Security Bulletin SSRT3608 OpenVMS Potential security vulnerability with DCE/COM

From: Webb, Nigel (SSRT) (nigelwebbhp.com)
Date: Tue Sep 16 2003 - 11:10:49 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SECURITY BULLETIN

REVISION: 1

SSRT3608 - OpenVMS Potential security vulnerability
with DCE/COM

 ---------------------------------------------------------
NOTICE: There are no restrictions for distribution of this Bulletin
provided that it remains complete and intact.

RELEASE DATE: 12 September 2003

SEVERITY: 1

SOURCE: HEWLETT-PACKARD COMPANY
Software Security Response Team

REFERENCE: CERT VU#377804, Microsoft MS03-026

PROBLEM SUMMARY
A potential security vulnerability has been identified with
HP OpenVMS running the Distributed Computing Environment
(DCE) or Component Object Model (COM) where a remote user
may cause a buffer overflow, resulting in the DCE or COM applications
becoming unresponsive. This vulnerability may also be exploited in
the DCE/RPC environment in association with the Blaster worm network
traffic.

VERSIONS IMPACTED
All currently supported versions of HP OpenVMS including
V6.2, V6.2-1H1, V6.2-1H2, V6.2-1H3, V7.1, V7.2, V7.2-1H1, V7.2-1H2,
V7.2-2, V7.3, V7.3-1 VAX or Alpha running Distributed Computing
Environment (DCE) or Component Object Model (COM) applications.

RESOLUTION
For HP OpenVMS systems running DCE or COM applications,
apply the following patches:

HP OpenVMS Alpha Versions V6.2, V6.2-1H1, V6.2-1H2,
V6.2-1H3, V7.1, V7.2, V7.2-1H1, V7.2-1H2, V7.2-2, V7.3,
V7.3-1 running DCE (RPC)

Patch: ALP_DCE_030_SSRT3608-V0100

HP OpenVMS VAX Versions V6.2, V7.1, V7.2, V7.3 running
DCE (RPC)

Patch: VAX_DCE_030_SSRT3608-V0100

HP OpenVMS Alpha Versions V7.2-2, V7.3, V7.3-1 running
COM

Patch: DCOM_013_SSRT3608-V0100

The above patches can be obtained from HP's IT Resource
Center (ITRC): http://www.itrc.hp.com

- From the ITRC home page use the link to: 'maintenance and support for
HP products' and from there use the link to: 'individual patches'.

SUPPORT: For further information, contact HP Services.

SUBSCRIBE: To subscribe to automatically receive future Security
Advisories from the Software Security Response Team via electronic
mail: http://www.support.compaq.com/patches/mail-list.shtml

REPORT: To report a potential security vulnerability with
any HP supported product, send email to:
security-alerthp.com

As always, HP urges you to periodically review your system management
and security procedures. HP will continue to review and enhance the
security features of its products and work with our customers to
maintain and improve the security and integrity of their systems.

"HP is broadly distributing this Security Bulletin in order
to bring to the attention of users of the affected HP
products the important security information contained in
this Bulletin. HP recommends that all users determine the
applicability of this information to their individual situations and
take appropriate action. HP does not warrant that this information is
necessarily accurate or complete for all user situations and,
consequently, HP will not be responsible for any damages resulting
from user's use or disregard of the information provided in this
Bulletin."

(C) Copyright 2001, 2003 Hewlett-Packard Development
Company, L.P.
Hewlett-Packard Company shall not be liable for technical
or editorial errors or omissions contained herein.
The information in this document is subject to change
without notice. Hewlett-Packard Company and the names of
Hewlett-Packard products referenced herein are trademarks of
Hewlett-Packard Company in the United States and other countries.
Other product and company names mentioned herein may be trademarks of
their respective owners.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBP2X+pOAfOvwtKn1ZEQK/eACeK118g94fH+EtgoytR5DVjiC9VecAoPGA
nD/senoP1YtD8tfHqavHSwmj
=wPVT
-----END PGP SIGNATURE-----
