ESB-2018.2571 - [Appliance] HPE Comware 5 and Comware 7 Products: Denial of service - Remote/unauthenticated 2018-08-30

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2571
         HPESBHF03883 rev.1 - HPE Comware 5 and Comware 7 Products
                    using NTP, Remote Denial of Service
                              30 August 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           HPE Comware 5 Switches
                   HPE Comware 5 Routers
                   HPE Comware 7 Switches
                   HPE Comware 7 Routers
Publisher:         Hewlett-Packard
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-7431 CVE-2016-7428 CVE-2016-7427

Reference:         ESB-2017.0632
                   ESB-2017.0478

Original Bulletin: 
   https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03883en_us

- --------------------------BEGIN INCLUDED TEXT--------------------

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: hpesbhf03883en_us

Version: 1

HPESBHF03883 rev.1 - HPE Comware 5 and Comware 7 Products using NTP, Remote
Denial of Service
NOTICE: The information in this Security Bulletin should be acted upon as soon
as possible.

Release Date: 2018-08-29

Last Updated: 2018-08-29

Potential Security Impact: Remote: Denial of Service (DoS)

Source: Hewlett Packard Enterprise, HPE Product Security Response Team

VULNERABILITY SUMMARY

A potential security vulnerability has been identified in HPE Comware 5 and
Comware 7 products using NTP. The vulnerability could be remotely exploited to
allow remote denial of service.

References:

  o CVE-2016-7427
  o CVE-2016-7428
  o CVE-2016-7431

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  o HPE 12500 Main Processing Unit with Comware v7 Operating System All
    versions
  o Comware v5 (CW5) Products All versions

BACKGROUND

CVSS Version 3.0 and Version 2.0 Base Metrics

  Reference            V3 Vector           V3 Base      V2 Vector      V2 Base
                                            Score                       Score

CVE-2016-7427  CVSS:3.0/AV:A/AC:L/PR:N/    4.3       (AV:A/AC:L/Au:N/  3.3
               UI:N/S:U/C:N/I:N/A:L                  C:N/I:N/A:P)

CVE-2016-7428  CVSS:3.0/AV:A/AC:L/PR:N/    4.3       (AV:A/AC:L/Au:N/  3.3
               UI:N/S:U/C:N/I:N/A:L                  C:N/I:N/A:P)

CVE-2016-7431  CVSS:3.0/AV:N/AC:L/PR:N/    5.3       (AV:N/AC:L/Au:N/  5.0
               UI:N/S:U/C:N/I:L/A:N                  C:N/I:P/A:N)

Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002

RESOLUTION

HPE has made the following software updates to resolve the vulnerability in the
below Comware 5 and Comware 7 products.

  o 12500 (Comware 5) - Version: R1829P04

      o HPE Branded Products Impacted
          o JC072B HPE 12500 Main Processing Unit
          o JC085A HPE A12518 Switch Chassis
          o JC086A HPE A12508 Switch Chassis
          o JC652A HPE 12508 DC Switch Chassis
          o JC653A HPE 12518 DC Switch Chassis
          o JC654A HPE 12504 AC Switch Chassis
          o JC655A HPE 12504 DC Switch Chassis
          o JC808A HPE 12500 TAA Main Processing Unit
          o JF430A HPE A12518 Switch Chassis
          o JF430B HPE 12518 Switch Chassis
          o JF430C HPE 12518 AC Switch Chassis
          o JF431A HPE A12508 Switch Chassis
          o JF431B HPE 12508 Switch Chassis
          o JF431C HPE 12508 AC Switch Chassis
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o 9500E (Comware 5) - Version: R1829P04

      o HPE Branded Products Impacted
          o JC124A HP A9508 Switch Chassis
          o JC124B HP 9505 Switch Chassis
          o JC125A HP A9512 Switch Chassis
          o JC125B HP 9512 Switch Chassis
          o JC474A HP A9508-V Switch Chassis
          o JC474B HP 9508-V Switch Chassis
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o A6600 (Comware 5) - Version: R3303P36

      o HPE Branded Products Impacted
          o JC165A HPE 6600 RPE-X1 Router Module
          o JC177A HPE 6608 Router
          o JC177B HPE 6608 Router Chassis
          o JC178A HPE 6604 Router Chassis
          o JC178B HPE 6604 Router Chassis
          o JC496A HPE 6616 Router Chassis
          o JC566A HPE 6600 RSE-X1 Router Main Processing Unit
          o JG780A HPE 6600 RSE-X1 TAA-compliant Main Processing Unit
          o JG781A HPE 6600 RPE-X1 TAA-compliant Main Processing Unit
  o HSR6602 (Comware 5) - Version: R3303P36

      o HPE Branded Products Impacted
          o JC176A HPE 6602 Router Chassis
          o JG353A HPE HSR6602-G Router
          o JG354A HPE HSR6602-XG Router
          o JG355A HPE 6600 MCP-X1 Router Main Processing Unit
          o JG356A HPE 6600 MCP-X2 Router Main Processing Unit
          o JG776A HPE HSR6602-G TAA-compliant Router
          o JG777A HPE HSR6602-XG TAA-compliant Router
          o JG778A HPE 6600 MCP-X2 Router TAA-compliant Main Processing Unit
  o HSR6800 (Comware 5) - Version: R3303P36

      o HPE Branded Products Impacted
          o JG361A HPE HSR6802 Router Chassis
          o JG361B HPE HSR6802 Router Chassis
          o JG362A HPE HSR6804 Router Chassis
          o JG362B HPE HSR6804 Router Chassis
          o JG363A HPE HSR6808 Router Chassis
          o JG363B HPE HSR6808 Router Chassis
          o JG364A HPE HSR6800 RSE-X2 Router Main Processing Unit
          o JG779A HPE HSR6800 RSE-X2 Router TAA-compliant Main Processing Unit
  o 5830 (Comware 5) - Version: R1118P18

      o HPE Branded Products Impacted
          o JC691A HPE 5830AF-48G Switch with 1 Interface Slot
          o JC694A HPE 5830AF-96G Switch
          o JG316A HPE 5830AF-48G TAA-compliant Switch w/1 Interface Slot
          o JG374A HPE 5830AF-96G TAA-compliant Switch
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o 5800 (Comware 5) - Version: R1810P12

      o HPE Branded Products Impacted
          o JC099A HPE 5800-24G-PoE Switch
          o JC099B HPE 5800-24G-PoE+ Switch
          o JC100A HPE 5800-24G Switch
          o JC100B HPE 5800-24G Switch
          o JC101A HPE 5800-48G Switch with 2 Slots
          o JC101B HPE 5800-48G-PoE+ Switch with 2 Interface Slots
          o JC103A HPE 5800-24G-SFP Switch
          o JC103B HPE 5800-24G-SFP Switch with 1 Interface Slot
          o JC104A HPE 5800-48G-PoE Switch
          o JC104B HPE 5800-48G-PoE+ Switch with 1 Interface Slot
          o JC105A HPE 5800-48G Switch
          o JC105B HPE 5800-48G Switch with 1 Interface Slot
          o JG254A HPE 5800-24G-PoE+ TAA-compliant Switch
          o JG254B HPE 5800-24G-PoE+ TAA-compliant Switch
          o JG255A HPE 5800-24G TAA-compliant Switch
          o JG255B HPE 5800-24G TAA-compliant Switch
          o JG256A HPE 5800-24G-SFP TAA-compliant Switch with 1 Interface Slot
          o JG256B HPE 5800-24G-SFP TAA-compliant Switch with 1 Interface Slot
          o JG257A HPE 5800-48G-PoE+ TAA-compliant Switch with 1 Interface Slot
          o JG257B HPE 5800-48G-PoE+ TAA-compliant Switch with 1 Interface Slot
          o JG258A HPE 5800-48G TAA-compliant Switch with 1 Interface Slot
          o JG258B HPE 5800-48G TAA-compliant Switch with 1 Interface Slot
          o JG225A HPE 5800AF-48G Switch
          o JG225B HPE 5800AF-48G Switch
          o JG242A HPE 5800-48G-PoE+ TAA-compliant Switch with 2 Interface
            Slots
          o JG242B HPE 5800-48G-PoE+ TAA-compliant Switch with 2 Interface
          o JG243A HPE 5820-24XG-SFP+ TAA-compliant Switch
          o JG243B HPE 5820-24XG-SFP+ TAA-compliant Switch
          o JG259A HPE 5820X-14XG-SFP+ TAA-compliant Switch with 2 Interface
            Slots & 1 OAA Slot
          o JG259B HPE 5820-14XG-SFP+ TAA-compliant Switch with 2 Interface
            Slots and 1 OAA Slot
          o JC106A HPE 5820-14XG-SFP+ Switch with 2 Slots
          o JC106B HPE 5820-14XG-SFP+ Switch with 2 Interface Slots & 1 OAA
            Slot
          o JG219A HPE 5820AF-24XG Switch
          o JG219B HPE 5820AF-24XG Switch
          o JC102A HPE 5820-24XG-SFP+ Switch
          o JC102B HPE 5820-24XG-SFP+ Switch
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o 5500 HI (Comware 5) - Version: R5501P32

      o HPE Branded Products Impacted
          o JG311A HPE 5500-24G-4SFP HI Switch with 2 Interface Slots
          o JG312A HPE 5500-48G-4SFP HI Switch with 2 Interface Slots
          o JG541A HPE 5500-24G-PoE+-4SFP HI Switch with 2 Interface Slots
          o JG542A HPE 5500-48G-PoE+-4SFP HI Switch with 2 Interface Slots
          o JG543A HPE 5500-24G-SFP HI Switch with 2 Interface Slots
          o JG679A HPE 5500-24G-PoE+-4SFP HI TAA-compliant Switch with 2
            Interface Slots
          o JG680A HPE 5500-48G-PoE+-4SFP HI TAA-compliant Switch with 2
            Interface Slots
          o JG681A HPE 5500-24G-SFP HI TAA-compliant Switch with 2 Interface
            Slots
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o 5500 EI (Comware 5) - Version: R2222P05

      o HPE Branded Products Impacted
          o JD373A HPE 5500-24G DC EI Switch
          o JD374A HPE 5500-24G-SFP EI Switch
          o JD375A HPE 5500-48G EI Switch
          o JD376A HPE 5500-48G-PoE EI Switch
          o JD377A HPE 5500-24G EI Switch
          o JD378A HPE 5500-24G-PoE EI Switch
          o JD379A HPE 5500-24G-SFP DC EI Switch
          o JG240A HPE 5500-48G-PoE+ EI Switch with 2 Interface Slots
          o JG241A HPE 5500-24G-PoE+ EI Switch with 2 Interface Slots
          o JG249A HPE 5500-24G-SFP EI TAA-compliant Switch with 2 Interface
          o JG250A HPE 5500-24G EI TAA-compliant Switch with 2 Interface Slots
          o JG251A HPE 5500-48G EI TAA-compliant Switch with 2 Interface Slots
          o JG252A HPE 5500-24G-PoE+ EI TAA-compliant Switch with 2 Interface
            Slots
          o JG253A HPE 5500-48G-PoE+ EI TAA-compliant Switch with 2 Interface
            Slots
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o 4800G (Comware 5) - Version: R2222P05

      o HPE Branded Products Impacted
          o JD007A HP 4800-24G Switch
          o JD008A HP 4800-24G-PoE Switch
          o JD009A HP 4800-24G-SFP Switch
          o JD010A HP 4800-48G Switch
          o JD011A HP 4800-48G-PoE Switch
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o 5500SI (Comware 5) - Version: R2222P05

      o HPE Branded Products Impacted
          o JD369A HP 5500-24G SI Switch
          o JD370A HP 5500-48G SI Switch
          o JD371A HP 5500-24G-PoE SI Switch
          o JD372A HP 5500-48G-PoE SI Switch
          o JG238A HP 5500-24G-PoE+ SI Switch with 2 Interface Slots
          o JG239A HP 5500-48G-PoE+ SI Switch with 2 Interface Slots
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o 4210G - Version: R2222P05

      o HPE Branded Products Impacted
          o JF844A HP 4210-24G Switch
          o JF845A HP 4210-48G Switch
          o JF846A HP 4210-24G-PoE Switch
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o 5120 EI (Comware 5) - Version: R2222P05

      o HPE Branded Products Impacted
          o JE066A HPE 5120-24G EI Switch
          o JE067A HPE 5120-48G EI Switch
          o JE068A HPE 5120-24G EI Switch with 2 Interface Slots
          o JE069A HPE 5120-48G EI Switch with 2 Interface Slots
          o JE070A HPE 5120-24G-PoE EI 2-slot Switch
          o JE071A HPE 5120-48G-PoE EI 2-slot Switch
          o JG236A HPE 5120-24G-PoE+ EI Switch with 2 Interface Slots
          o JG237A HPE 5120-48G-PoE+ EI Switch with 2 Interface Slots
          o JG245A HPE 5120-24G EI TAA-compliant Switch with 2 Interface Slots
          o JG246A HPE 5120-48G EI TAA-compliant Switch with 2 Interface Slots
          o JG247A HPE 5120-24G-PoE+ EI TAA-compliant Switch with 2 Slots
          o JG248A HPE 5120-48G-PoE+ EI TAA-compliant Switch with 2 Slots
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o 4510G (Comware 5) - Version: R2222P05

      o HPE Branded Products Impacted
          o JF428A HP 4510-48G Switch
          o JF847A HP 4510-24G Switch
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o 5120 SI (Comware 5) - Version: R1519P01

      o HPE Branded Products Impacted
          o JE072A HPE 5120-48G SI Switch
          o JE072B HPE 5120 48G SI Switch
          o JE073A HPE 5120-16G SI Switch
          o JE073B HPE 5120 16G SI Switch
          o JE074A HPE 5120-24G SI Switch
          o JE074B HPE 5120 24G SI Switch
          o JG091A HPE 5120-24G-PoE+ (370W) SI Switch
          o JG091B HPE 5120 24G PoE+ (370W) SI Switch
          o JG092A HPE 5120-24G-PoE+ (170W) SI Switch
          o JG309B HPE 5120 8G PoE+ (180W) SI Switch
          o JG310B HPE 5120 8G PoE+ (65W) SI Switch
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o 3610 (Comware 5) - Version: R5319P19

      o HPE Branded Products Impacted
          o JD335A HP 3610-48 Switch
          o JD336A HP 3610-24-4G-SFP Switch
          o JD337A HP 3610-24-2G-2G-SFP Switch
          o JD338A HP 3610-24-SFP Switch
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o 3600V2 (Comware 5) - Version: R2111P07

      o HPE Branded Products Impacted
          o JG299A HPE 3600-24 v2 EI Switch
          o JG299B HPE 3600-24 v2 EI Switch
          o JG300A HPE 3600-48 v2 EI Switch
          o JG300B HPE 3600-48 v2 EI Switch
          o JG301A HPE 3600-24-PoE+ v2 EI Switch
          o JG301B HPE 3600-24-PoE+ v2 EI Switch
          o JG301C HPE 3600-24-PoE+ v2 EI Switch
          o JG302A HPE 3600-48-PoE+ v2 EI Switch
          o JG302B HPE 3600-48-PoE+ v2 EI Switch
          o JG302C HPE 3600-48-PoE+ v2 EI Switch
          o JG303A HPE 3600-24-SFP v2 EI Switch
          o JG303B HPE 3600-24-SFP v2 EI Switch
          o JG304A HPE 3600-24 v2 SI Switch
          o JG304B HPE 3600-24 v2 SI Switch
          o JG305A HPE 3600-48 v2 SI Switch
          o JG305B HPE 3600-48 v2 SI Switch
          o JG306A HPE 3600-24-PoE+ v2 SI Switch
          o JG306B HPE 3600-24-PoE+ v2 SI Switch
          o JG306C HPE 3600-24-PoE+ v2 SI Switch
          o JG307A HPE 3600-48-PoE+ v2 SI Switch
          o JG307B HPE 3600-48-PoE+ v2 SI Switch
          o JG307C HPE 3600-48-PoE+ v2 SI Switch
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o 3100V2-48 (Comware 5) - Version: R2111P07

      o HPE Branded Products Impacted
          o JG315A HPE 3100-48 v2 Switch
          o JG315B HPE 3100-48 v2 Switch
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o 3100V2 - Version: R5213P07

      o HPE Branded Products Impacted
          o JD313B HPE 3100 24 PoE v2 EI Switch
          o JD318B HPE 3100 8 v2 EI Switch
          o JD319B HPE 3100 16 v2 EI Switch
          o JD320B HPE 3100 24 v2 EI Switch
          o JG221A HPE 3100 8 v2 SI Switch
          o JG222A HPE 3100 16 v2 SI Switch
          o JG223A HPE 3100 24 v2 SI Switch
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o HP870 (Comware 5) - Version: R2607P60

      o HPE Branded Products Impacted
          o JG723A HPE 870 Unified Wired-WLAN Appliance
          o JG725A HPE 870 Unified Wired-WLAN TAA-compliant Appliance
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o HP850 (Comware 5) - Version: R2607P60

      o HPE Branded Products Impacted
          o JG722A HPE 850 Unified Wired-WLAN Appliance
          o JG724A HPE 850 Unified Wired-WLAN TAA-compliant Appliance
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o HP830 (Comware 5) - Version: R3507P60

      o HPE Branded Products Impacted
          o JG640A HP 830 24-Port PoE+ Unified Wired-WLAN Switch
          o JG641A HP 830 8-port PoE+ Unified Wired-WLAN Switch
          o JG646A HP 830 24-Port PoE+ Unified Wired-WLAN TAA-compliant Switch
          o JG647A HP 830 8-Port PoE+ Unified Wired-WLAN TAA-compliant
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o SecBlade FW (Comware 5) - Version: R3181P10

      o HPE Branded Products Impacted
          o JC635A HP 12500 VPN Firewall Module
          o JD245A HP 9500 VPN Firewall Module
          o JD249A HP 10500/7500 Advanced VPN Firewall Module
          o JD250A HP 6600 Firewall Processing Router Module
          o JD251A HP 8800 Firewall Processing Module
          o JD255A HP 5820 VPN Firewall Module
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o F1000-E (Comware 5) - Version: R3181P10

      o HPE Branded Products Impacted
          o JD272A HP F1000-E VPN Firewall Appliance
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o F1000-A-EI (Comware 5) - Version: R3734P12

      o HPE Branded Products Impacted
          o JG214A HP F1000-A-EI VPN Firewall Appliance
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o F1000-S-EI (Comware 5) - Version: R3734P12

      o HPE Branded Products Impacted
          o JG213A HP F1000-S-EI VPN Firewall Appliance
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o U200S and CS (Comware 5) - Version: F5123P35

      o HPE Branded Products Impacted
          o JD273A HP U200-S UTM Appliance
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o U200A and M (Comware 5) - Version: F5123P35

      o HPE Branded Products Impacted
          o JD275A HP U200-A UTM Appliance
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o F5000-C/S (Comware 5) - Version: R3811P09

      o HPE Branded Products Impacted
          o JG650A HP F5000-C VPN Firewall Appliance
          o JG370A HP F5000-S VPN Firewall Appliance
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o SecBlade III (Comware 5) - Version: R3820P09

      o HPE Branded Products Impacted
          o JG371A HP 12500 20Gbps VPN Firewall Module
          o JG372A HP 10500/11900/7500 20Gbps VPN Firewall Module
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o SMB1910 (Comware 5) - Version: R1117

      o HPE Branded Products Impacted
          o JG540A HP 1910-48 Switch
          o JG539A HP 1910-24-PoE+ Switch
          o JG538A HP 1910-24 Switch
          o JG537A HP 1910-8 -PoE+ Switch
          o JG536A HP 1910-8 Switch
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o SMB1920 (Comware 5) - Version: R1116

      o HPE Branded Products Impacted
          o JG928A HP 1920-48G-PoE+ (370W) Switch
          o JG927A HP 1920-48G Switch
          o JG926A HP 1920-24G-PoE+ (370W) Switch
          o JG925A HP 1920-24G-PoE+ (180W) Switch
          o JG924A HP 1920-24G Switch
          o JG923A HP 1920-16G Switch
          o JG922A HP 1920-8G-PoE+ (180W) Switch
          o JG921A HP 1920-8G-PoE+ (65W) Switch
          o JG920A HP 1920-8G Switch
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o V1910 (Comware 5) - Version: R1519P01

      o HPE Branded Products Impacted
          o JE005A HP 1910-16G Switch
          o JE006A HP 1910-24G Switch
          o JE007A HP 1910-24G-PoE (365W) Switch
          o JE008A HP 1910-24G-PoE(170W) Switch
          o JE009A HP 1910-48G Switch
          o JG348A HP 1910-8G Switch
          o JG349A HP 1910-8G-PoE+ (65W) Switch
          o JG350A HP 1910-8G-PoE+ (180W) Switch
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o 12500 (Comware 7) - Version: R7377P04

      o HPE Branded Products Impacted
          o JC072B HPE 12500 Main Processing Unit
          o JC085A HPE A12518 Switch Chassis
          o JC086A HPE A12508 Switch Chassis
          o JC652A HPE 12508 DC Switch Chassis
          o JC653A HPE 12518 DC Switch Chassis
          o JC654A HPE 12504 AC Switch Chassis
          o JC655A HPE 12504 DC Switch Chassis
          o JF430A HPE A12518 Switch Chassis
          o JF430B HPE 12518 Switch Chassis
          o JF430C HPE 12518 AC Switch Chassis
          o JF431A HPE A12508 Switch Chassis
          o JF431B HPE 12508 Switch Chassis
          o JF431C HPE 12508 AC Switch Chassis
          o JG497A HPE 12500 MPU w/Comware V7 OS
          o JG782A HPE FF 12508E AC Switch Chassis
          o JG783A HPE FF 12508E DC Switch Chassis
          o JG784A HPE FF 12518E AC Switch Chassis
          o JG785A HPE FF 12518E DC Switch Chassis
          o JG802A HPE FF 12500E MPU
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o 10500 (Comware 7) - Version: R7557P01

      o HPE Branded Products Impacted
          o JC611A HPE 10508-V Switch Chassis
          o JC612A HPE 10508 Switch Chassis
          o JC613A HPE 10504 Switch Chassis
          o JC748A HPE 10512 Switch Chassis
          o JG608A HPE FlexFabric 11908-V Switch Chassis
          o JG609A HPE FlexFabric 11900 Main Processing Unit
          o JG820A HPE 10504 TAA Switch Chassis
          o JG821A HPE 10508 TAA Switch Chassis
          o JG822A HPE 10508-V TAA Switch Chassis
          o JG823A HPE 10512 TAA Switch Chassis
          o JG496A HPE 10500 Type A MPU w/Comware v7 OS
          o JH198A HPE 10500 Type D Main Processing Unit with Comware v7
            Operating System
          o JH206A HPE 10500 Type D TAA-compliant with Comware v7 Operating
            System Main Processing Unit
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o 7500 (Comware 7) - Version: R7557P01

      o HPE Branded Products Impacted
          o JD238C HPE 7510 Switch Chassis
          o JD239C HPE 7506 Switch Chassis
          o JD240C HPE 7503 Switch Chassis
          o JD242C HPE 7502 Switch Chassis
          o JH207A HPE 7500 1.2Tbps Fabric with 2-port 40GbE QSFP+ for IRF-Only
            Main Processing Unit
          o JH208A HPE 7502 Main Processing Unit
          o JH209A HPE 7500 2.4Tbps Fabric with 8-port 1/10GbE SFP+ and 2-port
            40GbE QSFP+ Main Processing Unit
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o 12900E (Comware 7) - Version: R2706P01

      o HPE Branded Products Impacted
          o JG619A HPE FlexFabric 12910 Switch AC Chassis
          o JG621A HPE FlexFabric 12910 Main Processing Unit
          o JG632A HPE FlexFabric 12916 Switch AC Chassis
          o JG634A HPE FlexFabric 12916 Main Processing Unit
          o JH104A HPE FlexFabric 12900E Main Processing Unit
          o JH114A HPE FlexFabric 12910 TAA-compliant Main Processing Unit
          o JH263A HPE FlexFabric 12904E Main Processing Unit
          o JH255A HPE FlexFabric 12908E Switch Chassis
          o JH262A HPE FlexFabric 12904E Switch Chassis
          o JH113A HPE FlexFabric 12910 TAA-compliant Switch AC Chassis
          o JH103A HPE FlexFabric 12916E Switch Chassis
          o JH668A HPE FlexFabric 12904E v2 Main Processing Unit
          o JH669A HPE FlexFabric 12900E v2 Main Processing Unit
          o JH345A HPE FlexFabric 12902E Switch Chassis
          o JH346A HPE FlexFabric 12902E Main Processing Unit
          o JH951A HPE FlexFabric 12901E Switch Chassis
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o 5900 (Comware 7) - Version: R2432P03

      o HPE Branded Products Impacted
          o JC772A HPE 5900AF-48XG-4QSFP+ Switch
          o JG296A HPE 5920AF-24XG Switch
          o JG336A HPE 5900AF-48XGT-4QSFP+ Switch
          o JG510A HPE 5900AF-48G-4XG-2QSFP+ Switch
          o JG554A HPE 5900AF-48XG-4QSFP+ TAA Switch
          o JG555A HPE 5920AF-24XG TAA Switch
          o JG838A HPE FF 5900CP-48XG-4QSFP+ Switch
          o JH036A HPE FlexFabric 5900CP 48XG 4QSFP+ TAA-Compliant
          o JH037A HPE 5900AF 48XGT 4QSFP+ TAA-Compliant Switch
          o JH038A HPE 5900AF 48G 4XG 2QSFP+ TAA-Compliant
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o MSR95X (Comware 7) - Version: R0605P13

      o HPE Branded Products Impacted
          o JH296A HPE MSR954 1GbE SFP 2GbE-WAN 4GbE-LAN CWv7 Router
          o JH297A HPE MSR954-W 1GbE SFP (WW) 2GbE-WAN 4GbE-LAN Wireless
            802.11n CWv7 Router
          o JH298A HPE MSR954-W 1GbE SFP LTE (AM) 2GbE-WAN 4GbE-LAN Wireless
            802.11n CWv7 Router
          o JH299A HPE MSR954-W 1GbE SFP LTE (WW) 2GbE-WAN 4GbE-LAN Wireless
            802.11n CWv7 Router
          o JH300A HPE FlexNetwork MSR958 1GbE and Combo 2GbE WAN 8GbE LAN
            Router
          o JH301A HPE FlexNetwork MSR958 1GbE and Combo 2GbE WAN 8GbE LAN PoE
            Router
          o JH373A HPE MSR954 Serial 1GbE Dual 4GLTE (WW) CWv7 Router
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o MSR1000 (Comware 7) - Version: R0306P83

      o HPE Branded Products Impacted
          o JG875A HPE MSR1002-4 AC Router
          o JH060A HPE MSR1003-8S AC Router
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o MSR2000 (Comware 7) - Version: R0306P83

      o HPE Branded Products Impacted
          o JG411A HPE MSR2003 AC Router
          o JG734A HPE MSR2004-24 AC Router
          o JG735A HPE MSR2004-48 Router
          o JG866A HPE MSR2003 TAA-compliant AC Router
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o MSR3000 (Comware 7) - Version: R0306P83

      o HPE Branded Products Impacted
          o JG404A HPE MSR3064 Router
          o JG405A HPE MSR3044 Router
          o JG406A HPE MSR3024 AC Router
          o JG407A HPE MSR3024 DC Router
          o JG408A HPE MSR3024 PoE Router
          o JG409A HPE MSR3012 AC Router
          o JG410A HPE MSR3012 DC Router
          o JG861A HPE MSR3024 TAA-compliant AC Router
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o MSR4000 (Comware 7) - Version: R0306P83

      o HPE Branded Products Impacted
          o JG402A HPE MSR4080 Router Chassis
          o JG403A HPE MSR4060 Router Chassis
          o JG412A HPE MSR4000 MPU-100 Main Processing Unit
          o JG869A HPE MSR4000 TAA-compliant MPU-100 Main Processing Unit
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o VSR (Comware 7) - Version: R0326

      o HPE Branded Products Impacted
          o JG810AAE HPE VSR1001 Virtual Services Router 60 Day Evaluation
            Software
          o JG811AAE HPE VSR1001 Comware 7 Virtual Services Router
          o JG812AAE HPE VSR1004 Comware 7 Virtual Services Router
          o JG813AAE HPE VSR1008 Comware 7 Virtual Services Router
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o 7900 (Comware 7) - Version: R2710

      o HPE Branded Products Impacted
          o JG682A HPE FlexFabric 7904 Switch Chassis
          o JG841A HPE FlexFabric 7910 Switch Chassis
          o JG842A HPE FlexFabric 7910 7.2Tbps Fabric / Main Processing Unit
          o JH001A HPE FlexFabric 7910 2.4Tbps Fabric / Main Processing Unit
          o JH122A HPE FlexFabric 7904 TAA-compliant Switch Chassis
          o JH123A HPE FlexFabric 7910 TAA-compliant Switch Chassis
          o JH124A HPE FlexFabric 7910 7.2Tbps TAA-compliant Fabric/Main
            Processing Unit
          o JH125A HPE FlexFabric 7910 2.4Tbps TAA-compliant Fabric/Main
            Processing Unit
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o 5130EI (Comware 7) - Version: R3116

      o HPE Branded Products Impacted
          o JG932A HPE 5130-24G-4SFP+ EI Switch
          o JG933A HPE 5130-24G-SFP-4SFP+ EI Switch
          o JG934A HPE 5130-48G-4SFP+ EI Switch
          o JG936A HPE 5130-24G-PoE+-4SFP+ (370W) EI Switch
          o JG937A HPE 5130-48G-PoE+-4SFP+ (370W) EI Switch
          o JG938A HPE 5130-24G-2SFP+-2XGT EI Switch
          o JG939A HPE 5130-48G-2SFP+-2XGT EI Switch
          o JG940A HPE 5130-24G-PoE+-2SFP+-2XGT (370W) EI Switch
          o JG941A HPE 5130-48G-PoE+-2SFP+-2XGT (370W) EI Switch
          o JG975A HPE 5130-24G-4SFP+ EI Brazil Switch
          o JG976A HPE 5130-48G-4SFP+ EI Brazil Switch
          o JG977A HPE 5130-24G-PoE+-4SFP+ (370W) EI Brazil Switch
          o JG978A HPE 5130-48G-PoE+-4SFP+ (370W) EI Brazil Switch
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o 6125XLG - Version: R2432P03

      o HPE Branded Products Impacted
          o 711307-B21 HPE 6125XLG Blade Switch
          o 737230-B21 HPE 6125XLG Blade Switch with TAA
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o 6127XLG - Version: R2432P03

      o HPE Branded Products Impacted
          o 787635-B21 HPE 6127XLG Blade Switch Opt Kit
          o 787635-B22 HPE 6127XLG Blade Switch with TAA
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o 5700 (Comware 7) - Version: R2432P03

      o HPE Branded Products Impacted
          o JG894A HPE FlexFabric 5700-48G-4XG-2QSFP+ Switch
          o JG895A HPE FlexFabric 5700-48G-4XG-2QSFP+ TAA-compliant Switch
          o JG896A HPE FlexFabric 5700-40XG-2QSFP+ Switch
          o JG897A HPE FlexFabric 5700-40XG-2QSFP+ TAA-compliant Switch
          o JG898A HPE FlexFabric 5700-32XGT-8XG-2QSFP+ Switch
          o JG899A HPE FlexFabric 5700-32XGT-8XG-2QSFP+ TAA-compliant Switch
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o 5930 (Comware 7) - Version: R2432P03

      o HPE Branded Products Impacted
          o JG726A HPE FlexFabric 5930 32QSFP+ Switch
          o JG727A HPE FlexFabric 5930 32QSFP+ TAA-compliant Switch
          o JH178A HPE FlexFabric 5930 2QSFP+ 2-slot Switch
          o JH179A HPE FlexFabric 5930 4-slot Switch
          o JH187A HPE FlexFabric 5930 2QSFP+ 2-slot TAA-compliant Switch
          o JH188A HPE FlexFabric 5930 4-slot TAA-compliant Switch
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o HSR6600 (Comware 7) - Version: R7103P15

      o HPE Branded Products Impacted
          o JG353A HPE HSR6602-G Router
          o JG354A HPE HSR6602-XG Router
          o JG776A HPE HSR6602-G TAA-compliant Router
          o JG777A HPE HSR6602-XG TAA-compliant Router
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o HSR6800 (Comware 7) - Version: R7103P15

      o HPE Branded Products Impacted
          o JG361A HPE HSR6802 Router Chassis
          o JG361B HPE HSR6802 Router Chassis
          o JG362A HPE HSR6804 Router Chassis
          o JG362B HPE HSR6804 Router Chassis
          o JG363A HPE HSR6808 Router Chassis
          o JG363B HPE HSR6808 Router Chassis
          o JG364A HPE HSR6800 RSE-X2 Router Main Processing Unit
          o JG779A HPE HSR6800 RSE-X2 Router TAA-compliant Main Processing
          o JH075A HPE HSR6800 RSE-X3 Router Main Processing Unit
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o 1950 (Comware 7) - Version: R3116

      o HPE Branded Products Impacted
          o JG960A HPE 1950-24G-4XG Switch
          o JG961A HPE 1950-48G-2SFP+-2XGT Switch
          o JG962A HPE 1950-24G-2SFP+-2XGT-PoE+(370W) Switch
          o JG963A HPE 1950-48G-2SFP+-2XGT-PoE+(370W) Switch
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o 5950 (Comware 7) - Version: R6205P03

      o HPE Branded Products Impacted
          o JH321A HPE FlexFabric 5950 32QSFP28 Switch
          o JH402A HPE FlexFabric 5950 48SFP28 8QSFP28 Switch
          o JH404A HPE FlexFabric 5950 4-slot Switch
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o 5940 (Comware 7) - Version: R2609

      o HPE Branded Products Impacted
          o JH390A HPE FlexFabric 5940 48SFP+ 6QSFP28 Switch
          o JH391A HPE FlexFabric 5940 48XGT 6QSFP28 Switch
          o JH394A HPE FlexFabric 5940 48XGT 6QSFP+ Switch
          o JH395A HPE FlexFabric 5940 48SFP+ 6QSFP+ Switch
          o JH396A HPE FlexFabric 5940 32QSFP+ Switch
          o JH397A HPE FlexFabric 5940 2-slot Switch
          o JH398A HPE FlexFabric 5940 4-slot Switch
          o JQ044A HPE FlexFabric 5940 4-slot Back-to-Front AC Bundle
          o JQ043A HPE FlexFabric 5940 4-slot Front-to-Back AC Bundle
          o JQ042A HPE FlexFabric 5940 2-slot 2QSFP+ Back-to-Front AC Bundle
          o JQ041A HPE FlexFabric 5940 2-slot 2QSFP+ Front-to-Back AC Bundle
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o 5510HI (Comware 7) - Version: R1122P01

      o HPE Branded Products Impacted
          o JH145A HPE 5510 24G 4SFP+ HI 1-slot Switch
          o JH146A HPE 5510 48G 4SFP+ HI 1-slot Switch
          o JH147A HPE 5510 24G PoE+ 4SFP+ HI 1-slot Switch
          o JH148A HPE 5510 48G PoE+ 4SFP+ HI 1-slot Switch
          o JH149A HPE 5510 24G SFP 4SFP+ HI 1-slot Switch
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431
  o 5130HI (Comware 7) - Version: R1122P01

      o HPE Branded Products Impacted
          o JH323A HPE 5130 24G 4SFP+ 1-slot HI Switch
          o JH324A HPE 5130 48G 4SFP+ 1-slot HI Switch
          o JH325A HPE 5130 24G PoE+ 4SFP+ 1-slot HI Switch
          o JH326A HPE 5130 48G PoE+ 4SFP+ 1-slot HI Switch
      o CVEs
          o CVE-2016-7427
          o CVE-2016-7428
          o CVE-2016-7431

HISTORY
Version:1 (rev.1) - 28 August 2018 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software products
should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hpe.com.

Report: To report a potential security vulnerability for any HPE supported
product:

  o Web Form: https://www.hpe.com/info/report-security-vulnerability

  o Email: security-alert@hpe.com

Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive

Software Product Category: The Software Product Category is represented in the
title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX

System management and security procedures must be reviewed frequently to
maintain system integrity. HPE is continually reviewing and enhancing the
security features of software products to provide customers with current secure
solutions.

"HPE is broadly distributing this Security Bulletin in order to bring to the
attention of users of the affected HPE products the important security
information contained in this Bulletin. HPE recommends that all users determine
the applicability of this information to their individual situations and take
appropriate action. HPE does not warrant that this information is necessarily
accurate or complete for all user situations and, consequently, HPE will not be
responsible for any damages resulting from user's use or disregard of the
information provided in this Bulletin. To the extent permitted by law, HPE
disclaims all warranties, either express or implied, including the warranties
of merchantability and fitness for a particular purpose, title and
non-infringement."

(C)Copyright 2018 Hewlett Packard Enterprise Development LP
Hewlett Packard Enterprise Development shall not be liable for technical or
editorial errors or omissions contained herein. The information provided is
provided "as is" without warranty of any kind. To the extent permitted by law,
neither HPE nor its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The information
in this document is subject to change without notice. Hewlett Packard
Enterprise Development and the names of Hewlett Packard Enterprise Development
products referenced herein are trademarks of Hewlett Packard Enterprise
Development in the United States and other countries. Other product and company
names mentioned herein may be trademarks of their respective owners.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW4d2kmaOgq3Tt24GAQgzZA//beVEoR5Z00PZNYRQPbYHGU3ORtcJP6dz
YDIJqgTfRkn6KCHl2qpgwOzoElmlDL8kGRBdMoVB49USVjtTan/IO7kj0lgSgBrm
oE2piL9xi3rlHtpwcJF5XU7KdB2y7UBXPQtTNL5W/GWHz1+8hDMVqDvGKKdinFOD
Kzc6VoHgQgLcq9pyFDBDl6K/Q78IOEc67IFKmBxn+AcBxKNYgbrnlTmaZv8PGFjN
QrUe+c7CPnZx3sD0JNTDHWgx+AkbzRSUG9bYiYG2bY2uSoCQqFtMwStc6rUrnIdn
Qahg6Hj33DKqQXWVSwLsHVyMWIQ/hhMbiaEyE6As8Nwylm8VRS+gG+aC8S7Vpi2d
7I0oQR8v1iRbOXpbAWG4RWtHtZu9eG1H+TagOAJb2Wtp5/+zhDIwaEa9AA44V4MI
M9TC6VI+BBbf3XKjLxRG8GQS1KtF1methJB7SYKtORcA9FrtX+xp1KlwgYyKZzhS
IhufDR0KqdWwjr9eH2+q/2EEXmwBNkumUo/pEDtQKq520XYjNMBLqABlEVD6R3AA
/UqZEeNXOoOspdDz8Yw7JiVZHfOvzrdZ5Wda9FR+WtExDuMwUNgnxbCZIpTH9bbW
F52TjgmGe/zD2uqOfu3cyWv/ZZWqz6Y8QfcT27Bixliyj7Iq5l+2fcFCbBKZeIel
B3znhopqkVM=
=jS9w
-----END PGP SIGNATURE-----

« Back to bulletins