===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1091
 HPSBHF02912 rev.1 - HP Networking Products including H3C and 3COM Routers
  and Switches, OSPF Remote Information Disclosure and Denial of Service
                               9 August 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           HP Networking Products
Publisher:         Hewlett-Packard
Operating System:  Network Appliance
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-4806  

Original Bulletin: 
   https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03880910

--------------------------BEGIN INCLUDED TEXT--------------------

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03880910

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03880910
Version: 1

HPSBHF02912 rev.1 - HP Networking Products including H3C and 3COM Routers and
Switches, OSPF Remote Information Disclosure and Denial of Service

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2013-08-08
Last Updated: 2013-08-08

Potential Security Impact: Remote information disclosure and denial of
service

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Networking
Products including 3COM and H3C routers and switches. The vulnerabilities
could be remotely exploited resulting in disclosure of information and denial
of service.

References: CVE-2013-4806 (CERT VU#229804 SSRT101224)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Please refer to the RESOLUTION section below for a list of impacted products.

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2013-4806    (AV:N/AC:M/Au:S/C:P/I:N/A:C)        7
===========================================================
             Information on CVSS is documented
            in HP Customer Notice: HPSN-2008-002

RESOLUTION
HP has made the following software updates available to resolve the
vulnerabilities in the following products:

Fixed Version: R5000_3.14p14
  HP Branded Products Impacted:
    JD935A HP 5012 Router
    JD943A HP 5232 Router
    JD944A HP 5642 Router
    JD945A HP Router 5642 TAA
    JD946A HP 5682 Router
  H3C Branded Products Impacted: N/A
  3Com Branded Products Impacted:
    3Com Router 5642 TAA (3C13755TAA)
    3Com Router 5012 (3C13701)
    3Com Router 5232 (3C13751)
    3Com Router 5642 (3C13755)
    3Com Router 5682 (3C13759)

Fixed Version: R301X_1.40.23
  HP Branded Products Impacted:
    JD916A HP 3012 Router
    JD919A HP 3018 Router
  H3C Branded Products Impacted: N/A
  3Com Branded Products Impacted:
    3Com Router 3012 (3C13612)
    3Com Router 3018 (3C13618)

Fixed Version: S5600_3.10.R1702P39
  HP Branded Products Impacted:
    JD391A HP S5600-50C Ethernet Switch
    JD392A HP S5600-50C-PWR Ethernet Switch
    JD393A HP S5600-26C Ethernet Switch
    JD394A HP S5600-26C-PWR Ethernet Switch
    JD395A HP S5600-26F Ethernet Switch
  H3C Branded Products Impacted:
    H3C S5600-26C Ethernet Switch (0235A11F)
    H3C S5600-26C-PWR Ethernet Switch (0235A11G)
    H3C S5600-26F Ethernet Switch (0235A11H)
    H3C S5600-50C Ethernet Switch (0235A11D)
    H3C S5600-50C-PWR Ethernet Switch (0235A11E)
  3Com Branded Products Impacted: N/A

Fixed Version: E5500G_03.03.02p19
  HP Branded Products Impacted:
    JE088A HP E5500-24G Switch
    JE089A HP E5500-24G Switch (TAA)
    JE090A HP E5500-48G Switch
    JE091A HP E5500-48G Switch (TAA)
    JE092A HP E5500-24G-PoE Switch
    JE093A HP E5500-24G-PoE Switch (TAA)
    JE094A HP E5500-48G-PoE Switch
    JE095A HP E5500-48G-PoE Switch (TAA)
    JE096A HP E5500-24G-SFP Switch
    JE097A HP E5500-24G-SPF Switch (TAA)
    JF551A HP SS4 SWITCH 5500G-EI 24PT (no psu)
    JF552A HP SS4 SWITCH 5500G-EI 48PT(no psu)
    JF553A HP SS4 5500G-EI 24 PORT SFP (no psu)
  H3C Branded Products Impacted: N/A
  3Com Branded Products Impacted:
    3Com SS4 5500G-EI 24 Port SFP (NO PSU) (3CR17259-91)
    3Com SS4 Switch 5500G-EI 24PT (NO PSU) (3CR17254-91)
    3Com SS4 Switch 5500G-EI 48PT (NO PSU) (3CR17255-91)
    3Com Switch 5500G-EI 24 Port (3CR17250-91)
    3Com Switch 5500G-EI 48-Port (3CR17251-91)
    3Com Switch 5500G-EI PWR 24-Port (3CR17252-91)
    3Com Switch 5500G-EI PWR 48-Port (3CR17253-91)
    3Com Switch 5500G-EI SFP 24-Port (3CR17258-91)
    3Com TAA Compliant 5500G-EI 24-Port (3CR17250TAA-91)
    3Com TAA Compliant 5500G-EI 48-Port (3CR17251TAA-91)
    3Com TAA Compliant 5500G-EI PWR 24P (3CR17252TAA-91)
    3Com TAA Compliant 5500G-EI PWR 48P (3CR17253TAA-91)
    3Com TAA Compliant 5500G-EI SFP 24P (3CR17258TAA-91)

Fixed Version: E5500_03.03.02p19
  HP Branded Products Impacted:
    JE099A HP E5500-24 SI Switch
    JE100A HP E5500-48 SI Switch
    JE101A HP E5500-24 Switch
    JE102A HP E5500-24 Switch (TAA)
    JE103A HP E5500-48 Switch
    JE104A HP E5500-48 Switch (TAA)
    JE105A HP E5500-24-PoE Switch
    JE106A HP E5500-24-PoE Switch (TAA)
    JE107A HP E5500-48-PoE Switch
    JE108A HP E5500-48-PoE Switch (TAA)
    JE109A HP E5500-24-SFP Switch
    JE110A HP E5500-24-SPF Switch (TAA)
  H3C Branded Products Impacted: N/A
  3Com Branded Products Impacted:
    3Com SS4 Switch 5500-SI 28 Port (3CR17151-91)
    3Com SS4 Switch 5500-SI 52 Port (3CR17152-91)
    3Com Switch 5500-EI 28-Port (3CR17161-91)
    3Com Switch 5500-EI 28-Port FX (3CR17181-91)
    3Com Switch 5500-EI 52-Port (3CR17162-91)
    3Com Switch 5500-EI PWR 28-Port (3CR17171-91)
    3Com Switch 5500-EI PWR 52-Port (3CR17172-91)
    3Com TAA Switch 5500-EI 28-Port (3CR17161TAA-91)
    3Com TAA Switch 5500-EI 28-Port FX (3CR17181TAA-91)
    3Com TAA Switch 5500-EI 52-Port (3CR17162TAA-91)
    3Com TAA Switch 5500-EI PWR 28-Port (3CR17171TAA-91)
    3Com TAA Switch 5500-EI PWR 52-Port (3CR17172TAA-91)

Fixed Version: S3600.EI_3.10.R1702P34
  HP Branded Products Impacted:
    JD326A HP 3600-24-PoE EI Switch
    JD328A HP 3600-48-PoE EI Switch
    JD331A HP 3600-24 EI Switch
    JD333A HP 3600-48 EI Switch
    JD334A HP 3600-24-SFP EI Switch
  H3C Branded Products Impacted:
    H3C S3600-28F-EI - model LS-3600-28F-EI-OVS (0235A10L)
    H3C S3600-28P-EI - model LS-3600-28P-EI-OVS (0235A10H)
    H3C S3600-28P-PWR-EI - model LS-3600-28P-PWR-EI-OVS (0235A10C)
    H3C S3600-52P-EI - model LS-3600-52P-EI-OVS (0235A10K)
    H3C S3600-52P-PWR-EI - model LS-3600-52P-PWR-EI-OVS (0235A10E)
  3Com Branded Products Impacted: N/A

Fixed Version: E.11.38
  HP Branded Products Impacted:
    J4850A HP ProCurve Switch 5304xl
    J8166A HP ProCurve Switch 5304xl-32G
    J4819A HP ProCurve Switch 5308xl
    J8167A HP ProCurve Switch 5308xl-48G
    J4849A HP ProCurve Switch 5348xl
    J4849B HP ProCurve Switch 5348xl
    J4848A HP ProCurve Switch 5372xl
    J4848B HP ProCurve Switch 5372xl
  H3C Branded Products Impacted: N/A
  3Com Branded Products Impacted: N/A

Fixed Version: M.10.99
  HP Branded Products Impacted:
    J4906A HP E3400-48G cl Switch
    J4905A HP ProCurve Switch 3400cl-24G
  H3C Branded Products Impacted: N/A
  3Com Branded Products Impacted: N/A

Fixed Version: M.08.140
  HP Branded Products Impacted:
    J8433A HP 6400-6XG CL Switch
    J8474A HP 6410-6XG CL Switch
  H3C Branded Products Impacted: N/A
  3Com Branded Products Impacted: N/A

HISTORY
Version:1 (rev.1) - 8 August 2013 Initial Release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact your normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2013 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP nor
its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================