Server Management - Systems Insight Manager

SOLVED
Rob Buxton
Honored Contributor

VPM Patch Availability Query

Hi Folks,
Does anyone know how the VPM Patch Availability works, in terms of when patches are available?

Our VPM Repository updated over the weekend and a number of the June MS Patches were downloaded. But not all, e.g. MS05-032 and MS05-033 were not pulled into the Repository.
These are classed as Moderate by the VPM scan, but other "moderate" patches are in the Repository.

So, why are some patches available and not others? Is there a qualification period?
14 REPLIES
Jennifer_74
Frequent Advisor

Re: VPM Patch Availability Query

There is no delay in getting patches since we pull them directly from the Microsoft data feed. All available Microsoft security patches are downloaded based on your acquisition settings.

For example, MS05-033 does not apply to Windows 2000, so if you were only downloading Windows 2000 patches we would not download MS05-033. (http://www.microsoft.com/technet/security/bulletin/MS05-033.mspx)

There was a problem with the way Microsoft posted the patch download information for MS05-025 - MS05-034, but they made corrections a few days later. We developed a patch that would allow VPM to get these patches, but did not release it when it looked like Microsoft corrected the data feed.

Let me do a quick internal test to see if maybe the patch is needed again.

Jennifer_74
Frequent Advisor

Re: VPM Patch Availability Query

I am in the process of getting SoftPaq SP30363 released to the web - it will fix your issue downloading MS05-032 and MS05-033. In the meantime I have put the SoftPaq in a temporary drop box ftp://xfer.americas.digital.com/to_customer/SP30363.ZIP (it will only be available here for 48 hours).

This SoftPaq is intended for VPM version 1.10. If you are running VPM 1.0, please upgrade. If you are using the VPM Acquisition Utility released with VPM 1.10, you will need to run the SoftPaq for both products.
Rob Buxton
Honored Contributor

Re: VPM Patch Availability Query

Thanks for the link to the patch.
I've pulled down the patch, installed it, and am just re-downloading now.
I also noticed MS05-028 was missing. So I'll check if that turns up.
We do pull down patches for both W2000 and W2003.
Rob Buxton
Honored Contributor

Re: VPM Patch Availability Query

Thanks, that did indeed fix the issue and MS05-028 was also pulled down.

If you reply to this I'll allocate 10 pts to flag this item as solved.
Rob Buxton
Honored Contributor

Re: VPM Patch Availability Query

Jennifer,
Possibly another query: is there a lag with the Scan Definitions?
If I select either the W2K3 or MS Advisory Scan Definition, the latest Advisory listed in the Scan Definition is MS05-025.
So, obviously if I run either of these and try and Patch against it, it will not locate any patches after MS05-025, even though these patches are in the Repository.
Jennifer_74
Frequent Advisor

Re: VPM Patch Availability Query

I'm glad the softpaq fixed your acquisition. The SoftPaq (30363) should be released to hp.com today.

We released VPM Scan Definition Updates on 6/16 that scanned for issues addressed in Microsoft patches released 6/14. If you look at your acquisition event for VPM Scan Definitions Up-to-date or Updated, you will see a link to a Readme that lists the new issues being scanned for.

Also, if you view the vulnerability information for a scan definition ("Customize Scan" or "View Scan Definition Details" button on the scan selection screen) you can click on a vulnerability id to view the associated KB information. W2516 - W2524 address the patches released by Microsoft on 6/14.

Normally we release scan definition updates a day or two after a Microsoft release. While we recommend scanning to determine which patches to apply, you also have the option of deploying a patch without doing a scan from the Deploy Patch without a Scan menu. The patch agent will return a "Not Applicable" event if a patch is not needed or not applicable.
Rob Buxton
Honored Contributor

Re: VPM Patch Availability Query

The issue is the Scan definition does not relate directly to the MS Advisory.

If I try and do a Patch-Fix Based on a Vulnerability scan based on a MS Advisories Scan the only patch it has identified is MS05-025.

If I go into the Customise Scan screen for MS Advisories and sort by Advisory, again the latest listed MS Advisory is MS05-025.

Yes, I can do a patch-fix and select the appropriate patches, but then I need to know specifically what patches to deploy. I know I can do this by using tools like the mbsacli or by tracking through the links suggested.
But it would be nice if the scan definitions were up to date and included the references to the MS Advisories directly.
Jennifer_74
Frequent Advisor

Re: VPM Patch Availability Query

Please check which version of your scan definitions you have downloaded. If you look at the "VPM Scan Definitions Updated" event (see attached) you will see the Version 5.39, Update 4.

Looking in the scan definition listing (customize scan), we list a Vulnerability ID which is an id assigned by Harris with a description of the vulnerability. You should see W2528 listed as the last entry - it applies to MS05-030. Click on the W2528 link and you will get a screen with a description along with links to the CVE description and MS knowledge base article.

Every acquisition automatically checks for and downloads the latest scan definition and scanner updates. If you do not have the latest scan definitions, there is a problem with the download web server - let me know. We released updated scan definitions on 6/16 that correspond to the MS patches released on 6/14.
Rob Buxton
Honored Contributor

Re: VPM Patch Availability Query

Jennifer,

I think we're talking at slightly cross-purposes. So, here are the answers to your last e-mail.

"Please check which version of your scan definitions you have downloaded. If you look at the "VPM Scan Definitions Updated" event (see attached) you will see the Version 5.39, Update 4." - Yes, we're running 5.39 Update 4.

"Looking in the scan definition listing (customize scan), we list a Vulnerability ID which is an id assigned by Harris with a description of the vulnerability. You should see W2528 listed as the last entry - it applies to MS05-030. Click on the W2528 link and you will get a screen with a description along with links to the CVE description and MS knowledge base article."

Yes, I see that. But if I now kick off a scan using the MS Advisories Scan definition, wait for that to complete, and then try to do a Patch against that Scan, I only get the option to patch MS05-025. The additional vulnerabilities are listed as Wxxxx items, but there's no option to patch.
Yes I know I can then go through and manually select the patches based on the advisory links. But, in a large diverse organisation I'd like to be able to use the Patch-Fix based on a Scan option to get my Servers right up to date.
The link between the Vulnerability and the MS Patch seems to lag behind.
Jennifer_74
Frequent Advisor

Re: VPM Patch Availability Query

I just duplicated your efforts and found the following:

If you look in the pdf scan results, depending on your system configuration, you will find one or more vulnerability numbers W2516 - W2528 (these correspond to MS05-025 thru MS05-033).

If you go to the Patch Based on Scan screen, you may not see the same list of vulnerabilities. The default sort of the list is by vuln id, but the vuln ids that do not have checkboxes are listed at the bottom. Click on the Vulnerability ID column to re-sort by vuln id and you should see the vulnerabilities in question - without checkboxes.

On the Patch Based on a Scan screen we are only setting checkboxes if the patch database contains the patch that resolves the vulnerability found. I have development looking into why the vulnerability id info is not getting mapped to the patch information. I see this issue in both the released and development versions of VPM.

For now, you can deploy the MS05-026 - MS05-033 patches as necessary using the Patch without a Scan method. The patch agent does its own scan and will not apply the patch if it is not applicable.

FYI - you should review all patches, even those without checkboxes, because these may also be vulnerabilities found that are security issues where a manual fix is required. Details on how to apply manual fixes can be found in the Detailed Summary pdf.
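As an added example (not VPM's own code), the checkbox rule described in the reply above applied to a constructed scan result and repository in Python: a finding is deployable only when the scan definition maps it to an advisory whose patch has been acquired, and everything else is flagged for manual review. Apart from W2528 / MS05-030, which the thread states, the vulnerability-to-advisory pairs and the repository contents are assumed.

```python
# Reconcile scan findings against the patch repository (constructed example).
# A finding gets a "Patch Based on a Scan" checkbox only when the scan
# definition maps it to an advisory AND that advisory's patch is in the
# repository; everything else has to be reviewed by hand.
from dataclasses import dataclass, field

# Constructed scan-definition mapping: vulnerability id -> resolving advisory.
# None marks a finding that needs a manual fix rather than a patch. Only
# W2528 -> MS05-030 is taken from the thread; the other pairs are illustrative.
VULN_TO_ADVISORY = {
    "W2516": "MS05-025",
    "W2517": "MS05-026",
    "W2519": "MS05-028",
    "W2520": None,
    "W2528": "MS05-030",
}

# Constructed scan result for one host and constructed repository contents.
SAMPLE_FINDINGS = ["W2516", "W2519", "W2520", "W2524", "W2528"]
SAMPLE_REPOSITORY = {"MS05-025", "MS05-028"}  # MS05-030 not yet acquired

@dataclass
class Report:
    deployable: dict = field(default_factory=dict)    # would get a checkbox
    unmapped: list = field(default_factory=list)      # the mapping gap from the thread
    not_acquired: list = field(default_factory=list)  # mapped, patch not in repository
    manual: list = field(default_factory=list)        # manual-fix item, no patch exists

def reconcile(findings, vuln_map, repository):
    """Classify each finding; the check order mirrors the checkbox rule."""
    report = Report()
    for vuln in findings:
        if vuln not in vuln_map:
            report.unmapped.append(vuln)
        elif vuln_map[vuln] is None:
            report.manual.append(vuln)
        elif vuln_map[vuln] in repository:
            report.deployable[vuln] = vuln_map[vuln]
        else:
            report.not_acquired.append(vuln)
    return report

def needs_manual_review(report):
    """Findings without a checkbox: the ones the thread says you must still review."""
    return sorted(report.unmapped + report.not_acquired + report.manual)

if __name__ == "__main__":
    rep = reconcile(SAMPLE_FINDINGS, VULN_TO_ADVISORY, SAMPLE_REPOSITORY)
    print("deployable:", rep.deployable, "review by hand:", needs_manual_review(rep))
```

Findings in `unmapped` correspond to the scanner defect discussed in this thread, while `not_acquired` corresponds to the earlier acquisition problem; both leave a real vulnerability with no checkbox.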
Rob Buxton
Honored Contributor

Re: VPM Patch Availability Query

Jennifer,

Thanks, the section of your reply...
"On the Patch Based on a Scan screen we are only setting checkboxes if the patch database contains the patch that resolves the vulnerability found. I have development looking into why the vulnerability id info is not getting mapped to the patch information. I see this issue in both the released and development versions of VPM."
... is certainly the core of the problem I see.

I agree that all vulnerabilities should be checked.
Many thanks for your efforts.

Jennifer_74
Frequent Advisor

Re: VPM Patch Availability Query

We found the problem with this last night and will test the fix today. We should be able to release a scanner update next week that fixes this problem. You would pick up the scanner update automatically with an acquisition once we release the fix.

I will post a message to this thread when the scanner fix is available for acquisition.
Jennifer_74
Frequent Advisor
Solution

Re: VPM Patch Availability Query

We have released a scanner update that maps the vulnerability ids to the advisory ids correctly. Run an acquisition (you can uncheck Microsoft and Red Hat so that you only get the scanner updates). When you update to STAT Scanner, Version 5.39, Update 6, re-run your scan and the deploy patches based on a scan will display checkboxes for June patches.
Rob Buxton
Honored Contributor

Re: VPM Patch Availability Query

Jennifer,
Excellent, that has indeed fixed the problem.

We're still in the evaluation phase of VPM and getting issues like this addressed gives us a bit more confidence.