
iLO version 2 fails PCI Scans on TLS renegotiation vulnerability

David Allonby
Occasional Visitor

Hi All,
Has anyone seen this before?

I have 51 HP servers, all with iLO version 2, which fail PCI scanning due to TLS renegotiation being available on the iLO port.

I upgraded to 2.05 firmware for the iLOs, but it fixes everything but the TLS renegotiation...

Has anyone any ideas?

Cheers
2 REPLIES
Michael Leu
Honored Contributor

Re: iLO version 2 fails PCI Scans on TLS renegotiation vulnerability

One possibility to get this fixed would be to report it to the official channels at HP:

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key
Oscar A. Perez
Honored Contributor

Re: iLO version 2 fails PCI Scans on TLS renegotiation vulnerability

I'm working on a new build that has SSL/TLS key renegotiation disabled. So far, it solves the CVE-2009-3555 vulnerability but needs a lot more testing.


