- Community Home
- >
- Servers and Operating Systems
- >
- HPE ProLiant
- >
- Server Management - Systems Insight Manager
- >
- Re: hpsmh heartbleed
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-23-2014 02:22 PM
04-23-2014 02:22 PM
Re: hpsmh heartbleed
Yes, the new(er) versions seems to break SMH and will not load.
I stayed on 7.2.2.9 for that reason alone.
Except for 2008 R2, if I install it on 2003 x32 or x64, the SMH page no longer loads.
Rather frustrating.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-24-2014 03:40 AM
04-24-2014 03:40 AM
Re: hpsmh heartbleed
Hello: To All,
HP is committed to delivering secure systems that effectively manage our invaluable customer and employee data. Therefore we kindly request you to reach out to our Software Security Response Team (SSRT).
Kindly find the given below "Report a potential security vulnerability to HP" link, If any claims you people have been impacted and/or have details where you can share with HP -
https://h41268.www4.hp.com/live/index.aspx?qid=11503
Rashmi
Forum Moderator
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-24-2014 11:00 AM
04-24-2014 11:00 AM
Re: hpsmh heartbleed
Rashmi, we know what the vulnerability is... and so does HP. We just want a fix that works on our 32 bit (x86) operating systems!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-25-2014 07:35 AM
04-25-2014 07:35 AM
Re: hpsmh heartbleed
I am in the same boat - Windows 2003 servers that cannot run the latest SMH. I am wondering if there is an older version of SMH that is free of the Heartbleed bug and also works with Windows 2003? In other words, how long has Heartbleed been a problem? Has it just shown up in the last few versions, and earlier version are OK? If so, what is the last version of SMH that had a version of OpenSSL free from Heartbleed problems? That is the version I would need to install since the lastest version - which fixes Heartbleed - is not supported on Windows 2003.
Thanks
NK
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-29-2014 07:07 AM
04-29-2014 07:07 AM
Re: hpsmh heartbleed
You need something like this below. All will then work for 2003 servers.
2008 servers work ok with 7.3.2.1
CLS
set repos=\\server\mydomain.com\d$\Win2003_SHMfix
Echo Replacing php5apache2.so and php5ts.dll
Echo From: %repos%\%PROCESSOR_ARCHITECTURE%
Echo To : %systemDrive%\hp\hpsmh\modules
Echo For %PROCESSOR_ARCHITECTURE% type OS
net stop "HP System Management Homepage" /Y
timeout 5 /nobreak >nul
copy %repos%\%PROCESSOR_ARCHITECTURE% %systemDrive%\hp\hpsmh\modules /Y
set repos=
net Start "HP System Management Homepage" /Y
echo Finsihed
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-29-2014 10:23 AM
04-29-2014 10:23 AM
Re: hpsmh heartbleed
Rashmi, can you put HP SSRT in contact with this thread and notice the 2300+ unique views on it?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-30-2014 03:22 AM
04-30-2014 03:22 AM
Re: hpsmh heartbleed
Two new versions of SMH are available, which provides fix for this vulnerability:
SMH 7.3.2
SMH 7.2.3
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-30-2014 04:23 AM
04-30-2014 04:23 AM
Re: hpsmh heartbleed
Please find enclosed some more information around the same topic...
Thanks
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-30-2014 08:50 AM
04-30-2014 08:50 AM
Re: hpsmh heartbleed
Let's say, for the sake of argument, that you absolutely cannot update to the latest version of SMH, VCA or VCRM. All 3 of those have recently been updated to include OpenSSL 1.0.1g, but let's pretend you can't update for whatever reason (compatibility concerns, effort involved, etc.
You could, if you want, simply download OpenSSL 1.0.1g for your OS and update the files yourself. I don't have any physical boxes running Linux so I won't pretend to know about that, but someone already mentioned how a few posts up.
For Windows, you download a compiled version and you should have a couple of DLL's to focus on:
ssleay32.dll
libeay32.dll
If you're having trouble finding compiled versions of those DLL's, well hey, just extract the contents of the latest VCA, VCRM or SMH and they're inside there, both 32 and 64 bit versions.
On your Windows machine, under C:\HP you'll find multiple locations where those files exist, depending on what all you have installed. On my machine which has SMH, VCA *and* VCRM installed, there are 4 spots where both files live:
C:\hp\hpsmh\bin\libeay32.dll
C:\hp\hpsmh\bin\ssleay32.dll
C:\hp\hpsmh\data\cgi-bin\vcagent\libeay32.dll
C:\hp\hpsmh\data\cgi-bin\vcagent\ssleay32.dll
C:\hp\hpsmh\data\cgi-bin\vcrepository\libeay32.dll
C:\hp\hpsmh\data\cgi-bin\vcrepository\ssleay32.dll
C:\hp\hpsmh\modules\libeay32.dll
C:\hp\hpsmh\modules\ssleay32.dll
I can't quite figure out why, but the DLLs located in hpsmh\bin and hpsmh\modules are slightly different filesizes than the ones in vcagent and vcrepository... they're all 1.0.1g though, and the 64-bit version on my 64-bit Windows, but it's odd. It's like HP compiled them differently. I think it'd be safe to use the same one for all the spots though, but if you really want to be sure, extract the specific files from the specific HP software.
Anyway, copy over either the 32 or 64 bit version depending on what you're running. You'll need to stop the services first of course. If you use the files from inside the HP software, the 64-bit versions have "x64" in the filename, so just copy them over to the regular filename.
If none of this is making any sense, then you probably shouldn't be attempting something like this... just saying...
Oh, and if you're running HP SIM, there's no new version out yet, but it's running an older version of OpenSSL that isn't vulnerable. I just checked, and my HP SIM 7.3 with the latest hotfixes only has version 0.9.8d. Seems like HP SIM is safe only by it's extreme negligence in keeping it's SSL libraries up to date in the first place. Could be worse I guess.
Of course your best bet is to install the latest HP software anyway because there's more fixes besides just OpenSSL, but if none of them apply to you and you're happy with the version you're on, this could be an easier way to go to secure things. Just script something to stop those services remotely, copy the new files out where they belong, and restart.
Disclaimer: I have NOT tried this out myself, but when Heartbleed was first announced, I looked into doing this as a plan B in case HP dragged it's feet getting it patched properly. If it doesn't work, keep those old DLL's handy and roll back if needed.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-30-2014 10:49 AM
04-30-2014 10:49 AM
Re: hpsmh heartbleed
Thanks for the version list - that was vey helpful.
Does that mean if I have a server running a much version of the SMH, that I dont have to update it (to patch for Heartbleed)? For example, if I have a server running this version:
HP System Management Homepage v3.0.1.73
and since this version is not on your list, it is not affected by Heartbleed (I am assuming it is using an older version OpenSSL that was not affected by Heartbleed)? Or are pretty much ALL versions of SHM affected by Heartbleed except the two new versions you listed.
Thanks
NK