BladeSystem Management Software
cancel
Showing results for 
Search instead for 
Did you mean: 

OA Heartbleed update?

 
Highlighted
Respected Contributor

OA Heartbleed update?

According to a post on the interwebs, OA v4.11 web interface is affected by the Heartbleed screwup.

 

Is there a 'known good' version that is recommended or will there be a fix up soon?

 

 

24 REPLIES 24
Highlighted
Trusted Contributor

Re: OA Heartbleed update?

can you give us more details, because what you said is not mentioned at HP as a bug, known issue ....
I work for HP
A quick resolution to technical issues for your HP Enterprise products is just a click away HP Support Center Knowledge-base
See Self Help Post for more details

Highlighted
Occasional Collector

Re: OA Heartbleed update?

I found this.

 

http://alpacapowered.wordpress.com/2014/04/08/openssl-heartbleed-attack-the-cryptocalypitc-judgement-day-has-arrived/

 

Is there a Security Advisory from HP regarding affected products?

 

 

Highlighted
Honored Contributor

Re: OA Heartbleed update?

OA v4.11 and v4.20 contain an OpenSSL version that has the vulnerability.

 

Please go back to v4.01 until we can release a fix.

 

Oh, by the way.

iLOs are NOT vulnerable as they don't use SSL/TLS libraries that contain the TLS heartbeat extension BUT, we are receiving reports that the script that test for the HeartBleed bug is causing iLO2 to stop responding and the blades have to be e-fused to recover iLO2 functionality.  

Please don't run the Heartbleed script against iLO2 until we fix this problem. 




__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
Highlighted
Occasional Advisor

Re: OA Heartbleed update?

Oscar,

 

Is possible to deactivate some iLO functionality and features to do it invulnerable for HeartBleed?

 

May be change SSL port to not 443?
May be enable the "Enforce AES/3DES Encryption"?

 

Something else?

Highlighted
Occasional Advisor

Re: OA Heartbleed update?

Is there an ETA for a fix for this? 

 

We are running 4.0.1a and are seeing all of our iLO cards crash.  We cannot upgrade to the releases that are vulnerable.

Highlighted
Occasional Advisor

Re: OA Heartbleed update?

+1

 

We have >300 servers iLO2 offline. It' horrible :(

Highlighted
Honored Contributor

Re: OA Heartbleed update?

Please do not scan iLO for heartbleed. iLOs are not vulnerable as they have never supported TLS HeartBeat extension anyway.

We are investigating why iLO2 stops responding after security scanners run the Heartbleed bug test but, so far we cannot even reproduce this issue in our labs. Any info that can help us reproduce the issue is welcomed.




__________________________________________________
If you feel this was helpful please click the KUDOS! thumb below!
Highlighted
Occasional Advisor

Re: OA Heartbleed update?

Oscar,

 

We have one of servers which we can access remotelly.

Also, iLO address of this server responds to ping's.

But do not allow to connect via HTTP(s), IPMI or SSH.

 

Here is output of hponcfg utility:

 

# hponcfg
HP Lights-Out Online Configuration utility
Version 4.3.0 Date 12/10/2013 (c) Hewlett-Packard Company, 2014

ERROR: CpqCiCreateFunc() 0 time failed.
Driver Error Code:(1,1h).
Driver Error Message: CPQCIDRV driver is not loaded.

ERROR: CpqCiCreateFunc() 1 time failed.
Driver Error Code:(1,1h).
Driver Error Message: CPQCIDRV driver is not loaded.
ERROR: A general system error occurred while detecting Management Processor.
ACTION REQUIRED: Check if iLO and iLO driver are up and running.

Highlighted
Trusted Contributor

Re: OA Heartbleed update?

HP is currently investigating the issue and which systems are potentially affected.  and when all investigation is done a formal noticed will be published.

I work for HP
A quick resolution to technical issues for your HP Enterprise products is just a click away HP Support Center Knowledge-base
See Self Help Post for more details