HPE Community read-only access December 15, 2018
This is a maintenance upgrade. You will be able to read articles and posts, but not post or reply.
Hours:
Dec 15, 4:00 am to 10:00 am UTC
Dec 14, 10:00 pm CST to Dec 15, 4:00 am CST
Dec 14, 8:00 pm PST to Dec 15, 2:00 am PST
Operating System - OpenVMS
cancel
Showing results for 
Search instead for 
Did you mean: 

OpenVMS 8.4 Integrity support ressources ?

 
frankydude
Occasional Contributor

OpenVMS 8.4 Integrity support ressources ?

We are running OpenVMS 8.4 Integrity on BL860c i2 blades.  There is a CVE, about a security vulnerability in DCL that we would like to patch.  Reference to the CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17482

To get access to the patches, we obviously need a support subscription, that we would like to purchase, but we cannot find how to do so.  HPE site for support doesn't show any OpenVMS information on support.  The roadmap also has broken links (Error 404) for software and support.  (they still have links to hp.com instead of hpe.com).

We contacted hpe, and they asked us if we know a SKU or part number for the support agreement on OpenVMS.  Else, it seems they cannot help us!

We know that VSI has a patch for that DCL vulnerability out, but they refer to HPE support for the 8.4 version of OpenVMS on integrity.  Reference: http://www.vmssoftware.com/pdfs/security/2018/03/VSI_CVE-2017-17482.pdf

So, is there someone who knows 1) how to contact hpe and 2) how to ask to purchase an OpenVMS support agreement?

Else, how is VSI support for OpenVMS ?    Anyone had used their support services? 

Thanks,

 

Francois Boucher

5 REPLIES
abrsvc
Respected Contributor

Re: OpenVMS 8.4 Integrity support ressources ?

 As far as I am aware. HPE does NOT have a patch for this.  VSI does have a patch available for their own releases.

You can avoid this vulnerability by removing privileges from the installl utility command for CDU.  Remove CMEXEC from the list and you will be safe.  As long as you use the SYSTEM account for any installs you should be safe.

Note: Either patch will require a software support contract.

 

Dan

abrsvc
Respected Contributor

Re: OpenVMS 8.4 Integrity support ressources ?

Forgot to add that with I64 systems, any attempt to exploit this will result in a process crash and not effect anything else.  In your case (I64), this may not be an issue.

Dan

Vajith V
Moderator

Re: OpenVMS 8.4 Integrity support ressources ?

Hello,

You can find the HPE OpenVMS Roadmap here : https://support.hpe.com/hpsc/doc/public/display?sp4ts.oid=null&docLocale=en_US&docId=emr_na-c04623087

Contact our support here:  https://support.hpe.com/hpesc/usageSupport

-Vajith

I am an HPE Employee
Brad McCusker
Respected Contributor

Re: OpenVMS 8.4 Integrity support ressources ?

Dan - HPE has released a patch that addresses this problem: VMS84I_DCL_V0200.  

Francois - If you are located in North America, we can arrange to sell you HPE software support.  But, if upgrading to VSI VMS is an option for you, I would strongly consider upgrading to VSI VMS.  Why waste the money on VMS 8.4 which is EOL? VSI has an active engineering group and is providing excellent support and they represent the future of VMS.  
If you are interested in VSI, we are a VSI authorized reseller, worldwide, and I would be happy to provide a quote. 

Please feel free to contact me for more information.

Brad McCusker
Software Concepts International
abrsvc
Respected Contributor

Re: OpenVMS 8.4 Integrity support ressources ?

Thanks for the update Brad.

Dan