Operational Defect Database

BugZero found this defect 1337 days ago.

Hewlett Packard Enterprise | a00106000en_us

Advisory: HPE B-Series SAN Switches - Web Tools Launch Will Be Blocked By The Java Security Code When The Java Code Signing Certificate Expires On Select FOS Versions

Last update date:

2/28/2024

Affected products:

Brocade 16Gb SAN Switch for HPE BladeSystem c-Class

Brocade 8Gb SAN Switch for HPE BladeSystem c-Class

HPE 1606 Extension SAN Switch

HPE 8/24 SAN Switch

HPE 8/8 SAN Switch

HPE B-series SN6000B Fibre Channel Switch

HPE B-series SN6500B Fibre Channel Switch

HPE SN3000B Fibre Channel Switch

HPE Storage Fibre Channel Switch B-series SN3600B

HPE Storage Fibre Channel Switch B-series SN6600B

HPE Storage SAN Director Switch

HPE Storage SAN Extension Switch B-series SN4000B

Affected releases:

No affected releases provided.

Fixed releases:

No fixed releases provided.

Description:

Info

All HPE B-series SAN switches with Fabric OS (FOS) versions earlier than v8.2.1 contain a Java code signing certificate that will expire on 13 November 2020. Once this certificate expires, Web Tools launches will be blocked by Java security. The code signing certificate is used on Web Tools jar files to protect against illegal tampering. This certificate is validated by Java before launching the Java client. Switches with an expired code signing certificate will continue to operate without failure. There is no interruption to traffic or any other operation of the switch. Only Web Tools access will be blocked.

Scope

This advisory affects all HPE B-series SAN switches that utilize Web Tools running FOS versions earlier than v8.2.1.

NOTE: HPE B-series switches running FOS v8.2.1 and later, including v8.2.2x and v9.x, are not at risk of having their Web Tools launch blocked by Java code signing certification expiry, due to an enhanced code signing algorithm present in all versions of FOS starting with FOS v8.2.1.

Resolution

HPE recommends upgrading to FOS v8.2.1 or later to obtain the enhanced code signing algorithm that will not block the launch of Web Tools on switches that support FOS v8.x. Customers running versions of FOS earlier than v8.2.1 must install a new Java code signing certificate by upgrading to FOS v8.1.2k, 7.4.2g or later. After upgrading, a new valid certificate will be in use and the launching of Web Tools will not be blocked by Java security.

Workaround

Switches can continue to be managed by HPE SANnav and HPE Network Advisor, provided that the selected operations do not require launching the Web Tools interface. You can also use the CLI- and API-supported interfaces.

IMPORTANT: HPE highly recommends using the resolution or one of the other management tools listed above. The use of the workaround below will disable the Java code signing enforcement.

Users who wish to continue using Web Tools on a switch with an expired certificate can perform the following two-step workaround for Java 8:

1. Add the Web Tools URLs of all the managed switches to the Exception Site List under the Security tab of the Java Control Panel (Note: Also see additional information on how to manage and configure the Exception Site List).
2. Disable signed code certificate revocation checks. To disable signed code certificate revocation checks, select Do not check (not recommended) for Perform signed code Certificate revocation checks under the Advanced tab.

This will allow Web Tools to run after presenting security warnings. Both of these workaround steps must be performed to prevent the Java client launch from being blocked by the Java security code.

Disclaimer: One or more of the links above will take you outside the HPE website. HPE is not responsible for content outside of its domain.
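The version thresholds given under Scope and Resolution can be applied to a switch inventory to see which units still carry the expired certificate. The following is an added example, not HPE or Brocade code; the inventory, switch names and the `verify` bucket for release trains the advisory does not name are assumptions made here.

```python
import re

# Thresholds quoted in the advisory.
ENHANCED_SIGNING = (8, 2, 1, "", 0)           # v8.2.1 and later: not at risk
RENEWED_CERT = {(8, 1): (8, 1, 2, "k", 0),    # v8.1.2k or later
                (7, 4): (7, 4, 2, "g", 0)}    # v7.4.2g or later

_FOS = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)([a-z]?)(\d*)$")

def parse_fos(version):
    """Turn 'v8.1.2k' into a sortable tuple (8, 1, 2, 'k', 0)."""
    m = _FOS.match(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised FOS version: {version!r}")
    major, minor, patch, letter, sub = m.groups()
    return (int(major), int(minor), int(patch), letter, int(sub or 0))

def classify(version):
    """Return 'not-at-risk', 'renewed-cert', 'upgrade' or 'verify'."""
    v = parse_fos(version)
    if v >= ENHANCED_SIGNING:
        return "not-at-risk"
    fixed = RENEWED_CERT.get(v[:2])
    if fixed is not None:
        return "renewed-cert" if v >= fixed else "upgrade"
    # Assumption: the advisory names no fixed release for other trains.
    # Older than v7.4.2g is certainly affected; anything else needs a
    # manual check against the release notes.
    return "upgrade" if v < RENEWED_CERT[(7, 4)] else "verify"

def triage(inventory):
    """Group switch names by status; unparseable versions go to 'verify'."""
    report = {}
    for name, version in inventory.items():
        try:
            status = classify(version)
        except ValueError:
            status = "verify"
        report.setdefault(status, []).append(name)
    return report

# Constructed sample inventory (switch names and versions are made up).
SAMPLE = {"san-a1": "v8.2.1a", "san-a2": "v8.1.2k", "san-b1": "v8.1.2j",
          "san-b2": "v7.4.2f", "san-c1": "v8.0.2e", "san-c2": "9.0.1",
          "san-d1": "unknown"}

if __name__ == "__main__":
    for status, names in sorted(triage(SAMPLE).items()):
        print(f"{status:13} {', '.join(names)}")
```

Switches reported as `upgrade` are the ones where the Java workaround would otherwise be tempting; clearing that list lets the Exception Site List entries and the revocation-check setting be reverted on management workstations.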