SSRT051023 rev.0 - HP Openview Network Node Manager (OV NNM) Remote Unauthorized Access
HPSBMA01224
Published: 2005-08-26 19:49:15
Updated: 2005-08-26 19:49:15

 HPSBMA01224     REVISION: 0

NOTICE:


There are no restrictions for distribution of this Security Bulletin provided that it remains complete and intact.


The information in this Security Bulletin should be acted upon as soon as possible.
INITIAL RELEASE:

26 August 2005

POTENTIAL SECURITY IMPACT:

Remote Unauthorized Access
SOURCE:

Hewlett-Packard Company
HP Software Security Response Team
VULNERABILITY SUMMARY:
A potential vulnerability has been identified with Openview Network Node Manager (OV NNM). This vulnerability could be exploited remotely by an unauthorized user to gain privileged access.
REFERENCES:

Portcullis Security Advisory 05-014
SUPPORTED SOFTWARE VERSIONS*:  ONLY impacted versions are listed.
Openview Network Node Manager (OV NNM) 6.2, 6.4, 7.01, 7.50 running on HP-UX, Solaris, Windows NT, Windows 2000, Windows XP, and Linux.
BACKGROUND:
For a PGP signed version of this Security Bulletin please write to
security-alert@hp.com.

AFFECTED VERSIONS

     Note: To determine if an HP-UX system has an affected
           version, search the output of
               "swlist -a revision -l fileset"
           for an affected fileset.  Then determine if the
           recommended patch or update is installed.


     HP-UX B.11.00
     HP-UX B.11.11
     HP-UX B.11.23
     =============
     OVNNMgr.OVNNM-RUN
     action: move /opt/OV/www/cgi-bin/connectedNodes.ovpl into another directory

     For Solaris OV NNM 6.2, 6.4, 7.01, 7.50
     SunOS 5.6
     SunOS 5.7
     SunOS 5.8
     SunOS 5.9
     =============
     action: move /opt/OV/www/cgi-bin/connectedNodes.ovpl into another directory


     For Windows OV NNM 6.2, 6.4, 7.01, 7.50
     Windows NT
     Windows 2000
     Windows XP
     =============
     action: move \www\cgi-bin\connectedNodes.ovpl into another directory


     For Linux OV NNM 7.01, 7.50
     Linux RedHatAS2.1
     =============
     action: move /opt/OV/www/cgi-bin/connectedNodes.ovpl into another directory

     END AFFECTED VERSIONS
RESOLUTION:
Until patches are available the potential vulnerability can be avoided by moving connectedNodes.ovpl from the cgi-bin directory into another directory. The capability to display connected nodes in tabular form will not be available.
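
The interim workaround above, written as a script for the UNIX platforms listed (an added example, not part of HP's bulletin). The function names and the hold-directory argument are hypothetical, and /opt/OV is assumed as the install root unless another is passed.

```shell
#!/bin/sh
# Added example, not HP's code: apply and verify the bulletin's interim workaround.
# Assumptions: OV_ROOT is /opt/OV (the UNIX path in the bulletin) unless passed;
# the hold directory argument is a hypothetical location chosen by the admin.

CGI_NAME="connectedNodes.ovpl"
FILESET="OVNNMgr.OVNNM-RUN"

# HP-UX only: reads `swlist -a revision -l fileset` output on stdin and
# succeeds if the affected fileset is listed.
has_affected_fileset() {
    grep -F -q "$FILESET"
}

# Prints "exposed" while the CGI is still in cgi-bin, otherwise "mitigated".
nnm_status() {
    ov_root=${1:-/opt/OV}
    if [ -e "$ov_root/www/cgi-bin/$CGI_NAME" ]; then
        echo exposed
    else
        echo mitigated
    fi
}

# Moves the CGI out of cgi-bin into hold_dir and re-checks the result.
nnm_apply_workaround() {
    ov_root=${1:-/opt/OV}
    hold_dir=$2
    cgi_dir="$ov_root/www/cgi-bin"
    [ -n "$hold_dir" ] || { echo "usage: nnm_apply_workaround OV_ROOT HOLD_DIR" >&2; return 2; }
    # Extra guard (not in the bulletin): a subdirectory of cgi-bin may still be served.
    case "$hold_dir/" in
        "$cgi_dir"/*) echo "hold dir must be outside $cgi_dir" >&2; return 2 ;;
    esac
    [ -e "$cgi_dir/$CGI_NAME" ] || return 0      # already moved
    mkdir -p "$hold_dir" || return 1
    mv "$cgi_dir/$CGI_NAME" "$hold_dir/" || return 1
    [ "$(nnm_status "$ov_root")" = mitigated ]
}
```

On HP-UX, `swlist -a revision -l fileset | has_affected_fileset` feeds the bulletin's fileset check into the first function.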
BULLETIN REVISION HISTORY:
 Revision 0: 26 August 2005
  Initial release


 
