
HP Networking Communication: OpenSSL HeartBleed Vulnerability

SUPPORT COMMUNICATION - CUSTOMER NOTICE

Document ID: c04237347

Version: 1

NOTICE: The information in this document, including products and software versions, is current as of the Release Date. This document is subject to change without notice.

Release Date: 2014-04-11

Last Updated: 2014-05-27


DESCRIPTION

On April 8, 2014, HP Networking support was notified of the vulnerability (now known as "Heartbleed") in the open-source and widely used OpenSSL toolkit, which is used to encrypt Web communications. The vulnerability, if exploited, could provide unauthenticated access to portions of system memory and the data stored in that portion of system memory. The defect has garnered a substantial amount of media attention. See the references section for a link to the National Vulnerability Database entry describing the vulnerability in detail.

OpenSSL is used in some HP Networking products to provide encryption and SSL services. HP is committed to delivering secure systems that effectively manage our invaluable customer and employee data. Upon learning of the "Heartbleed" vulnerability, HP teams began an aggressive and comprehensive review of all actively supported products.

We have completed investigations on all HP Networking hardware and software platforms and packages. We have determined that no HP Networking product exhibits the Heartbleed defect, because each product either uses a version of OpenSSL that is not vulnerable or does not use OpenSSL. This includes:
  • All Data Center, Campus & Branch switches and routers
  • All Unified and MSM wireless controllers and access points
  • Network Management Software (IMC, PCM)
  • All HP Networking VoIP solutions
  • All TippingPoint solutions (IPS, NGFW, SMS)
  • HP VAN SDN Controller*

*The VAN SDN controller runs on an Ubuntu host operating environment, and certain versions of Ubuntu (including version 12.04 LTS, which is compatible with the HP VAN SDN controller) have been identified as vulnerable. Please see the references section for a link to the Ubuntu security notice describing patch steps.

HP Networking takes its responsibility of maintaining current security policies very seriously and security remains a top priority for our customers and employees.

We have completed our investigation and verified that HP Networking products are not affected. However, you should still ensure that these security best practices are being followed:
  1. Subscribe to HP’s real-time security information: All HP products use a common centralized security bulletin process managed by HP’s Software Security Response Team (SSRT). We highly encourage all customers to subscribe to SSRT security bulletins by following these steps:
    1. Go to HP.com
    2. Click ‘support’
    3. Click ‘support & troubleshooting’
    4. Click ‘Sign up: driver, support & security alerts’ near bottom of page
  2. Follow the hardening procedures outlined in the following documents:
    1. Hardening ProCurve Switches
    2. Hardening Comware-based devices

Hardware Platforms Affected: Fixed Port Ethernet Routers, Fixed Port L2 Managed Ethernet Switches, Fixed Port L3 Managed Ethernet Switches, Fixed Port Unmanaged Ethernet Switches, Fixed Port Web Managed Ethernet Switches, HP IMC Application Performance Manager Software, HP IMC Branch Intelligent Management Software, HP IMC EPON Software, HP IMC Endpoint Admission Defense Software, HP IMC Extended API Software, HP IMC Firewall Manager Software, HP IMC IPSec/VPN Manager Software, HP IMC Intelligent Analysis Reporter Software, HP IMC Intelligent Traffic Analyzer Software, HP IMC Inter Client Communications Software, HP IMC Lite Platform, HP IMC MPLS VPN Manager Software, HP IMC Network Traffic Analyzer Software, HP IMC QoS Software, HP IMC Remote Site Manager Software, HP IMC SecCenter Software, HP IMC Service Health Manager Software, HP IMC Service Operation Management Software, HP IMC Smart Connect Virtual Appliance Software, HP IMC Smart Connect with Wireless Service Manager Virtual Appliance Software, HP IMC Software DIG Probe Software, HP IMC TACACS+ Authentication Manager Software, HP IMC Unified Communications Health Manager Software, HP IMC Unified Threat Manager Software, HP IMC User Access Management Software, HP IMC User Behavior Auditor Software, HP IMC VAN Connection Manager Software, HP IMC Virtual Application Networking Fabric Manager Software, HP IMC Virtual Application Networking Resource Automation Manager Software, HP IMC Virtual Application Networking Software Defined Network Manager Software, HP IMC Virtualization Monitor Software, HP IMC Voice Services Manager Software, HP IMC Wireless Services Manager Software, HP IMC iNode VPN Client Software, HP Intelligent Management Center Basic Software Platform, HP Intelligent Management Center Basic WLAN Manager Software Platform, HP Intelligent Management Center Enterprise Software Platform, HP Intelligent Management Center Licenses, HP Intelligent Management Center Standard Software Platform, HP M200 802.11n Access Point Series, HP M220 802.11n Access Point Series, HP MSM Controller Series, HP MSM-802.11a/b/g Access Point Series, HP MSM-802.11n Access Point Series, HP MSM-802.11n Dual Radio Access Point Series, HP MSM317 Access Device Series, HP Mobility Integrated Services Access Point Series, HP VAN SDN Controller Software, Modular Ethernet Routers, Modular Ethernet Switches, Modular InfiniBand Routers, Virtual Ethernet Routers, Virtual Ethernet Switches
Components Affected: Not Applicable
Operating Systems Affected: Not Applicable
Software Affected: Not Applicable
Third Party Products Affected: Not Applicable
Support Communication Cross Reference ID: IA04237347

REVISION HISTORY

2
©Copyright 2014 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
