'[security bulletin] HPSBPI02732 SSRT100435 rev.1 - HP Managed Printing Administration, Remote Execut'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    [security bulletin] HPSBPI02732 SSRT100435 rev.1 - HP Managed Printing Administration, Remote Execut
From:       security-alert () hp ! com
Date:       2011-12-27 21:03:44
Message-ID: 20111227210344.CE43E21834 () security ! hp ! com
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03128469
Version: 1

HPSBPI02732 SSRT100435 rev.1 - HP Managed Printing Administration, Remote Execution \
of Arbitrary Code and Other Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as soon as \
possible.

Release Date: 2011-12-21
Last Updated: 2011-12-21

Potential Security Impact: Remote execution of arbitrary code, directory traversal, \
creation and deletion of arbitrary files, unauthorized access to application database

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Managed Printing \
Administration. These vulnerabilities could be exploited remotely for execution of \
arbitrary code, directory traversal, creation and deletion of arbitrary files, and \
unauthorized access to the application database.

References: CVE-2011-4166 (ZDI-CAN-1064, SSRT100438)

CVE-2011-4167 (ZDI-CAN-1065, SSRT100435)

CVE-2011-4168 (ZDI-CAN-1066, SSRT100436)

CVE-2011-4169 (ZDI-CAN-1067, SSRT100422)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Managed Printing Administration before v2.6.4

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2011-4166    (AV:N/AC:L/Au:N/C:P/I:P/A:C)       9.0
CVE-2011-4167    (AV:N/AC:L/Au:N/C:P/I:P/A:C)       9.0
CVE-2011-4168    (AV:N/AC:L/Au:N/C:N/I:P/A:N)       5.0
CVE-2011-4169    (AV:N/AC:L/Au:N/C:P/I:P/A:C)       9.0
===========================================================
             Information on CVSS is documented
            in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Andrea Micalizzi aka rgod along with \
TippingPoint's Zero Day Initiative for reporting these vulnerabilities to \
security-alert@hp.com.

RESOLUTION

HP has made HP Managed Printing Administration v2.6.4 or subsequent available to \
resolve the vulnerabilities.

HP Managed Printing Administration can be downloaded as follows.

Browse to http://www.hp.com/go/upd then

Select "Download software"
Select a product
Select an operating system
Under "Software - Universal Print Driver " download "HP Printer Administrator \
Resource Kit" Install the Managed Printing Administration contained in the HP Printer \
Administrator Resource Kit

HISTORY
Version:1 (rev.1) - 21 December 2011 Initial release

Third Party Security Patches: Third party security patches that are to be installed \
on systems running HP software products should be applied in accordance with the \
customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, \
contact normal HP Services support channel.  For other issues about the content of \
this Security Bulletin, send e-mail to security-alert@hp.com.

Report: To report a potential security vulnerability with any HP supported product, \
send Email to: security-alert@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts \
via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin List: A list of HP Security Bulletins, updated periodically, is \
contained in HP Security Notice HPSN-2011-001: \
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430


Security Bulletin Archive: A list of recently released Security Bulletins is \
available here: http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in the title \
by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2011 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or \
omissions contained herein. The information provided is provided "as is" without \
warranty of any kind. To the extent permitted by law, neither HP or its affiliates, \
subcontractors or suppliers will be liable for incidental,special or consequential \
damages including downtime cost; lost profits;damages relating to the procurement of \
substitute products or services; or damages for loss of data, or software \
restoration. The information in this document is subject to change without notice. \
Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein \
are trademarks of Hewlett-Packard Company in the United States and other countries. \
Other product and company names mentioned herein may be trademarks of their \
                respective owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk7x8sIACgkQ4B86/C0qfVk6tACgnp3rlqM6ENbGw1qmI2ogZ6Lt
EkkAnR9JAb9MeEZ6sI3qZhylG+NZ1xoT
=bla7
-----END PGP SIGNATURE-----


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic