Server Management - Systems Insight Manager
1748102 Members
4789 Online
108758 Solutions
New Discussion

Re: hpsmh heartbleed

 
Sean Murray_1
Regular Advisor

Re: hpsmh heartbleed

Yes, the new(er) versions seems to break SMH and will not load.

 

I stayed on 7.2.2.9 for that reason alone.

Except for 2008 R2, if I install it on 2003 x32 or x64, the SMH page no longer loads.

 

Rather frustrating.

RASHMI
Trusted Contributor

Re: hpsmh heartbleed

Hello: To All,

 

HP is committed to delivering secure systems that effectively manage our invaluable customer and employee data. Therefore we kindly request you to reach out to our Software Security Response Team (SSRT).

 

Kindly find the given below "Report a potential security vulnerability to HP" link, If any claims you people have been impacted and/or have details where you can share with HP -

https://h41268.www4.hp.com/live/index.aspx?qid=11503

 

 

 

Thanks,
Rashmi
Forum Moderator
David Orwig
Regular Advisor

Re: hpsmh heartbleed

Rashmi, we know what the vulnerability is... and so does HP. We just want a fix that works on our 32 bit (x86) operating systems!

NJK-Work
Honored Contributor

Re: hpsmh heartbleed

I am in the same boat - Windows 2003 servers that cannot run the latest SMH.  I am wondering if there is an older version of SMH that is free of the Heartbleed bug and also works with Windows 2003?  In other words, how long has Heartbleed been a problem?  Has it just shown up in the last few versions, and earlier version are OK?  If so, what is the last version of SMH that had a version of OpenSSL free from Heartbleed problems?  That is the version I would need to install since the lastest version - which fixes Heartbleed - is not supported on Windows 2003.

 

Thanks

NK

Steve Weeks_1
Frequent Advisor

Re: hpsmh heartbleed

You need something like this below. All will then work for 2003 servers.

 

2008 servers work ok with 7.3.2.1

 

CLS
set repos=\\server\mydomain.com\d$\Win2003_SHMfix

Echo Replacing php5apache2.so and php5ts.dll
Echo From: %repos%\%PROCESSOR_ARCHITECTURE%
Echo To : %systemDrive%\hp\hpsmh\modules
Echo For %PROCESSOR_ARCHITECTURE% type OS

net stop "HP System Management Homepage" /Y
timeout 5 /nobreak >nul

copy %repos%\%PROCESSOR_ARCHITECTURE% %systemDrive%\hp\hpsmh\modules /Y

set repos=
net Start "HP System Management Homepage" /Y
echo Finsihed

The_Stig
New Member

Re: hpsmh heartbleed

Yes please lets see a fix. I created an account just to leave this comment, thats how much i'd love a fix =) It's disconcerting that HP mentions that this is addressed and fixed already for x86 and x64 when the proof is in the pudding regarding the drop of PHP5 code suppport.

Rashmi, can you put HP SSRT in contact with this thread and notice the 2300+ unique views on it?
pkrai
Trusted Contributor

Re: hpsmh heartbleed

Two new versions of SMH are available, which provides fix for this vulnerability:

 

SMH 7.3.2

SMH 7.2.3

Upgrade_path.jpg

pkrai
Trusted Contributor

Re: hpsmh heartbleed

Please find enclosed some more information around the same topic...

 

Thanks

waaronb
Respected Contributor

Re: hpsmh heartbleed

Let's say, for the sake of argument, that you absolutely cannot update to the latest version of SMH, VCA or VCRM.  All 3 of those have recently been updated to include OpenSSL 1.0.1g, but let's pretend you can't update for whatever reason (compatibility concerns, effort involved, etc.

 

You could, if you want, simply download OpenSSL 1.0.1g for your OS and update the files yourself.  I don't have any physical boxes running Linux so I won't pretend to know about that, but someone already mentioned how a few posts up.

 

For Windows, you download a compiled version and you should have a couple of DLL's to focus on:

ssleay32.dll

libeay32.dll

 

If you're having trouble finding compiled versions of those DLL's, well hey, just extract the contents of the latest VCA, VCRM or SMH and they're inside there, both 32 and 64 bit versions.

 

On your Windows machine, under C:\HP you'll find multiple locations where those files exist, depending on what all you have installed.  On my machine which has SMH, VCA *and* VCRM installed, there are 4 spots where both files live:

 

C:\hp\hpsmh\bin\libeay32.dll
C:\hp\hpsmh\bin\ssleay32.dll
C:\hp\hpsmh\data\cgi-bin\vcagent\libeay32.dll
C:\hp\hpsmh\data\cgi-bin\vcagent\ssleay32.dll
C:\hp\hpsmh\data\cgi-bin\vcrepository\libeay32.dll
C:\hp\hpsmh\data\cgi-bin\vcrepository\ssleay32.dll
C:\hp\hpsmh\modules\libeay32.dll
C:\hp\hpsmh\modules\ssleay32.dll

 

I can't quite figure out why, but the DLLs located in hpsmh\bin and hpsmh\modules are slightly different filesizes than the ones in vcagent and vcrepository... they're all 1.0.1g though, and the 64-bit version on my 64-bit Windows, but it's odd.  It's like HP compiled them differently.  I think it'd be safe to use the same one for all the spots though, but if you really want to be sure, extract the specific files from the specific HP software.

 

Anyway, copy over either the 32 or 64 bit version depending on what you're running.   You'll need to stop the services first of course.  If you use the files from inside the HP software, the 64-bit versions have "x64" in the filename, so just copy them over to the regular filename.

 

If none of this is making any sense, then you probably shouldn't be attempting something like this... just saying...

 

Oh, and if you're running HP SIM, there's no new version out yet, but it's running an older version of OpenSSL that isn't vulnerable.  I just checked, and my HP SIM 7.3 with the latest hotfixes only has version 0.9.8d.  Seems like HP SIM is safe only by it's extreme negligence in keeping it's SSL libraries up to date in the first place.  Could be worse I guess.

 

Of course your best bet is to install the latest HP software anyway because there's more fixes besides just OpenSSL, but if none of them apply to you and you're happy with the version you're on, this could be an easier way to go to secure things.  Just script something to stop those services remotely, copy the new files out where they belong, and restart.

 

Disclaimer: I have NOT tried this out myself, but when Heartbleed was first announced, I looked into doing this as a plan B in case HP dragged it's feet getting it patched properly.  If it doesn't work, keep those old DLL's handy and roll back if needed.

NJK-Work
Honored Contributor

Re: hpsmh heartbleed

Thanks for the version list - that was vey helpful.

 

Does that mean if I have a server running a much version of the SMH, that I dont have to update it (to patch for Heartbleed)?  For example, if I have a server running this version:

 

HP System Management Homepage v3.0.1.73

 

and since this version is not on your list, it is not affected by Heartbleed (I am assuming it is using an older version OpenSSL that was not affected by Heartbleed)?  Or are pretty much ALL versions of SHM affected by Heartbleed except the two new versions you listed.

Thanks

NK