The updated HPE Windows firmware installer was released in the system ROM and HPE Integrated Lights-Out (iLO) releases documented in earlier HPE Security Bulletins: HPESBHF03805, HPESBHF03835, HPESBHF03831. At that time, the Windows firmware installer was also updated in the versions of HPE Integrated Lights-Out 2, 3, and 4 (iLO 2, 3, and 4) listed in the security bulletin.
The HPE Windows firmware installer was updated in the system ROM updates which also addressed the original Spectre/Meltdown set of vulnerabilities. This issue was resolved in previously provided firmware updates as follows.
The HPE-provided Windows firmware installer for certain Gen9, Gen8, G7, and G6 HPE servers allows local disclosure of privileged information.
The vulnerability could be remotely exploited to disclose the serial number and other information.
A remote buffer overflow vulnerability was identified in HPE Integrated Lights-Out 4 (iLO 4) earlier than v2.61b for Gen9 servers and Integrated Lights-Out 5 (iLO 5) for Gen10 Servers earlier than version v1.39.
A remote cross-site scripting vulnerability was identified in HPE Integrated Lights-Out 4 (iLO 4) earlier than v2.61b for Gen9 servers and Integrated Lights-Out 5 (iLO 5) for Gen10 Servers earlier than version v1.39.
A remote Cross-Site Scripting in HPE iLO 5 Web User Interface vulnerability was identified in HPE Integrated Lights-Out 5 (iLO 5) for Gen10 ProLiant Servers earlier than version v1.40.
A security vulnerability in HPE Integrated Lights-Out 5 (iLO 5) prior to v1.37 could be locally exploited to bypass the security restrictions for firmware updates.
The vulnerability could be exploited to allow remote code execution.
A potential security vulnerability has been identified in HPE Integrated Lights-Out 5 (iLO 5) and Integrated Lights-Out 4 (iLO 4) firmware.
HP Nagios plugin for iLO (nagios-plugins-hpilo v1.50 and earlier) has a PHP code injection vulnerability.
A potential security vulnerability has been identified in HPE iLO Amplifier Pack server version 1.70.
HPE has provided the following software update to resolve the vulnerability in HPE iLO Amplifier Pack: HPE iLO Amplifier Pack 1.95 or later. The vulnerability could be remotely exploited to allow Cross-Site Scripting (XSS). The vulnerabilities could be remotely exploited to allow remote code execution.
A potential security vulnerability has been identified in HPE iLO Amplifier Pack. The vulnerability could be remotely exploited to allow an unauthenticated user to run arbitrary code leading to complete impact to confidentiality, integrity, and availability of the iLO Amplifier Pack appliance.
A remote XSS vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H; version(s): Prior to version 2.78.
A remote DOM XSS, CRLF injection vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H; version(s): Prior to version 2.78.
A local buffer overflow vulnerability was discovered in HPE Integrated Lights-Out 4 (iLO 4); HPE SimpliVity 380 Gen9; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers; HPE SimpliVity 380 Gen10; HPE SimpliVity 2600; HPE SimpliVity 380 Gen10 G; HPE SimpliVity 325; HPE SimpliVity 380 Gen10 H; version(s): Prior to version 2.78.
A potential security vulnerability was identified in HPE iLO Amplifier Pack. A remote unauthenticated directory traversal security vulnerability has been identified in HPE iLO Amplifier Pack versions 1.80, 1.81, 1.90 and 1.95.