topic Re: Internet Explorer Update MS04-025 and HP SIM in Server Management - Systems Insight Manager

Internet Explorer Update MS04-025 and HP SIM

David Claypool — Wed, 04 Aug 2004 17:49:32 GMT

Latest news: changes to the code are required for HP SIM to cope with the changes in behavior that Microsoft made to IE with this patch. The exact changes have been identified and are being incorporated into the source. It will take several days for the teams to go through the changes and qualify on all of the OS variants that are supported.

Bottom line: don't expect anything to be posted this week.

While we are hopeful that everything will go correctly, by the time the tests are completed and the publishing process goes through, expect something probably the week of August 12.

In the meantime if you choose to de-install the patch, be careful where you surf because there are known sites out there that will exploit the vulnerability. The best recommendation is not to de-install the patch and in the meantime attempt to use Netscape or Mozilla.

Re: Internet Explorer Update MS04-025 and HP SIM

David Claypool — Wed, 04 Aug 2004 17:51:55 GMT

bump

Re: Internet Explorer Update MS04-025 and HP SIM

Glen Brill — Thu, 05 Aug 2004 13:36:04 GMT

We are also experiencing the same problem with HP SIM 4.0 after loading MS04-025. Will the fix also apply to 4.0 or just 4.1?

Re: Internet Explorer Update MS04-025 and HP SIM

David Claypool — Thu, 05 Aug 2004 13:41:35 GMT

Rest easy. It will apply to both HP SIM versions.

Re: Internet Explorer Update MS04-025 and HP SIM

Grzegorz Kedziora — Thu, 05 Aug 2004 13:48:25 GMT

David please look at "http://forums.itrc.hp.com/service/forums/questionanswer.do?threadId=629545". I see that You have direct access to SIM development group. Some group os users hope that You have also access to PMP development group.

Re: Internet Explorer Update MS04-025 and HP SIM

David Claypool — Fri, 06 Aug 2004 10:49:26 GMT

A problem like you describe is not related to any known issue. It would be best to take this up with Customer Services locally and have them escalate it to the third level support team so it can be duplicated. This forum is not the way to escalate problems to development.

Re: Internet Explorer Update MS04-025 and HP SIM

Larry Hedrick — Mon, 09 Aug 2004 14:20:04 GMT

Can a HP person check out this patch and post it...?

Technical Support
Hot News - Patch Released
The Microsoft patch MS04-025 (KB867801) for Internet Explorer broke the
login to HP SIM 4.0, 4.0.1, and 4.1 when using IE..

[EDIT]

>> Windows patches Here you will find a directory for HP SIM 4.0 and
4.1. The patch and directions are in each directory. Once installed, the
patch for HP SIM 4.0 does not provide a version string in the help-about
box, however the 4.1 patch does show the version of HP SIM as being
C.04.01.00.01. A file is placed in the main HP SIM directory named
sp1.txt which prevents the patch from being installed a second time.

In this edition:
HP SIM fix for Microsoft patch MS04-025 (KB867801)

OpenSSH 3.7p1 PAM authentication vulnerability

HP SIM fix for Microsoft patch MS04-025 (KB867801)
Microsoft released a new IE Patch on 7/30/04 that disables the ability
to login to HP SIM when using Internet Explorer. Read more about this
in HP SIM Newsletter #7

[EDIT]

The version string will show in HP SIM 4.1 as C.04.01.00.01. However,
this will not show in HP SIM 4.0. You will have to check for the
presence of the sp1.txt file in the main HP SIM directory to determine
if the patch had been installed.

OpenSSH 3.7p1 PAM authentication vulnerability
Recently a critical security advisory was released regarding OpenSSH and
PAM. This advisory is being presented in the event you receive queries
about how it applies to HP SIM.

Although HP SIM uses OpenSSH, PAM is not enabled in the sshd_config file
(see below where "usePAM" is commented-out):

The setting is appropriate for any of the OSs on which HP SIM can be
installed. To ensure PAM vulnerability is not present, ensure that PAM
is commented-out in the sshd_conf file on your CMS platform.

Below is the actual advisory from http://www.openssh.com/txt/sshpam.adv.

Subject: Portable OpenSSH Security Advisory: sshpam.adv

This document can be found at: http://www.openssh.com/txt/sshpam.adv

1. Versions affected:

Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple
vulnerabilities in the new PAM code. At least one of these bugs is
remotely exploitable (under a non-standard configuration, with privsep
disabled).

The OpenBSD releases of OpenSSH do not contain this code and are not
vulnerable. Older versions of portable OpenSSH are not vulnerable.

2. Solution:

Upgrade to Portable OpenSSH 3.7.1p2 or disable PAM support ("UsePam no"
in sshd_config).

Due to complexity, inconsistencies in the specification and differences
between vendors' PAM implementations we recommend that PAM be left
disabled in sshd_config unless there is a need for its use. Sites only
using public key or simple password authentication usually have little
need to enable PAM support.

As stated earlier, the problem discussed in the advisory does not affect
systems on which HP SIM is installed unless someone has modified the
sshd_conf file.

Re: Internet Explorer Update MS04-025 and HP SIM

David Claypool — Mon, 09 Aug 2004 14:44:56 GMT

The text above refers to an internal document. Maybe I'm being paranoid, but I'm sorry to edit--internal hostnames with their FQDN just might be a hacker invitation.

Although the note says "tested," this refers to rudimentary testing to validate its effectiveness. Much more rigorous QA testing is happening now across all of the platforms.

The good news is that things are looking good. With a little luck the patch will be available soon. We appreciate your patience. I know the wait is excruciating, but we would hate to have a patch for a patch need to be released.

Re: Internet Explorer Update MS04-025 and HP SIM

David Claypool — Thu, 12 Aug 2004 11:44:21 GMT

Fix is posted. See thread at http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=666957