 08:50 AM
Let's say, for the sake of argument, that you absolutely cannot update to the latest version of SMH, VCA or VCRM. All 3 of those have recently been updated to include OpenSSL 1.0.1g, but let's pretend you can't update for whatever reason (compatibility concerns, effort involved, etc.
You could, if you want, simply download OpenSSL 1.0.1g for your OS and update the files yourself. I don't have any physical boxes running Linux so I won't pretend to know about that, but someone already mentioned how a few posts up.
For Windows, you download a compiled version and you should have a couple of DLL's to focus on:
If you're having trouble finding compiled versions of those DLL's, well hey, just extract the contents of the latest VCA, VCRM or SMH and they're inside there, both 32 and 64 bit versions.
On your Windows machine, under C:\HP you'll find multiple locations where those files exist, depending on what all you have installed. On my machine which has SMH, VCA *and* VCRM installed, there are 4 spots where both files live:
I can't quite figure out why, but the DLLs located in hpsmh\bin and hpsmh\modules are slightly different filesizes than the ones in vcagent and vcrepository... they're all 1.0.1g though, and the 64-bit version on my 64-bit Windows, but it's odd. It's like HP compiled them differently. I think it'd be safe to use the same one for all the spots though, but if you really want to be sure, extract the specific files from the specific HP software.
Anyway, copy over either the 32 or 64 bit version depending on what you're running. You'll need to stop the services first of course. If you use the files from inside the HP software, the 64-bit versions have "x64" in the filename, so just copy them over to the regular filename.
If none of this is making any sense, then you probably shouldn't be attempting something like this... just saying...
Oh, and if you're running HP SIM, there's no new version out yet, but it's running an older version of OpenSSL that isn't vulnerable. I just checked, and my HP SIM 7.3 with the latest hotfixes only has version 0.9.8d. Seems like HP SIM is safe only by it's extreme negligence in keeping it's SSL libraries up to date in the first place. Could be worse I guess.
Of course your best bet is to install the latest HP software anyway because there's more fixes besides just OpenSSL, but if none of them apply to you and you're happy with the version you're on, this could be an easier way to go to secure things. Just script something to stop those services remotely, copy the new files out where they belong, and restart.
Disclaimer: I have NOT tried this out myself, but when Heartbleed was first announced, I looked into doing this as a plan B in case HP dragged it's feet getting it patched properly. If it doesn't work, keep those old DLL's handy and roll back if needed.
04-30-2014 10:49 AM
Thanks for the version list - that was vey helpful.
Does that mean if I have a server running a much version of the SMH, that I dont have to update it (to patch for Heartbleed)? For example, if I have a server running this version:
HP System Management Homepage v188.8.131.52
and since this version is not on your list, it is not affected by Heartbleed (I am assuming it is using an older version OpenSSL that was not affected by Heartbleed)? Or are pretty much ALL versions of SHM affected by Heartbleed except the two new versions you listed.