The Zero Day Initiative (ZDI) has disclosed five security holes that Hewlett-Packard has had, and known about, for more than six months.
All the zero-day holes affect products in HP’s enterprise and networking divisions:
• HP LeftHand Virtual SAN
• HP Operations Agent for NonStop
• HP Intelligent Management Center
• HP iNode Management Center
• HP Diagnostics Server
In all five products, remote attackers can exploit programming flaws to inject and execute arbitrary code via specially crafted requests – sometimes even at system user level.
These are all at the highest threat level. In all five cases, the ZDI informed the company of the problems at the end of 2011. HP failed to release patches for any of these critical security holes.
Because companies often made no move to fix the security holes reported to them, ZDI said two years ago that it would in future disclose such holes after 180 days if companies failed to respond. ZDI has invoked its rule more than once.
The odd part about the release of the Zero Day news is that HP owns TippingPoint, which runs ZDI. HP took over TippingPoint when it acquired 3Com.