Operating System:

[Appliance]

Published:

13 February 2020

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0497
             Multiple Vulnerabilities in Various HPE Products
                             13 February 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Hewlett Packard Enterprise
Publisher:         Hewlett Packard Enterprise
Operating System:  Network Appliance
Impact/Access:     Denial of Service        -- Remote with User Interaction
                   Access Confidential Data -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11998 CVE-2019-11997 

Original Bulletin: 
   https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbhf03978en_us
   https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn03975en_us

Comment: This bulletin contains two (2) Hewlett Packard Enterprise security 
         advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: hpesbhf03978en_us

Version: 1

HPESBHF03978 rev.2 - HPE Superdome Flex Server, Multiple Remote Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as soon
as possible.

Release Date: 2020-02-08

Last Updated: 2020-02-08

Potential Security Impact: Remote: Multiple Vulnerabilities

Source: Hewlett Packard Enterprise, HPE Product Security Response Team

VULNERABILITY SUMMARY

HPE Superdome Flex Server is vulnerable to multiple remote vulnerabilities via
improper input validation of administrator commands. This vulnerability could
allow an Administrator to bypass security restrictions and access multiple
remote vulnerabilities including information disclosure, or denial of service.

References: CVE-2019-11998 - information disclosure

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HPE Superdome Flex Server Prior to v3.20.186 - Fix available in 3.20.206 (4
December 2019)

BACKGROUND

CVSS Version 3.0 and Version 2.0 Base Metrics

  Reference             V3 Vector           V3 Base      V2 Vector      V2 Base
                                             Score                       Score

CVE-2019-11998  CVSS:3.0/AV:N/AC:L/PR:H/    7.5       (AV:N/AC:L/Au:M/  8.0
                UI:R/S:C/C:H/I:L/A:H                  C:C/I:P/A:C)

Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002

RESOLUTION

HPE has provided firmware updates that address the above vulnerabilities for
the HPE Superdome Flex Server, starting with firmware version v3.20.186 (not
available online) and v3.20.206 (available online). Apply v3.20.206 (4 December
2019) or a newer version to resolve this issue.

  o Please visit

    HPE Support Center

    to obtain the updated firmware for your product.

HISTORY

  o Version:1 (rev.1) - 29 January 2020 Initial release
  o Version:2 (rev.2) - 7 February 2020 Removed incorrect reference to
    CVE-2018-12204, updated CVSS vector for CVE-2019-11998

Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software products
should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hpe.com.

Report: To report a potential security vulnerability for any HPE supported
product:

- ------------------------------------------------------------------------------

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: hpesbgn03975en_us

Version: 1

HPESBGN03975 rev.1 - HPE enhanced Internet Usage Manager (eIUM), Remote Cross
Site Scripting
NOTICE: The information in this Security Bulletin should be acted upon as soon
as possible.

Release Date: 2020-01-16

Last Updated: 2020-01-16

Potential Security Impact: Remote: Cross-Site Scripting (XSS)

Source: Hewlett Packard Enterprise, HPE Product Security Response Team

VULNERABILITY SUMMARY

A potential security vulnerability has been identified in HPE enhanced Internet
Usage Manager (eIUM) versions 8.3 and 9.0. The vulnerability could be used for
unauthorized access to information via cross site scripting.

References: CVE-2019-11997

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HPE enhanced Internet Usage Manager (eIUM) 8.3, 9.0

BACKGROUND

CVSS Version 3.0 and Version 2.0 Base Metrics

  Reference             V3 Vector           V3 Base      V2 Vector      V2 Base
                                             Score                       Score

CVE-2019-11997  CVSS:3.0/AV:N/AC:L/PR:N/    4.7       (AV:N/AC:M/Au:N/  4.3
                UI:R/S:C/C:N/I:L/A:N                  C:N/I:P/A:N)

Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002

Hewlett Packard Enterprise PSRT acknowledges Omur Ugur for reporting
CVE-2019-11997 to security-alert@hpe.com.

RESOLUTION

HPE has made the following software updates to resolve the vulnerability in
eIUM:

  o The eIUM 8.3 FP01 customers are advised to install
    eIUM83FP01Patch_QXCR1001711284.20190806-1244 patch.
  o The eIUM 9.0 customers are advised to upgrade to eIUM 9.0 FP02 PI5 or later
    versions.
  o For other versions, please, contact the product support.

HISTORY
Version:1 (rev.1) - 16 January 2020 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software products
should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hpe.com.

Report: To report a potential security vulnerability for any HPE supported
product:

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXkTQ2GaOgq3Tt24GAQg2Og//U3/0cITt9cABpJ6UyVvgz4a8Qhhs8F9O
2bRtNyBN24Nz8EN9lhIvO/PGRTdJ62TZ2uQkL1Q01wkDmIWZL4qhEgtbi+rzILmf
xsvAY2wjLOXqVdzHJgndH+pvAKEWS+BoNAkvSkbtJZrG4uqqxD42oxsrisjydTcX
Zm1Bb6E55NR9Yq8WI3qLdF06oqgXHLeNsrHCJJYnjnrr3QQ3RAcLRCzKhnmM/eZ+
KFNfeO9kX/tJvfj9uE4VbndKbpGfG1dTlOWXyM0MZfbL+rtHA2bA+VpYNG+9rN/A
wSVL2AgW6T1fCfcEbx1kar3/T0Y5OOWQQm7GmSR4hEYfWLVqln7Qq4MaVCfoilX4
HRu0aWuw+L0uoERlDd+JUAZT8jce41e9p1ku7eLGSLVoWuQrWAZPqezbKScZWg97
11hyDTklHl/3Rt5Mb+V8ffykul9BZ7IDhqL9wTK9E8AkeK0004HEI+zM7MqSrGom
/gCV6ytmD5h76TOa6UIz33+NeOi8FQ/VU6yAmBEaBNNqQAdeorTmfI4mwyPOyBFd
O2UurwPJdo6s7wsbTcguo4aOiR5tvGYME86rTviYD1CLdHaJ1qQle+s0wy0OhCpR
mV4xiUYqIT79tpVchsvbENhl2e/0tYy/CVj71E+WX/CyAR3QMEU7chuem6nxDHJQ
1BQXxtzoCwA=
=vrUg
-----END PGP SIGNATURE-----