HP Support Alerts - 09.12.2015 - Critical Security Bulletins - HP-UX Running Mozilla Firefox and Thunderbird, Remote Disclosure of Information

TBCS IT announces the following HP Support Alert: 

 


If you need any assistance please call us: +49 (0)5321 35 1000 or send an e-mail to sales@tbcs-it.de

 

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04918839

Version: 1

HPSBHF03433 SSRT102964 rev.1 - HP-UX Running Mozilla Firefox and Thunderbird, Remote Disclosure of Information
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2015-12-09

Last Updated: 2015-12-09


Potential Security Impact: Remote Disclosure of Information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY

A potential security vulnerability has been identified with HP-UX Running Mozilla Firefox and Thunderbird. This may allow remote disclosure of information.

Note: This is the TLS vulnerability involving US export-grade 512-bit keys in Diffie-Hellman key exchange, known as "Logjam", which could be exploited remotely, resulting in disclosure of information.

References:
  • CVE-2015-4000
  • PSRT102964

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  • HP-UX Thunderbird v2.0.0.24
  • HP-UX Firefox browser v3.5.09.00

BACKGROUND

For a PGP signed version of this security bulletin please write to: security-alert@hp.com

CVSS 2.0 Base Metrics

Reference       Base Vector                    Base Score
CVE-2015-4000   (AV:N/AC:M/Au:N/C:N/I:P/A:N)   4.3

Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

 

RESOLUTION

HP has provided the following configuration instructions to resolve this vulnerability.

Do the following to mitigate the Logjam issue in HP-UX Firefox and Thunderbird:

HP-UX Firefox browser:
  1. Visit about:config in the Firefox browser
  2. Search for 'ssl3' and disable the DHE_EXPORT ciphers by setting the preference values below to false:
    • security.ssl3.dhe_rsa_aes_128_sha
    • security.ssl3.dhe_rsa_aes_256_sha
  3. Restart the browser

HP-UX Thunderbird:
  1. Select "Preferences" from the "Edit" menu
  2. Select "Advanced" Tab and then click on "Config Editor" button
  3. Search for 'security.ssl3.dhe_rsa_aes' and disable the DHE_EXPORT ciphers by setting the preference values below to false:
    • security.ssl3.dhe_rsa_aes_128_sha
    • security.ssl3.dhe_rsa_aes_256_sha
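
To confirm the change took effect across many profiles, the preference file can be checked instead of opening each client by hand. The following is an added example, not part of the HP bulletin: it parses the text of a profile's prefs.js, reports whether the two preferences above are set to false, and returns the user.js lines still needed. It assumes that a preference with no user_pref line is at its built-in default and treats that as enabled; the function names and the sample file content are constructed for illustration.

```python
import re

# The two preferences the bulletin says to set to false.
LOGJAM_PREFS = (
    "security.ssl3.dhe_rsa_aes_128_sha",
    "security.ssl3.dhe_rsa_aes_256_sha",
)

# Matches one line of prefs.js / user.js: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')


def audit_prefs(prefs_text):
    """Return {pref: True if explicitly set to false, else False}.

    Assumption: a pref with no user_pref line is at its built-in default,
    which is treated as enabled here, so it is reported as not disabled.
    """
    state = {name: False for name in LOGJAM_PREFS}
    for line in prefs_text.splitlines():
        m = PREF_LINE.match(line)
        if m and m.group(1) in state:
            # A later line overrides an earlier one for the same pref.
            state[m.group(1)] = (m.group(2) == "false")
    return state


def user_js_fix(prefs_text):
    """Return the user.js lines still needed to match the bulletin."""
    return [
        'user_pref("%s", false);' % name
        for name, disabled in audit_prefs(prefs_text).items()
        if not disabled
    ]


# Constructed sample profile content, not taken from a real system.
SAMPLE_PREFS = '''\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
user_pref("security.ssl3.dhe_rsa_aes_256_sha", true);
'''

if __name__ == "__main__":
    for name, disabled in audit_prefs(SAMPLE_PREFS).items():
        print("%-40s %s" % (name, "disabled" if disabled else "ENABLED"))
    print("\n".join(user_js_fix(SAMPLE_PREFS)))
```

Lines returned by user_js_fix can be appended to a user.js file in the profile directory, which the client reads at startup; restart the client afterwards, as in the steps above.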

HISTORY
Version: 1 (rev.1) - 9 December 2015 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact your normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com.

Report: To report a potential security vulnerability with any HPE supported product, send Email to: security-alert@hpe.com

Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive

Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX

©Copyright 2015 Hewlett-Packard Development Company, L.P.
 
 
 
 
