SOFTPAQ NUMBER: SP25037
PART NUMBER: N/A
FILE NAME: SP25037.EXE
TITLE: HP Web-Enabled Management Software Security Patch
VERSION: 4.x, 5.x
LANGUAGE: English
CATEGORY: Software Solutions
DIVISIONS: Systems

PRODUCTS AFFECTED:
  HP Management Agents
  Power Management
  Version Control Repository Agent
  Version Control Agent
  Insight Manager 7
  Array Configuration Utility
  Survey

OPERATING SYSTEM: Microsoft Windows NT 4.0, Windows 2000, and Windows .NET
SYSTEM CONFIGURATION: N/A
PREREQUISITES: N/A
EFFECTIVE DATE: December 12, 2003
ELECTRONIC DISTRIBUTION ALLOWED: Yes
SOFTPAQ UTILITY VERSION: 5.92
SUPERSEDES: N/A

DESCRIPTION:

HP Management Software Security Vulnerability (SSRT3668)

HP web-enabled Management Software running HTTP Server versions less than 4.43 and versions 5.0 through 5.91 for Microsoft Windows NT 4.0, Windows 2000, and Windows .NET 2003 is susceptible to a security vulnerability.

As part of an ongoing commitment to software quality, a security vulnerability was recently uncovered in the secure socket layer code from the open-source OpenSSL Project that is delivered as part of the HP Web-enabled Management Software. The previous builds of HP Web-enabled Management Software used OpenSSL 0.9.6K, which was found to have a denial-of-service (D.o.S.) vulnerability on Windows involving a large recursion triggered by malicious ASN.1 sequences. OpenSSL on Windows is generally vulnerable to this issue. The fix in HP Management Software involves moving to OpenSSL Version 0.9.6L, which addresses this vulnerability.

HP strongly recommends that you update your software as soon as possible to remove these vulnerabilities.

HOW TO USE:

Have all the associated files (see the file list at the end of this text file) in a single directory on your hard drive. From a DOS command shell, change to that drive and directory and type:

  patchweb patch

This will replace the necessary files.

Troubleshooting Note: In some circumstances, Windows will not stop a service indicated in this patch. When this occurs, an error message will appear at the end of the patch (on the DOS command shell) indicating that the service could not be stopped or that a file could not be copied (the error message would say "The process cannot access the file because it is being used by another process"). When this problem occurs, it may be helpful to re-run the patch file, or to use Windows Services to manually stop the service and then re-run the patch.

HOW TO RESTORE YOUR ORIGINAL CONFIGURATION:

To restore the original versions of the patched files, type:

  patchweb restore

FILE LIST:
  SP25037.txt
  patchweb.bat
  findver.exe
  regtool.exe
  strexp.exe
  cpqhmmo1.fre
  cpqhmmo2.fre

Copyright 2003 Hewlett-Packard Development Company, L.P.