Power HMC is affected by vulnerabilities in OpenSSL



This topic has 4 replies and 2 participants; last updated by Sever 3 years, 6 months ago.

  • #20022

    Sever
    Participant

    Security Bulletin: Power Hardware Management Console is affected by vulnerabilities in OpenSSL (CVE-2014-0160 and CVE-2014-0076)

    Affected Products and Versions

    HMC V7 Release 7.7.0
    HMC V7 Release 7.8.0

    http://www-01.ibm.com/support/docview.wss?uid=nas8N1020021

    And, to add to the same topic…
    patches also need to be applied to servers running firmware AL770, AM770, AM780 and AH780.

    http://download4.boulder.ibm.com/sar/CMA/SFA/04fyi/0/01AL770_076_032.html
    http://download4.boulder.ibm.com/sar/CMA/SFA/04fya/0/01AM770_076_032.html
    http://download4.boulder.ibm.com/sar/CMA/SFA/04fys/0/01AM780_054_040.html
    http://download4.boulder.ibm.com/sar/CMA/SFA/04fz4/0/01AH780_054_040.html

  • #20032

    Alex
    Participant

    The main thing here is not to panic.

    Who would ever think of exposing an HMC or SP to the open network? And inside your own network you should be able to stay safe, it seems to me.

  • #20036

    Sever
    Participant

    "trust nobody!"
    Patches must be applied in any case.

  • #20048

    Sever
    Participant
  • #20053

    Sever
    Participant

    Here is a competent approach to the problem. In the States it has been escalated to the very top level of organizations:

    WASHINGTON, April 25 — The U.S. Department of the Treasury's Office of the Comptroller of the Currency issued the following bulletin:

    Subject: Information Security Vulnerability in OpenSSL Encryption Tool (Heartbleed)

    Date: April 25, 2014

    To: Chief Executive Officers of All National Banks, Federal Branches and Agencies, Federal Savings Associations, Technology Service Providers, Department and Division Heads, All Examining Personnel, and Other Interested Parties

    Description: Joint Statement

    Summary

    On April 10, 2014, the members of the Federal Financial Institutions Examination Council (FFIEC) issued the attached alert to notify financial institutions of a material security vulnerability in OpenSSL, a widely used encryption tool. The alert outlined the risks associated with this vulnerability (also known as Heartbleed) and the risk mitigation steps that financial institutions are expected to take to address those risks. It also refers institutions to additional resources to help them mitigate the risks.

    Highlights

    Banks should address the vulnerability resulting from OpenSSL by taking the following risk mitigation steps, as appropriate:

    Identify and upgrade vulnerable internal systems and services, follow appropriate patch management practices, and test to ensure a secure configuration.

    Ensure third-party vendors take appropriate risk mitigation steps and then monitor the status of the vendors’ efforts.

    Note for Community Banks

    Community banks should ensure that their in-house information technology unit and their service providers are taking appropriate action to mitigate this risk.

    Further Information

    Since the FFIEC alert, additional information regarding the OpenSSL vulnerability has emerged, indicating that it may affect a range of technologies including, but not limited to, internally and externally facing servers, network devices, printers, applications, and mobile devices. Given the evolving information about the scope and nature of this vulnerability, banks should remain vigilant and continue their ongoing risk assessments and monitoring to detect and prevent against unauthorized access to customer information. The resources listed below are available to financial institutions and provide additional guidance on risk and vulnerability identification, and implementation of appropriate risk mitigation and management practices.

    Questions regarding the FFIEC statement should be directed to the Office of the Comptroller of the Currency's Bank Information Technology Division at (202) 649-6340.

    Carolyn G. DuChene

    http://insurancenewsnet.com/oarticle/2014/04/26/information-security-vulnerability-in-openssl-joint-statement-a-495148.html#.U1v6iJVZoc8
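The first post lists HMC releases and firmware levels that need the Heartbleed (CVE-2014-0160) fix, and the bulletin above asks institutions to "identify and upgrade vulnerable internal systems and services". One inventory step a defender can take is to check, from a captured TLS handshake, whether an endpoint's TLS stack even advertises the heartbeat extension (RFC 6520, extension type 15) that the bug lives in. The Python below is an added example, not code from the forum thread, from IBM or from the OCC; it parses a TLS 1.2 ServerHello record and reports the advertised extensions, and the sample records it runs against are constructed inline rather than captured from any real HMC.

```python
"""Check whether a TLS ServerHello advertises the heartbeat extension.

Added example for inventorying Heartbleed exposure: an endpoint that does not
advertise extension type 15 cannot be reached through the heartbeat code path at
all, while one that does should be checked against the vendor's fixed versions.
The ServerHello bytes used below are constructed samples, not real captures.
"""
import struct

HEARTBEAT_EXT_TYPE = 15          # RFC 6520 "heartbeat" extension
RENEGOTIATION_INFO_EXT = 0xFF01  # RFC 5746, used only as a harmless second extension


def parse_server_hello_extensions(record: bytes) -> dict:
    """Return {extension_type: extension_data} from a TLS record carrying a ServerHello.

    Layout (TLS 1.0-1.2): 5-byte record header, 4-byte handshake header, then
    server_version(2) random(32) session_id(1+n) cipher_suite(2) compression(1)
    and an optional extensions block: total_len(2) then [type(2) len(2) data]*.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("record does not carry a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")

    pos = 2 + 32                      # skip server_version and random
    sid_len = hello[pos]
    pos += 1 + sid_len                # skip session_id
    pos += 2 + 1                      # skip cipher_suite and compression_method

    extensions = {}
    if pos >= len(hello):             # no extensions block at all
        return extensions
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_total, len(hello))
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        extensions[ext_type] = hello[pos:pos + ext_len]
        pos += ext_len
    return extensions


def advertises_heartbeat(record: bytes) -> bool:
    """True if the server offered the heartbeat extension in its ServerHello."""
    return HEARTBEAT_EXT_TYPE in parse_server_hello_extensions(record)


def build_server_hello(extensions) -> bytes:
    """Construct a minimal TLS 1.2 ServerHello record (test fixture, not a real capture)."""
    hello = b"\x03\x03" + bytes(32)         # version 1.2, all-zero random
    hello += b"\x00"                         # empty session_id
    hello += b"\xc0\x2f"                     # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    hello += b"\x00"                         # null compression
    if extensions:
        ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        hello += struct.pack("!H", len(ext_bytes)) + ext_bytes
    body = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(body)) + body


# Constructed samples: one stack that advertises heartbeat (mode 1 = peer may
# send), one that only advertises renegotiation_info, one with no extensions.
HELLO_WITH_HEARTBEAT = build_server_hello([(RENEGOTIATION_INFO_EXT, b"\x00"),
                                           (HEARTBEAT_EXT_TYPE, b"\x01")])
HELLO_WITHOUT_HEARTBEAT = build_server_hello([(RENEGOTIATION_INFO_EXT, b"\x00")])
HELLO_NO_EXTENSIONS = build_server_hello([])


if __name__ == "__main__":
    for name, rec in [("with heartbeat", HELLO_WITH_HEARTBEAT),
                      ("without heartbeat", HELLO_WITHOUT_HEARTBEAT),
                      ("no extensions", HELLO_NO_EXTENSIONS)]:
        print(f"{name}: heartbeat advertised = {advertises_heartbeat(rec)}")
```

A ServerHello that advertises heartbeat only tells you the extension is enabled; whether the stack is actually affected still depends on the OpenSSL build, so the result is a prioritisation signal for the patch list above, not a substitute for applying the vendor fixes.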
