Nine 0days: HP in the security dock again
The Zero Day Initiative (ZDI) has published details of further unpatched critical security holes in HP's enterprise products. All of the 0day holes allow remote attackers to execute arbitrary code on the affected systems, and eight of the nine are rated at the highest possible CVSS score of 10.0:
- HP SiteScope SOAP Call update Remote Code Execution Vulnerability
- HP SiteScope SOAP Call loadFileContent Remote Code Execution Vulnerability
- HP SiteScope SOAP Call getFileInternal Remote Code Execution Vulnerability
- HP SiteScope SOAP Call create Remote Code Execution Vulnerability
- HP SiteScope UploadFilesHandler Remote Code Execution Vulnerability
- HP SiteScope SOAP Call getSiteScopeConfiguration Remote Code Execution Vulnerability
- HP Operations Orchestration RSScheduler Service JDBC Connector Remote Code Execution Vulnerability
- HP Intelligent Management Center UAM sprintf Remote Code Execution Vulnerability
- HP Application Lifecycle Management XGO.ocx ActiveX Control Remote Code Execution Vulnerability
Before the vulnerability details were disclosed, HP had up to a year to close the nine critical security holes. Since the ZDI became part of HP through an acquisition, the company has effectively put itself in the dock by releasing these advisories. And this is not the first time: two weeks ago, the ZDI published five advisories for other unpatched HP security holes.
It remains unclear why HP hasn't fixed the vulnerabilities despite the ample period of grace it has been given. HP has yet to respond to several enquiries on this subject by The H's associates at heise Security.
(crve)