1745909 Members
4318 Online
108723 Solutions
New Discussion

OA Heartbleed update?

 
Trygve Henriksen
Respected Contributor

OA Heartbleed update?

According to a post on the interwebs, OA v4.11 web interface is affected by the Heartbleed screwup.

 

Is there a 'known good' version that is recommended or will there be a fix up soon?

 

 

24 REPLIES 24
scharchouf
Trusted Contributor

Re: OA Heartbleed update?

can you give us more details, because what you said is not mentioned at HP as a bug, known issue ....
Andrew Hammond
Occasional Collector

Re: OA Heartbleed update?

I found this.

 

http://alpacapowered.wordpress.com/2014/04/08/openssl-heartbleed-attack-the-cryptocalypitc-judgement-day-has-arrived/

 

Is there a Security Advisory from HP regarding affected products?

 

 

Oscar A. Perez
Honored Contributor

Re: OA Heartbleed update?

OA v4.11 and v4.20 contain an OpenSSL version that has the vulnerability.

 

Please go back to v4.01 until we can release a fix.

 

Oh, by the way.

iLOs are NOT vulnerable as they don't use SSL/TLS libraries that contain the TLS heartbeat extension BUT, we are receiving reports that the script that test for the HeartBleed bug is causing iLO2 to stop responding and the blades have to be e-fused to recover iLO2 functionality.  

Please don't run the Heartbleed script against iLO2 until we fix this problem. 




__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
Barmaley
Occasional Advisor

Re: OA Heartbleed update?

Oscar,

 

Is possible to deactivate some iLO functionality and features to do it invulnerable for HeartBleed?

 

May be change SSL port to not 443?
May be enable the "Enforce AES/3DES Encryption"?

 

Something else?

RyanTerry
Occasional Advisor

Re: OA Heartbleed update?

Is there an ETA for a fix for this? 

 

We are running 4.0.1a and are seeing all of our iLO cards crash.  We cannot upgrade to the releases that are vulnerable.

Barmaley
Occasional Advisor

Re: OA Heartbleed update?

+1

 

We have >300 servers iLO2 offline. It' horrible :(

Oscar A. Perez
Honored Contributor

Re: OA Heartbleed update?

Please do not scan iLO for heartbleed. iLOs are not vulnerable as they have never supported TLS HeartBeat extension anyway.

We are investigating why iLO2 stops responding after security scanners run the Heartbleed bug test but, so far we cannot even reproduce this issue in our labs. Any info that can help us reproduce the issue is welcomed.




__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
Barmaley
Occasional Advisor

Re: OA Heartbleed update?

Oscar,

 

We have one of servers which we can access remotelly.

Also, iLO address of this server responds to ping's.

But do not allow to connect via HTTP(s), IPMI or SSH.

 

Here is output of hponcfg utility:

 

# hponcfg
HP Lights-Out Online Configuration utility
Version 4.3.0 Date 12/10/2013 (c) Hewlett-Packard Company, 2014

ERROR: CpqCiCreateFunc() 0 time failed.
Driver Error Code:(1,1h).
Driver Error Message: CPQCIDRV driver is not loaded.

ERROR: CpqCiCreateFunc() 1 time failed.
Driver Error Code:(1,1h).
Driver Error Message: CPQCIDRV driver is not loaded.
ERROR: A general system error occurred while detecting Management Processor.
ACTION REQUIRED: Check if iLO and iLO driver are up and running.

scharchouf
Trusted Contributor

Re: OA Heartbleed update?

HP is currently investigating the issue and which systems are potentially affected.  and when all investigation is done a formal noticed will be published.