cancel
Showing results for 
Search instead for 
Did you mean: 

HP SMH - CVE 2016-2017

Koobal
Occasional Visitor

HP SMH - CVE 2016-2017

Hello,

As a result of a Security Audit we found that HP SMH is vulnerable to CVE 2016-2017.

http://www.securityfocus.com/archive/1/538556

As there is no mention of this breach in Hp SMH 7.5.5.6 (lastest version we found and installed) and the corrective did not mention it

http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05111017

Is there a way to correct it ? is it possible to upgrade the openssl library installed with HP-SMH ?

 

Thanks for your help,

Best regards

 

2 REPLIES
Andrew_Haak
Honored Contributor

Re: HP SMH - CVE 2016-2017

That is the latest version so there is no update available, i don't believe you can update the Open SSL version used in the software. What type of hardware you you use? If it's a Gen8 or newer you should uninstall the SMH and use AMS, if it's an older type youre stuck and if you feel upto it you can place a support case with HP to find out if an update will become available soon. If possible you can restrict access to the SMH to and from the SIM server only, if your SMH is not accesable to a public network you should not be in any real problem
Kind regards,

Andrew
Koobal
Occasional Visitor

Re: HP SMH - CVE 2016-2017

Hi,

Thanks for your reply.

That's what I did (open a case), they were not aware of that breach, and maybe it will be coreccted in SMH next release (7.6)

For now they told me to deactivated AES-NI support for SMH to workaround the issue.

 

Kind regards,