Hey guys,
For anyone not on Bugtraq - it's worth getting this applied.
https://h20564.www2.hp.com/portal/site/ ... -c04261644
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04261644
Version: 3
HPSBST03015 rev.3 - HP 3PAR OS running OpenSSL, Remote Disclosure of
Information
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2014-04-22
Last Updated: 2014-05-09
Potential Security Impact: Remote disclosure of information
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP 3PAR OS
running OpenSSL. This is the OpenSSL vulnerability known as "Heartbleed"
which could be exploited remotely resulting in disclosure of information.
References: CVE-2014-0160, SSRT101526
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP 3PAR OS 3.1.2 and subsequent
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has released patches to address this vulnerability for the impacted
software versions of 3PAR OS.
NOTE: No patch will be available for HP 3PAR OS 3.1.2 GA. HP recommends that
customers with arrays running HP 3PAR OS 3.1.2 GA should upgrade to the
latest available MU or HP 3PAR OS 3.1.3 P01. HP 3PAR OS Version
Available patch
HP 3PAR OS 3.1.3
P01
HP 3PAR OS 3.1.2 MU1, MU2, and MU3
P39