HP Network Node Manager patched
Hewlett Packard has released patches for its Network Node Manager (NNM) which aim to close several vulnerabilities, including some which allow for remote execution of code. The problems are caused by buffer overflows and by received parameters being passed unchecked to other processes. It is the latter hole that allows an attacker to inject commands. The rights with which the server executes those injected commands depend on the operating system that NNM is running on.
HP has released patches for HP-UX, Red Hat Linux, Solaris and Windows. iDefense, the security services provider that discovered the vulnerabilities, found both problems on some platforms, but HP is patching all supported platforms. The affected versions of NNM are 7.01, 7.51 and 7.53. NNM 7.51 users will need to upgrade to 7.53 before applying the patches.
See also:
- HP OpenView Network Node Manager (OV NNM), Remote Execution of Arbitrary Code, Hewlett Packard report.
- HP Network Node Manager ovlaunch CGI BSS Overflow Vulnerability, iDefense report.
- HP Network Node Manager Multiple Information Disclosure Vulnerabilities, iDefense report.
- HP Network Node Manager Multiple Command Injection Vulnerabilities, iDefense report.
(djwm)