HP UCMD 정보누출

HP UCMD 정보누출  

명칭 : HP UCMD 정보누출

발령일시 : 5월1일

해당시스템 : 10.01

위험도 : ★★★☆☆

최초 보고자 : HPSBMU02988 rev.1 

[security bulletin] HPSBMU02988 rev.1 - HP Universal Configuration Management Database, Disclosure of Information 

-----BEGIN PGP SIGNED MESSAGE----- 

Hash: SHA1 

Note: the current version of the following document is available here: 

https://h20564.www2.hp.com/portal/site/hpsc/public/kb/ 

docDisplay?docId=emr_na-c04220407 

SUPPORT COMMUNICATION - SECURITY BULLETIN 

Document ID: c04220407 

Version: 1 

HPSBMU02988 rev.1 - HP Universal Configuration Management Database, 

Disclosure of Information 

NOTICE: The information in this Security Bulletin should be acted upon as 

soon as possible. 

Release Date: 2014-04-17 

Last Updated: 2014-04-17 

Potential Security Impact: Disclosure of Information 

Source: Hewlett-Packard Company, HP Software Security Response Team 

VULNERABILITY SUMMARY 

A potential security vulnerability has been identified with HP Universal 

Configuration Management Database Integration Service. The vulnerability 

could be exploited to allow disclosure of information. 

References: 

CVE-2013-6214 (ZDI-CAN-2042, SSRT101373) 

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. 

HP Universal Configuration Management Database v9.05, v10.01, v10.10 

BACKGROUND 

CVSS 2.0 Base Metrics 

=========================================================== 

Reference              Base Vector             Base Score 

CVE-2013-6214    (AV:N/AC:L/Au:S/C:P/I:P/A:P)       6.5 

=========================================================== 

           Information on CVSS is documented 

          in HP Customer Notice: HPSN-2008-002 

The Hewlett-Packard Company thanks MikeArnold (Bruk0ut) for working with HP's 

Zero Day Initiative to report CVE-2013-6214 to security-alert@hp.com 

RESOLUTION 

HP has provided the following content pack update for HP Universal 

Configuration Management Database to resolve the vulnerability. The updates 

are available at the HP Live Network Content Pack Updates here: 

https://hpln.hp.com/node/11274/contentfiles 

Note: For HP Universal Configuration Management Database Integration Service 

v9.05, please contact HP Software customer support 

HISTORY 

Version:1 (rev.1) - 17 April 2014 Initial release 

Third Party Security Patches: Third party security patches that are to be 

installed on systems running HP software products should be applied in 

accordance with the customer's patch management policy. 

Support: For issues about implementing the recommendations of this Security 

Bulletin, contact normal HP Services support channel.  For other issues about 

the content of this Security Bulletin, send e-mail to security-alert@hp.com. 

Report: To report a potential security vulnerability with any HP supported 

product, send Email to: security-alert@hp.com 

Subscribe: To initiate a subscription to receive future HP Security Bulletin 

alerts via Email: 

http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins   

Security Bulletin Archive: A list of recently released Security Bulletins is 

available here: 

https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ 

Software Product Category: The Software Product Category is represented in 

the title by the two characters following HPSB. 

3C = 3COM 

3P = 3rd Party Software 

GN = HP General Software 

HF = HP Hardware and Firmware 

MP = MPE/iX 

MU = Multi-Platform Software 

NS = NonStop Servers 

OV = OpenVMS 

PI = Printing and Imaging 

PV = ProCurve 

ST = Storage Software 

TU = Tru64 UNIX 

UX = HP-UX 

Copyright 2014 Hewlett-Packard Development Company, L.P. 

Hewlett-Packard Company shall not be liable for technical or editorial errors 

or omissions contained herein. The information provided is provided "as is" 

without warranty of any kind. To the extent permitted by law, neither HP or 

its affiliates, subcontractors or suppliers will be liable for 

incidental,special or consequential damages including downtime cost; lost 

profits; damages relating to the procurement of substitute products or 

services; or damages for loss of data, or software restoration. The 

information in this document is subject to change without notice. 

Hewlett-Packard Company and the names of Hewlett-Packard products referenced 

herein are trademarks of Hewlett-Packard Company in the United States and 

other countries. Other product and company names mentioned herein may be 

trademarks of their respective owners. 

-----BEGIN PGP SIGNATURE----- 

Version: GnuPG v1.4.13 (GNU/Linux) 

iEYEARECAAYFAlNPO6gACgkQ4B86/C0qfVntswCgoacTw+Os6TfUhQugavXIcVxV 

f/AAoOIeHWZDH9M03BI9ctNM1hLjpvlJ 

=dGEL 

-----END PGP SIGNATURE----- 

=====

[security bulletin] HPSBMU02987 rev.1 - HP Universal Configuration Management Database Integration Service, Remote Code Execution 

-----BEGIN PGP SIGNED MESSAGE----- 

Hash: SHA1 

Note: the current version of the following document is available here: 

https://h20564.www2.hp.com/portal/site/hpsc/public/kb/ 

docDisplay?docId=emr_na-c04219959 

SUPPORT COMMUNICATION - SECURITY BULLETIN 

Document ID: c04219959 

Version: 1 

HPSBMU02987 rev.1 - HP Universal Configuration Management Database 

Integration Service, Remote Code Execution 

NOTICE: The information in this Security Bulletin should be acted upon as 

soon as possible. 

Release Date: 2014-04-17 

Last Updated: 2014-04-17 

Potential Security Impact: Remote code execution 

Source: Hewlett-Packard Company, HP Software Security Response Team 

VULNERABILITY SUMMARY 

A potential security vulnerability has been identified with HP Universal 

Configuration Management Database Integration Service. The vulnerability 

could be exploited to allow remote execution of code. 

References: 

CVE-2013-6215 (SSRT101372, ZDI-CAN-1977) 

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. 

HP Universal Configuration Management Database Integration Service v10.01 and 

v10.10 

BACKGROUND 

CVSS 2.0 Base Metrics 

=========================================================== 

Reference              Base Vector             Base Score 

CVE-2013-6215    (AV:N/AC:M/Au:S/C:C/I:C/A:C)       8.5 

=========================================================== 

           Information on CVSS is documented 

          in HP Customer Notice: HPSN-2008-002 

The Hewlett-Packard Company thanks Andrea Micalizzi aka rgod for working with 

HP's Zero Day Initiative to report CVE-2013-6215 to security-alert@hp.com 

RESOLUTION 

HP has provided the following patches for HP Universal Configuration 

Management Database Integration Service to resolve the vulnerability. The 

patches are available here: http://support.openview.hp.com/selfsolve/patches   

For HP Universal Configuration Management Database Integration Service v10.01 

acquire and apply KM00692874 from 

http://support.openview.hp.com/selfsolve/document/KM00692874   

For HP Universal Configuration Management Database Integration Service v10.10 

acquire and apply KM00759032 

http://support.openview.hp.com/selfsolve/document/KM00759032   

HISTORY 

Version:1 (rev.1) - 17 April 2014 Initial release 

Third Party Security Patches: Third party security patches that are to be 

installed on systems running HP software products should be applied in 

accordance with the customer's patch management policy. 

Support: For issues about implementing the recommendations of this Security 

Bulletin, contact normal HP Services support channel.  For other issues about 

the content of this Security Bulletin, send e-mail to security-alert@hp.com. 

Report: To report a potential security vulnerability with any HP supported 

product, send Email to: security-alert@hp.com 

Subscribe: To initiate a subscription to receive future HP Security Bulletin 

alerts via Email: 

http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins   

Security Bulletin Archive: A list of recently released Security Bulletins is 

available here: 

https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ 

Software Product Category: The Software Product Category is represented in 

the title by the two characters following HPSB. 

3C = 3COM 

3P = 3rd Party Software 

GN = HP General Software 

HF = HP Hardware and Firmware 

MP = MPE/iX 

MU = Multi-Platform Software 

NS = NonStop Servers 

OV = OpenVMS 

PI = Printing and Imaging 

PV = ProCurve 

ST = Storage Software 

TU = Tru64 UNIX 

UX = HP-UX 

Copyright 2014 Hewlett-Packard Development Company, L.P. 

Hewlett-Packard Company shall not be liable for technical or editorial errors 

or omissions contained herein. The information provided is provided "as is" 

without warranty of any kind. To the extent permitted by law, neither HP or 

its affiliates, subcontractors or suppliers will be liable for 

incidental,special or consequential damages including downtime cost; lost 

profits; damages relating to the procurement of substitute products or 

services; or damages for loss of data, or software restoration. The 

information in this document is subject to change without notice. 

Hewlett-Packard Company and the names of Hewlett-Packard products referenced 

herein are trademarks of Hewlett-Packard Company in the United States and 

other countries. Other product and company names mentioned herein may be 

trademarks of their respective owners. 

-----BEGIN PGP SIGNATURE----- 

Version: GnuPG v1.4.13 (GNU/Linux) 

iEYEARECAAYFAlNPQUMACgkQ4B86/C0qfVnQigCeOTXmvqmo/bEVYDR+/rVt91TI 

QcEAoK2E+f99v08e+W0P7rs2xbTkCZ63 

=zjdU 

-----END PGP SIGNATURE-----