By: Chris Saso, SVP of Technology

The Heartbleed bug has been a concern for many organizations since its discovery early this month. For those that are faced with addressing the Heartbleed bug within their organization, we wanted to share some support tips from HP. Below are some links that might help you address the vulnerabilities you are facing. HP uses OpenSSL in several of its products; the primary use is in the HP System Management Homepage (SMH).

SMH is a web-based interface that consolidates and simplifies the management of individual ProLiant and Integrity servers running Microsoft Windows or Linux operating systems, or HP 9000 and HP Integrity servers running HP-UX 11i. By aggregating data from HP Insight Management Agents and other management tools, the System Management Homepage provides an intuitive interface to review in-depth hardware configuration and status data, performance metrics, system thresholds and software version control information. The System Management Homepage can also be used to access the HP Lights-Out Management processor on ProLiant and Integrity servers.

HP System Management Homepage (SMH) Fixes Available:
Updated versions of HP’s System Management Homepage are publicly available for both Windows (32-bit/64-bit) and Linux.

HP Support references them only indirectly: search on the specific server model, then choose an OS version to reach the updated download.

As HP provides additional products and advisories, this post will be updated. In this blog post I am highlighting the links to the most common solutions that Dasher provides to our clients.

Servers and Storage:
HP Servers Communication: OpenSSL “HeartBleed” Vulnerability
HP Storage Products – OpenSSL HeartBleed Vulnerability

Server:
HP BladeSystem c-Class Onboard Administrator (OA) running OpenSSL, Remote Disclosure of Information – (Currently Rev 1)
HP Smart Update Manager (SUM) running OpenSSL, Remote Disclosure of Information – (Currently Rev 1)
HP System Management Homepage (SMH) running OpenSSL on Linux and Windows, Remote Disclosure of Information – (Currently Rev 1)

HP Software HP Service Manager, Asset Manager, UCMDB Browser, UCMDB Configuration Manager, Executive Scorecard, Server Automation, Diagnostics, LoadRunner, and Performance Center, running OpenSSL, Remote Disclosure of Information – (Currently Rev 2)
HP NonStop Volume Level Encryption (VLE) running OpenSSL, Remote Disclosure of Information – (Currently Rev 2)

Software:
HP Software Autonomy WorkSite Server (On-Premises Software), Running OpenSSL, Remote Disclosure of Information – (Currently Rev 2)

Storage:
HP XP P9500 Disk Array running OpenSSL, Remote Disclosure of Information – (Currently Rev 1)

iLO/iLO 2 (Special Note):
In the “Servers Communication” announcement HP has added the following note. It should not be missed.
“Reports have been received that scanners used to identify the Heartbleed vulnerability cause first-generation Integrated Lights-Out (iLO) and Integrated Lights-Out 2 (iLO 2) to lock up and become unresponsive. Although the server’s operating system will continue to function normally, first-generation iLO and iLO 2 will no longer be responsive over the management network. To recover, power must be PHYSICALLY removed from the server. HP recommends not using vulnerability scanners to test first-generation iLO and iLO 2 devices, as these products are not vulnerable to the Heartbleed vulnerability.”

Sources:
National Vulnerability Database
Heartbleed