[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[HP] Schwachstellen in HP Web Jetadmin - HPSBPI01026


Liebe Kolleginnen und Kollegen,

soeben erreichte uns das nachfolgende Bulletin der HP SupportLine. Wir
geben diese Informationen unveraendert an Sie weiter.

HP Web Jetadmin ist eine Software zur Konfiguration von HP Druckern
ueber eine Weboberflaeche.

Schwachstellen in HP Web Jetadmin

  Verschiedene Schwachstellen in der Software HP Web Jetadmin koennen
  einem entfernten Angreifer erlauben, die Server-Software auf einem
  betroffenen System zum Absturz zu bringen oder eigenen Code mit den
  Berechtigungen der Server-Software auszufuehren (im Allgemeinen root).

Betroffen sind die folgenden Software Pakete und Plattformen:

  HP Web Jetadmin Software vor Version 7.5

Vom Hersteller werden ueberarbeitete Pakete zur Verfuegung gestellt.

(c) der deutschen Zusammenfassung bei DFN-CERT Services GmbH; die
Verbreitung, auch auszugsweise, ist nur unter Hinweis auf den Urheber,
DFN-CERT Services GmbH, und nur zu nicht kommerziellen Zwecken

Mit freundlichen Gruessen,

	Marco Thorbrueegge, DFN-CERT

- -- 
Marco Thorbruegge (CSIRT), DFN-CERT Services GmbH
Web: https://www.dfn-cert.de/, Phone: +49-40-808077-555
PGP RSA/2048, AE662425, 7E5C A77A F91D 63D1 02AB 9526 53FF F1A0

SSRT2397 rev.0 Web Jetadmin potential denial of service, unauthorized access

   HPSBPI01026     REVISION: 0
   SSRT2397 rev.0 Web Jetadmin potential denial of service, unauthorized access
   There are no restrictions for distribution of this Bulletin provided that it remains
   complete and intact.
   The information in this Security bulletin should be acted upon as soon as possible.
   29 April 2004
   remote denial of service, unauthorized access
   HP Software Security Response Team
   A potential security vulnerability has been identified with HP Web Jetadmin where the
   vulnerability could be exploited locally or remotely to allow unauthorized access or Denial
   of Service (DoS).
   SUPPORTED SOFTWARE VERSIONS*:  ONLY impacted versions are listed.
   HP Web Jetadmin Software prior to version 7.5.
   A number of potential vulnerabilities involving HP Web Jetadmin Software have been retorted
   here:   http://www.securityfocus.com/archive/1/361535/2004-04-24/2004-04-30/0
   HP Company wishes to thank FX <fx@xxxxxxxxxxxx> for reporting this vulnerability to us and
   assisting us to protect all of our valued customers.
   HP has released Web Jetadmin version 7.5 which resolves the reported vulnerabilities.
   HP Web Jetadmin 7.5 is available for download   on http://www.hp.com.  Please search for
   "Web Jetadmin".
   Please write to security-alert@xxxxxx to request a PGP signed version of this bulletin.
   * The software product category that this Security Bulletin relates to is represented by the
   5th and 6th characters of the Bulletin number: GN=General, MA=Management Agents, MI=Misc.
   3rd party, MP=HP-MPE/iX, NS=HP NonStop Servers, OV=HP OpenVMS, PI=HP Printing & Imaging,
   ST=HP Storage, TU=HP Tru64 UNIX, TL=Trusted Linux, UX=HP-UX, VV=Virtual Vault
   SUPPORT: For further information, contact HP Services support channel.
   SUBSCRIBE: To initiate a subscription to receive future HP Security Bulletins via Email:
   On the web page: Driver and Support Alerts/Notifications Sign-up: Product Selection
   Under Step1: your products
   1. Select product category: - a minimum of servers must be selected.
   2. Select product family or search: - a minimum of one product must be selected.
   3. Add a product: - a minimum of one product must be added.
   In Step 2: your operating system(s) - check ALL operating systems for which alerts are
   Complete the form and Save.
   To update an existing subscription:
   Log in on the web page Subscriber's choice for Business: sign-in.
   On the Web page: Subscriber's Choice: your profile summary - use Edit Profile to update
   appropriate sections.
   Note: In addition to the individual alerts/notifications for the selected operating
   systems/products, subscribers will automatically receive one copy of alerts for
   non-operating system categories (i.e., a subscriber who signs up for all six operating
   system alerts will only receive one copy of all the non-operating system alerts).
   REPORT: To report a potential security vulnerability with any HP supported product, send
   Email to: security-alert@xxxxxxx It is strongly recommended that security related
   information being communicated to HP be encrypted using PGP, especially exploit information.
   To obtain the security-alert PGP key please send an e-mail message to security-alert@xxxxxx
   with the Subject of 'get key' (no quotes).
   System management and security procedures must be reviewed frequently to maintain system
   integrity. HP is continually reviewing and enhancing the security features of software
   products to provide customers with current secure solutions.
   "HP is broadly distributing this Security Bulletin in order to bring to the attention of
   users of the affected HP products the important security information contained in this
   Bulletin. HP recommends that all users determine the applicability of this information to
   their individual situations and take appropriate action. HP does not warrant that this
   information is necessarily accurate or complete for all user situations and, consequently,
   HP will not be responsible for any damages resulting from user's use or disregard of the
   information provided in this Bulletin. To the extent permitted by law, HP disclaims all
   warranties, either express or implied, including the warranties of merchantability and
   fitness for a particular purpose, title and non-infringement."
   ©Copyright 2004 Hewlett-Packard Development Company, L.P.
   Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions
   contained herein. The information provided is provided "as is" without warranty of any kind.
   To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers
   will be liable for incidental, special or consequential damages including downtime cost;
   lost profits; damages relating to the procurement of substitute products or services; or
   damages for loss of data, or software restoration. The information in this document is
   subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard
   products referenced herein are trademarks of Hewlett-Packard Company in the United States
   and other countries. Other product and company names mentioned herein may be trademarks of
   their respective owners.
   privacy statement using this site means you accept its terms 
               © 1994-2004 Hewlett-Packard Company

Version: 2.6.2i