HPE Community read-only access December 15, 2018
This is a maintenance upgrade. You will be able to read articles and posts, but not post or reply.
Hours:
Dec 15, 4:00 am to 10:00 am UTC
Dec 14, 10:00 pm CST to Dec 15, 4:00 am CST
Dec 14, 8:00 pm PST to Dec 15, 2:00 am PST
Server Management - Systems Insight Manager
cancel
Showing results for 
Search instead for 
Did you mean: 

Upgrade to HP SMH 2.1.8.179 on managed nodes

 
Pagnotta
Frequent Advisor

Upgrade to HP SMH 2.1.8.179 on managed nodes


Dear All,

I'm upgrading the SMH components on our nodes in order to fix a discovered vulnerability on this component.

For this to be done, I'm using VCA / VCRM but I'm a little bit confused because the package 2.1.8.179 semmes only available for windows 2003 and not windows 2000 which is on OS still used on our side... I've tried to deploy the same package on wondows 2000 nodes and it seems to work fine, but in the VCA/VCRM infrastructure the version 2.1.8.179 is not marked as windows 2000 compatible...

Does anyone know about this issue ?

Thanks

Angelo
5 REPLIES
Rancher
Honored Contributor

Re: Upgrade to HP SMH 2.1.8.179 on managed nodes

The most current System Management Homepage for 2000 is 2.1.6.156.
Pagnotta
Frequent Advisor

Re: Upgrade to HP SMH 2.1.8.179 on managed nodes

Is the version for windows 2000 vulnerable as is the version prior to 2.1.8.179 for windows 2003 ? I've tried to install the 2.1.8.179 on windows 2000 and it seems to work...

I'm confused with this.... do we have to update on windows 2000 nodes ?

Thanks
Rancher
Honored Contributor

Re: Upgrade to HP SMH 2.1.8.179 on managed nodes

I would be surprised that it works on 2003. My VCA on my 2000 servers does not even list that version.
Yes, the latest version for 200 does fix the vulnerabilities:

Addressed the following vulnerabilities:

CVE-2005-3357: mod_ssl in Apache 2.0 up to 2.0.55, when configured with an SSL vhost with access control and a custom error 400 error page, allows remote attackers to cause a denial of service (application crash) via a non-SSL request to an SSL port, which triggers a NULL pointer dereference.
CVE-2005-3352: Cross-site scripting (XSS) vulnerability in the mod_imap module of Apache httpd before 1.3.35-dev and Apache httpd 2.0.x before 2.0.56-dev allows remote attackers to inject arbitrary web script or HTML via the Referer when using image maps.
Pagnotta
Frequent Advisor

Re: Upgrade to HP SMH 2.1.8.179 on managed nodes


I did the installation from the HP SIM CMS through "Deploy Drivers, Firmware and Agents" and it worked fine strangely...I also confirm as you said that on the managed node side the package is not proposed at all in the VCA interface but only 2.1.6.156 is available for installation!

Do you know if anyone at HP can shed the light on this... I would have tought that if a package is for windows 2003 only it wouldn't install on windows 2000.... I think I'm going to roll back to 2.1.6.156.... what do you suggest ?

I appreciate your help

Angelo
Rancher
Honored Contributor

Re: Upgrade to HP SMH 2.1.8.179 on managed nodes

I agree, I thought that if it was not supported on the OS it would not install.

I double-checked on the HP site, pulling up the specific software for my server and OS. The only version for the SMH they show for 2000 is the 2.1.6.156. That is the one I am going to use.