SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01923093
Version: 1
HPSBMI02473 SSRT080138 rev.1 - Cisco Catalyst Blade Switch 3020/3120, Remote Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-11-17
Last Updated: 2009-11-17
Louhi Networks Information Security Research
Security Advisory
Advisory: IBM BladeCenter Advanced Management Module
Multiple vulnerabilities
(XSS type 2 & 1, CSRF, Information Disclosure)
Release Date: 2009-04-09
Last Modified: 2009-04-09
Authors: Henri Lindberg [henri.lindberg@louhi.fi], CISA
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-049
Application: IBM BladeCenter Management Module
Versions Affected: before BPET50G
Vendor URL: http://www-03.ibm.com/systems/bladecenter/
Bug: DoS
Exploits: YES
Reported: 24.07.2009
====================
Abstract :
Cisco Application Control Engine (ACE) is a hardware load balancer
available as an appliance
(Model 4710) or as a Catalyst 6000 blade.
====================
Vulnerability :
When used as a Server Load Balancer and/or SSL offloader it's possible
cisco 12404/PRP (7457) processor with 2097152K bytes of memory.
7457 processor at 1266Mhz, Revision 1.2
1 Cisco 12000 Series Performance Route Processor
1 Cisco 12000 Series - Multi-Service Blade Controller
1 1 Port ISE Packet Over SONET OC-48c/STM-16 Controller (1 POS)
1 Cisco 12000 Series SPA Interface Processor-601/501/401
3 Ethernet/IEEE 802.3 interface(s)
1 SONET/SDH Port controller(s)
1 Packet over SONET/SDH network interface(s)
issue. Products confirmed not vulnerable include:
* Cisco PIX
* Cisco ASA
* Cisco Firewall Services Module (FWSM)
* The Virtual Firewall (VFW) application on the multiservice blade
(MSB) on the Cisco XR 12000 Series Router
Details
=======
Lawrence Berkeley National Laboratory
(510) 486-7204
Thomas Sesselmann discovered that slapd could be crashed by
malformed modify requests.
CVE-2007-5708
Toby Blade discovered that incorrect memory handling in slapo-pcache
could lead to denial of service through crafted search requests.
CVE-2007-6698
It was discovered that a programming error in the interface to the
The following supported software versions are affected:
iLO-2 Management Processors on HP Integrity Servers...
HP Integrity Server model numbers rx2660, rx3600, rx6600 running iLO-2 MP firmware v F.01.58 and earlier
HP Integrity Blade Server model bl860c running iLO-2 MP firmware v T.01.22 and earlier
BACKGROUND
For a PGP signed version of this security bulletin please write to: security-alert@hp.com
CVSS 2.0 Base Metrics
* Cisco PIX 500 Series Firewall
* Cisco ASA 5500 Series Adaptive Security Appliance
* Firewall Services Module (FWSM) for Catalyst 6500 Series Switches
and 7600 Series Routers
* Virtual Firewall (VFW) application on the multiservice blade
(MSB) on the Cisco XR 12000 Series Router
* Cisco ACE Application Control Engine Module
* Cisco IOS devices NOT configured with Cisco IOS Zone-Based Policy
Firewall SIP inspection.
* Cisco IOS devices configured with legacy Cisco IOS Firewall