Within just a few days of HP's paid-only patch announcement, a pair of needs for HP patches ran across my desk here at the NewsWire. While many managers don't want to mess with patching HP enterprise systems -- because workarounds do the job and don't create new problems -- two patch needs match up with everyday requirements: security gaps, and fresh functionality.
On the HP 3000 side, an IT administrator wrote this morning looking for TRACERT, the route-tracing utility that HP eventually ported to the 3000 in 2002. The program lives in the HP TELESUP support account on most 3000s, the account that System Engineers and HP support staff once used on the 3000. But at this customer's site, tracert.prvxl.telesup was nowhere to be found.
"It would seem that the HP-or-nothing restriction on patch downloads has officially had an impact, as I can't get the tracert.prvxl.telesup program loaded," said the administrator, adding that they "probably would have requested it back in the day had we known it was going to be locked down."
There are other places than HP's patch site to get TRACERT, since it's been in wide use for years. A community of administrators has been downloading such included software for some time. So long as a customer has a valid MPE/iX license, it doesn't matter how they get the authorized software that's missing from their systems. (This is a place where a 3000-specialized user group could really help the community, if one would just form up.)
HP-UX customers won't be so lucky, although the HP-UX security patches released several times a month might remain available next month without a support payment. HP hasn't immediately responded to email or phone inquiries about free downloads of patches like HPSBUX02552 SSRT100062, a new shield against a locally exploitable vulnerability that was announced just today.
The 3000 world isn't getting these security holes, and HP hasn't created a new patch for the system since 2008. Back when they could purchase support from HP, "many customers would buy a baseline support contract from HP," said Birket Foster, CEO of MB Foster. "Then they'd buy their real services from a third party, because the third parties tended to be more responsive -- and could even make a site visit more readily than HP's remote response center team."
Foster noted that the customers buying HP's Unix servers "don't always buy a support contract with them. If you looked at all the other vendors in that marketplace, certainly Sun does [paid-only patches], and I would imagine that IBM would do the same."
HPSBUX02552 SSRT100062 addresses "a potential security vulnerability that has been identified with HP-UX running Software Distributor (sd). The vulnerability could be exploited locally to grant an increase in privilege, or to permit unauthorized access." HP-UX 11i v1, v2 and v3 are affected.
While many HP-UX security breaches are shared with other kinds of Unix -- hacks on Unixes from Sun and IBM -- this latest one looks like it hacks through an HP-specific tool. Of Software Distributor, HP explains:
Software Distributor (SD) is the standard low-level tool set for working with HP-UX software packages. SD can be used for packaging, installing, copying, listing, removing, and verifying software.
SD is a central component of the HP-UX administration tool set used to deliver, install, update, and maintain HP-UX operating system and application software.
SD is delivered as part of HP-UX, and ongoing releases of SD are available from the Web, the Application Release (AR) media, the Operating Environment (OE) media, and as HP-UX patches.
Most of the hacks on HP's Unix come through the likes of Java, DNS software and Apache -- all included on every server. But the patching against these runs at a relentless pace. In the 86 weeks since the start of 2009, HP has issued 44 Security Bulletins specific to HP-UX. In the same timeframe MPE/iX has had just one, a BIND/iX hack for Remote DNS Cache Poisoning. (HP never did write a patch for that January 2009 hack, but just told customers to migrate DNS to a non-3000.)
If HP's 44 patches now include some that are aimed at tools in HP's own flavor of Unix, then you might make a case that patch payments are essential to relying on this server that HP recommends as an enterprise replacement for the 3000. In contrast, patch payments are probably not required so much for MPE/iX. But as Foster says, "There's no such thing as free software. If it's open source, you're either supposed to contribute whatever you change back to the community -- which means you're employing programmers to do this. Getting software to run in an enterprise requires thought and intention."
Without those two essentials, thought and intention, the level of risk rises in the enterprise. Risk, of course, is something every software environment carries in varied degrees. While HP won't even patch a security risk of the level of DNS anymore, at least the server isn't being hacked every other week like Unix.