BladeSystem - General

danatt
Occasional Visitor

Is HP c7000 iLO onboard administrator subject to CVE IDs: CVE-2009-3563, CVE-2009-5020 ,

Where is information about whether the iLO onboard administrator of the C7000 is, or is not, subject to various CVE vulnerabilities?

  • CVE-2009-3563 (NTP Mode 7 Request Denial Of Service Vulnerability)
  • CVE-2009-5020 (AWStats awredir.pl Open Redirect Vulnerability)
chuckk281
Trusted Contributor

Re: Is HP c7000 iLO onboard administrator subject to CVE IDs: CVE-2009-3563, CVE-2009-5020 ,

I will have to ask the question and see what I can find out.

Chuck

chuckk281
Trusted Contributor

Re: Is HP c7000 iLO onboard administrator subject to CVE IDs: CVE-2009-3563, CVE-2009-5020 ,

First of all a general info place to get Security Bulletins and to report security issues:

How Do Customers Report Security Vulnerabilities?


Customers can report software security vulnerabilities to HP using the external link to the form Report a Potential Security Vulnerability to HP (http://welcome.hp.com/country/us/en/sftware_security.html).  This page accepts reports of potential security defects from customers and provides an automated email acknowledgement to the person submitting the report. The reporting Web Page can also be accessed from HP Home page:
  • http://www.hp.com
  • Select "Contact HP / Customer Service"
  • Select "Report a Software Security Issue"

To receive security information, customers can go to the general HP Web Page:

  • http://www.hp.com
  • Select "Support & Drivers"
  • Select "Sign up: Driver, Support & Security Alerts"

Customers can view all Previously Published HP ITRC Security Bulletins at the IT Resource Center (registration required).

Specific to the software security questions you asked above here is what I received back:

Specifically (but unofficially), the NTP DoS (CVE-2009-3563) documents a problem with a Linux NTP daemon and since iLO doesn’t have an NTP daemon running we don't see an issue. Similarly, CVE-2009-5020 doesn’t apply to iLO since it is for the “AWStats” utility which isn’t part of the image and specifically to a Perl module (awredir.pl) which isn’t possible since there is no Perl interpreter onboard…

I hope this helps.

Chuck
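As an added, defender-side example that is not part of this thread: a small Python classifier that separates ordinary NTP time-sync packets from mode 7 (private) requests and from unsolicited mode 7 responses, the packet shape CVE-2009-3563 is about. Run over a capture taken at the OA/iLO management address, it shows whether the device ever sends or answers mode 7 traffic, which is the evidence needed to close a scanner finding like the one in the question. The sample packets below are constructed; the field offsets follow the NTP mode 7 header (response bit, implementation number, request code, error nibble).

```python
"""Triage NTP packets by mode, flagging mode 7 (private) traffic.

Mode 7 is ntpd's private/monitoring protocol; CVE-2009-3563 concerns ntpd
answering mode 7 *responses* with further mode 7 error responses.
"""
from dataclasses import dataclass
from typing import Dict, Optional

MODE_NAMES = {1: "symmetric active", 2: "symmetric passive", 3: "client",
              4: "server", 5: "broadcast", 6: "control", 7: "private"}


@dataclass
class NtpSummary:
    version: int
    mode: int
    mode_name: str
    response: bool = False              # mode 7 only: R bit (bit 7 of byte 0)
    implementation: Optional[int] = None
    request_code: Optional[int] = None
    error_code: Optional[int] = None    # mode 7 only: high nibble of byte 4


def classify_ntp(payload: bytes) -> NtpSummary:
    """Parse the common NTP header; decode extra mode 7 fields when present."""
    if len(payload) < 4:
        raise ValueError("truncated NTP header")
    first = payload[0]
    mode = first & 0x7
    summary = NtpSummary((first >> 3) & 0x7, mode, MODE_NAMES.get(mode, "reserved"))
    if mode == 7:
        summary.response = bool(first & 0x80)
        summary.implementation = payload[2]
        summary.request_code = payload[3]
        if len(payload) >= 5:
            summary.error_code = payload[4] >> 4
    return summary


def triage(payload: bytes) -> str:
    """Verdict for one packet seen at a management interface."""
    s = classify_ntp(payload)
    if s.mode != 7:
        return "ordinary"
    # An unsolicited mode 7 response is the loop trigger CVE-2009-3563 describes.
    return "mode7-unsolicited-response" if s.response else "mode7-request"


# Constructed samples (not captured traffic): implementation/request codes are
# placeholders; only the mode bits and the response/error fields matter here.
SAMPLE_PACKETS: Dict[str, bytes] = {
    "client_sync":   bytes([0x23]) + bytes(47),          # VN=4, mode 3, 48-byte
    "mode7_request": bytes([0x17, 0x00, 0x03, 0x00]) + bytes(4),   # R=0, VN=2, mode 7
    "mode7_error":   bytes([0x97, 0x00, 0x03, 0x00, 0x30]) + bytes(3),  # R=1, err=3
}


def triage_all() -> Dict[str, str]:
    return {name: triage(pkt) for name, pkt in SAMPLE_PACKETS.items()}
```

A device with no ntpd (as HP states for iLO) should produce no mode 7 packets at all in such a capture; any "mode7-unsolicited-response" from the device's own address would contradict that and warrant a follow-up with the vendor.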

danatt
Occasional Visitor

Re: Is HP c7000 iLO onboard administrator subject to CVE IDs: CVE-2009-3563, CVE-2009-5020 ,

Chuck,

Your information was very helpful. I suspected ntpd and awstats were both not part of iLO but wanted to confirm. Is information about the components which comprise OA/iLO available to customers? This type of question will come up every time the OA/iLO is flagged by our security vulnerability scanning process. :-)

btw: This link in your response behind this text does not work for me: "Customers can view all Previously Published HP ITRC Security Bulletins at the IT Resource Center (registration required)."

Regards,
Dan
Johan Guldmyr
Honored Contributor

Re: Is HP c7000 iLO onboard administrator subject to CVE IDs: CVE-2009-3563, CVE-2009-5020 ,

The link has been updated, since the HP ITRC was moved to a new platform. New link:

https://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/secBullArchive/
chuckk281
Trusted Contributor

Re: Is HP c7000 iLO onboard administrator subject to CVE IDs: CVE-2009-3563, CVE-2009-5020 ,

Johan:

Thanks for updating the link.

Danatt:

I think your question regarding the components in the OA/iLO software would be a good question to ask the security gang. If you are going to have questions, no time like the present to see what sort of response you get from using the website.

Chuck