Server Management - Systems Insight Manager

hpsmh heartbleed

 
Alwin Warringa
Occasional Contributor

hpsmh heartbleed

Hi,

 

We discovered that hpsmh (version 7.2.2-8) is vulnerable to the OpenSSL Heartbleed problem on TCP port 2381. When will HP fix this issue? Is it possible to manually patch the embedded OpenSSL?

 

Alwin.

 

 

P.S. This thread has been moved from ProLiant Servers (ML,DL,SL) to ITRC HP Systems Insight Manager Forum. - HP forum moderator

 

21 REPLIES
SwisspostIT
Valued Contributor

Re: hpsmh heartbleed

Hello,

 

This would interest me too!

 

I've read in the revision history of SMH for Windows that the last update to OpenSSL was with HP SMH version 7.3.0.9, in which OpenSSL got updated to version 1.0.1e.

According to the OpenSSL Security Advisory (https://www.openssl.org/news/secadv_20140407.txt) the "heartbleed" is fixed in version 1.0.1g.

 

HP, can you please provide us with information about a release of a fixed HP SMH?

 

Thank you!

SwisspostIT
Valued Contributor

Re: hpsmh heartbleed

They released a security bulletin now which is available here: http://alerts.hp.com/r?2.1.3KT.2ZR.11MyKG.KUeOn0..N.ewLY.8RKW.bW89MQ%5f%5fDCTOFQR0

 

(No information yet about a release of a fixed version)

beermaster
New Member

Re: hpsmh heartbleed

I was able to patch the service with a non-vulnerable openssl obtained from Red Hat rpms:

 

openssl-1.0.1e-16.el6_5.7.x86_64.rpm

openssl-devel-1.0.1e-16.el6_5.7.x86_64.rpm

 

It is necessary to extract the binary and libraries and create the necessary symlinks:

 

/opt/hp/hpsmh # ll bin/openssl
-rwxr-xr-x 1 czkccz adminux 521472 Apr 15 10:00 bin/openssl

/opt/hp/hpsmh # ll lib/libssl.so*
lrwxrwxrwx 1 root   root        16 Apr 15 10:06 lib/libssl.so -> libssl.so.1.0.1e
lrwxrwxrwx 1 root   root        16 Apr 15 10:06 lib/libssl.so.1.0.0 -> libssl.so.1.0.1e
-rwxr-xr-x 1 czkccz adminux 441112 Apr 15 10:01 lib/libssl.so.1.0.1e

/opt/hp/hpsmh # ll lib/libcrypto.so*
lrwxrwxrwx 1 root   root         19 Apr 15 10:09 lib/libcrypto.so -> libcrypto.so.1.0.1e
lrwxrwxrwx 1 root   root         19 Apr 15 10:09 lib/libcrypto.so.1.0.0 -> libcrypto.so.1.0.1e
-rwxr-xr-x 1 czkccz adminux 1950976 Apr 15 10:08 lib/libcrypto.so.1.0.1e
lrwxrwxrwx 1 root   root         19 Apr 15 10:10 lib/libcrypto.so.10 -> libcrypto.so.1.0.1e
/opt/hp/hpsmh #

 

 

I ran the script (https://github.com/noxxi/p5-scripts/blob/master/check-ssl-heartbleed.pl) to check, and it indicated that it is no longer vulnerable.

 

# /etc/init.d/hpsmhd start
Starting hpsmhd ..                                                                                                                          done
# ./ssl-hearbleed-check.pl -s 127.0.0.1:2381
...ssl received type=22 ver=0x301 ht=0x2 size=77
...ssl received type=22 ver=0x301 ht=0xb size=968
...ssl received type=22 ver=0x301 ht=0xe size=0
...send heartbeat#1
no reply - probably not vulnerable
#

 

I hope it will be useful until a new hpsmh version is released.

 

Regards

 

Sergio Ramirez

GNU/Linux Team

HP Enterprise Services México 

--
Sergio Manuel Ramirez Martinez
GNU/Linux Team
HP Enterprise Services México
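
Added example, not part of the post above: a shell audit of a directory of bundled OpenSSL libraries, such as the /opt/hp/hpsmh/lib layout shown in the listing, that resolves each symlink and reads the version banner embedded in the file it points to. Distribution packages can backport a fix while keeping the upstream version string, so a banner inside the upstream affected range (1.0.1 through 1.0.1f) is reported for follow-up rather than as a verdict; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not part of hpsmh or OpenSSL.

# Upstream OpenSSL 1.0.1 through 1.0.1f are affected; 1.0.1g carries the fix.
upstream_affected() {
    case "$1" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the version from the first "OpenSSL <version>" banner inside a file.
embedded_version() {
    LC_ALL=C grep -a -o 'OpenSSL [0-9][0-9.]*[a-z]*' "$1" | head -n 1 | cut -d' ' -f2
}

# One line per libssl/libcrypto name in DIR: name, resolved file, version, verdict.
audit_ssl_dir() {
    dir=$1
    for f in "$dir"/libssl.so* "$dir"/libcrypto.so*; do
        [ -e "$f" ] || [ -L "$f" ] || continue    # glob matched nothing
        name=$(basename "$f")
        if [ ! -e "$f" ]; then
            # The symlink exists but its target does not, so this name cannot be loaded
            printf '%s -> dangling symlink\n' "$name"
            continue
        fi
        real=$(readlink -f "$f")
        ver=$(embedded_version "$real")
        if [ -z "$ver" ]; then
            verdict="no-version-banner"
        elif upstream_affected "$ver"; then
            # Distribution builds can backport the fix and keep this string,
            # so confirm against the package changelog or a live check
            verdict="check-package-changelog"
        else
            verdict="not-in-affected-range"
        fi
        printf '%s -> %s %s %s\n' "$name" "$(basename "$real")" "${ver:-?}" "$verdict"
    done
}

# Usage on a host (path as shown in the post): audit_ssl_dir /opt/hp/hpsmh/lib
```
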
AUS-1032
Frequent Visitor

Re: hpsmh heartbleed

Do we have any procedure for Windows systems?

Andrew_Haak
Honored Contributor

Re: hpsmh heartbleed

Hello people,

 

I've updated the SMH for a Windows 2008 R2 server to the new version 7.3.2.1.

Now I get a timeout on the System Management Homepage. I used the VCA 7.2.0.0, and this version becomes unresponsive with the new SMH. I had to update to the latest VCA. That version has the bug that you can't update the disk firmware. HP advised me to uninstall the VCA since HPSUM is the new way to update instead of VCA. So HP is leaving VCA. So I've just posted this message to let you all know.

 

Kind regards,

 

Andrew Haak

SwisspostIT
Valued Contributor

Re: hpsmh heartbleed

Hi Andrew,

 

thanks for your information!

Are you aware of any other bugs from the newest VCA except the harddisk firmware issue?

We'd like to have it installed anyway on the systems, so you have an overview of installed firmware/driver/software on one page... (unless we'll have rolled out HPSUM on every system)

 

Thanks and regards,

Ville

mikj
New Member

Re: hpsmh heartbleed

Please be aware that the 32-bit Windows 7.3.2.1 version of the patch breaks the HP SMH; the service starts but is not listening on 2381.

 

smhstart_err.log shows it cannot load the php5apache2.so module.

sungminjin
Occasional Advisor

Re: hpsmh heartbleed

mikj, I think I installed this on a 32-bit Windows 7.3.2.1 version, and now when I try to open up https://localhost:2381 I get a "page cannot be displayed"... Are you having the same issue as me?

I installed this on my Windows 2003 Standard version.

 

thanks.