[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: [security bulletin] HPSBPI02732 SSRT100435 rev.1 - HP Managed Printing Administration, Remote Execut
From: security-alert () hp ! com
Date: 2011-12-27 21:03:44
Message-ID: 20111227210344.CE43E21834 () security ! hp ! com
[Download RAW message or body]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03128469
Version: 1
HPSBPI02732 SSRT100435 rev.1 - HP Managed Printing Administration, Remote Execution \
of Arbitrary Code and Other Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as soon as \
possible.
Release Date: 2011-12-21
Last Updated: 2011-12-21
Potential Security Impact: Remote execution of arbitrary code, directory traversal, \
creation and deletion of arbitrary files, unauthorized access to application database
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Managed Printing \
Administration. These vulnerabilities could be exploited remotely for execution of \
arbitrary code, directory traversal, creation and deletion of arbitrary files, and \
unauthorized access to the application database.
References: CVE-2011-4166 (ZDI-CAN-1064, SSRT100438)
CVE-2011-4167 (ZDI-CAN-1065, SSRT100435)
CVE-2011-4168 (ZDI-CAN-1066, SSRT100436)
CVE-2011-4169 (ZDI-CAN-1067, SSRT100422)
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Managed Printing Administration before v2.6.4
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2011-4166 (AV:N/AC:L/Au:N/C:P/I:P/A:C) 9.0
CVE-2011-4167 (AV:N/AC:L/Au:N/C:P/I:P/A:C) 9.0
CVE-2011-4168 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2011-4169 (AV:N/AC:L/Au:N/C:P/I:P/A:C) 9.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
The Hewlett-Packard Company thanks Andrea Micalizzi aka rgod along with \
TippingPoint's Zero Day Initiative for reporting these vulnerabilities to \
security-alert@hp.com.
RESOLUTION
HP has made HP Managed Printing Administration v2.6.4 or subsequent available to \
resolve the vulnerabilities.
HP Managed Printing Administration can be downloaded as follows.
Browse to http://www.hp.com/go/upd then
Select "Download software"
Select a product
Select an operating system
Under "Software - Universal Print Driver " download "HP Printer Administrator \
Resource Kit" Install the Managed Printing Administration contained in the HP Printer \
Administrator Resource Kit
HISTORY
Version:1 (rev.1) - 21 December 2011 Initial release
Third Party Security Patches: Third party security patches that are to be installed \
on systems running HP software products should be applied in accordance with the \
customer's patch management policy.
Support: For issues about implementing the recommendations of this Security Bulletin, \
contact normal HP Services support channel. For other issues about the content of \
this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported product, \
send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts \
via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin List: A list of HP Security Bulletins, updated periodically, is \
contained in HP Security Notice HPSN-2011-001: \
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430
Security Bulletin Archive: A list of recently released Security Bulletins is \
available here: http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in the title \
by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2011 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or \
omissions contained herein. The information provided is provided "as is" without \
warranty of any kind. To the extent permitted by law, neither HP or its affiliates, \
subcontractors or suppliers will be liable for incidental,special or consequential \
damages including downtime cost; lost profits;damages relating to the procurement of \
substitute products or services; or damages for loss of data, or software \
restoration. The information in this document is subject to change without notice. \
Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein \
are trademarks of Hewlett-Packard Company in the United States and other countries. \
Other product and company names mentioned herein may be trademarks of their \
respective owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAk7x8sIACgkQ4B86/C0qfVk6tACgnp3rlqM6ENbGw1qmI2ogZ6Lt
EkkAnR9JAb9MeEZ6sI3qZhylG+NZ1xoT
=bla7
-----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic