Nine Zero Days for HP

Thursday, September 6, 2012 @ 04:09 PM gHale


The Zero Day Initiative (ZDI) has published advisories for more unpatched critical security holes in Hewlett-Packard’s enterprise products. All of the zero-day holes allow remote attackers to inject and execute arbitrary code on the affected server systems.

In late August, ZDI released details of five security holes that HP had known about for more than six months.

Eight of the nine holes carry the highest CVSS risk score, 10.0:
• HP SiteScope SOAP Call update Remote Code Execution Vulnerability
• HP SiteScope SOAP Call loadFileContent Remote Code Execution Vulnerability
• HP SiteScope SOAP Call getFileInternal Remote Code Execution Vulnerability
• HP SiteScope SOAP Call create Remote Code Execution Vulnerability
• HP SiteScope UploadFilesHandler Remote Code Execution Vulnerability
• HP SiteScope SOAP Call getSiteScopeConfiguration Remote Code Execution Vulnerability
• HP Operations Orchestration RSScheduler Service JDBC Connector Remote Code Execution Vulnerability
• HP Intelligent Management Center UAM sprintf Remote Code Execution Vulnerability
• HP Application Lifecycle Management XGO.ocx ActiveX Control Remote Code Execution Vulnerability

Before the disclosure of the vulnerability details, HP had up to a year to close the nine critical security holes.

Since ZDI became part of HP through a takeover, the company has found itself on the receiving end of its own subsidiary’s vulnerability advisories. This is not the first time: two weeks ago, ZDI published five advisories for other unpatched HP security holes.

It remains unclear why HP hasn’t fixed the vulnerabilities despite the ample period of grace it has been given.
