Hewlett-Packard has warned of a serious vulnerability in its Web-Enabled Management Software that leaves an unusually diverse range of software open to remote attack.
The company has issued a patch for a bug in HP HTTP Server, a Web-Enabled Management Software component, that allows for a denial-of-service attack or remote code execution. The vulnerability - a boundary error within the handling of input parameters - could be used to take over a host running the HTTP Server, or could be taken advantage of by a worm, according to independent security company Secunia.
Affected are HP Web-enabled management products running versions 5.0 to 5.95 of the server. The patch is available from HP's Web site. Users can also fix the problem by updating to Systems Management Hompage version 2.0, HP said. The affected software runs on Linux and various flavours of Windows.
Software vendors often bundle common software with various systems, but the HTTP Server flaw affects an unusually diverse range of software, Secunia said. "These vulnerabilities affect many different types of systems across the corporate network," said Secunia chief technology officer Thomas Kristensen. "Most other vulnerabilities affect only a few different systems or a large number of homogeneous systems."
The software affected is: HP / Compaq Insight Management Agents, HP Array Configuration Utility, HP Insight Manager 7.x, HP Performance Management Pack, HP Performance Management Pack Tools, HP ProLiant Performance Analyzer, HP Version Control Agent and HP Version Control Repository Agent.
Last spring a bug in HTTP Server potentially allowed malicious users to gain access to administrative functions.