-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0497
              Multiple Vulnerabilities in Various HPE Products
                              13 February 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Hewlett Packard Enterprise
Publisher:         Hewlett Packard Enterprise
Operating System:  Network Appliance
Impact/Access:     Denial of Service        -- Remote with User Interaction
                   Access Confidential Data -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11998 CVE-2019-11997

Original Bulletin:
   https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbhf03978en_us
   https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn03975en_us

Comment: This bulletin contains two (2) Hewlett Packard Enterprise security
         advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: hpesbhf03978en_us
Version: 1

HPESBHF03978 rev.2 - HPE Superdome Flex Server, Multiple Remote Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as soon
as possible.

Release Date: 2020-02-08
Last Updated: 2020-02-08

Potential Security Impact: Remote: Multiple Vulnerabilities

Source: Hewlett Packard Enterprise, HPE Product Security Response Team

VULNERABILITY SUMMARY

HPE Superdome Flex Server is vulnerable to multiple remote vulnerabilities
caused by improper input validation of administrator commands. An
administrator could exploit these to bypass security restrictions, resulting
in information disclosure or denial of service.

References:

  o CVE-2019-11998 - information disclosure

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
  o HPE Superdome Flex Server - Prior to v3.20.186 - Fix available in
    3.20.206 (4 December 2019)

BACKGROUND

CVSS Version 3.0 and Version 2.0 Base Metrics

  Reference       V3 Vector                                      V3 Base  V2 Vector                     V2 Base
                                                                 Score                                  Score
  CVE-2019-11998  CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:H   7.5      (AV:N/AC:L/Au:M/C:C/I:P/A:C)  8.0

  Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002

RESOLUTION

HPE has provided firmware updates that address the above vulnerabilities for
the HPE Superdome Flex Server, starting with firmware version v3.20.186 (not
available online) and v3.20.206 (available online). Apply v3.20.206
(4 December 2019) or a newer version to resolve this issue.

  o Please visit HPE Support Center to obtain the updated firmware for your
    product.

HISTORY

  o Version:1 (rev.1) - 29 January 2020 Initial release
  o Version:2 (rev.2) - 7 February 2020 Removed incorrect reference to
    CVE-2018-12204, updated CVSS vector for CVE-2019-11998

Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hpe.com.

Report: To report a potential security vulnerability for any HPE supported
product:

- ------------------------------------------------------------------------------

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: hpesbgn03975en_us
Version: 1

HPESBGN03975 rev.1 - HPE enhanced Internet Usage Manager (eIUM), Remote Cross
Site Scripting

NOTICE: The information in this Security Bulletin should be acted upon as soon
as possible.
Release Date: 2020-01-16
Last Updated: 2020-01-16

Potential Security Impact: Remote: Cross-Site Scripting (XSS)

Source: Hewlett Packard Enterprise, HPE Product Security Response Team

VULNERABILITY SUMMARY

A potential security vulnerability has been identified in HPE enhanced
Internet Usage Manager (eIUM) versions 8.3 and 9.0. The vulnerability could be
used for unauthorized access to information via cross-site scripting.

References:

  o CVE-2019-11997

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  o HPE enhanced Internet Usage Manager (eIUM) 8.3, 9.0

BACKGROUND

CVSS Version 3.0 and Version 2.0 Base Metrics

  Reference       V3 Vector                                      V3 Base  V2 Vector                     V2 Base
                                                                 Score                                  Score
  CVE-2019-11997  CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N   4.7      (AV:N/AC:M/Au:N/C:N/I:P/A:N)  4.3

  Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002

Hewlett Packard Enterprise PSRT acknowledges Omur Ugur for reporting
CVE-2019-11997 to security-alert@hpe.com.

RESOLUTION

HPE has made the following software updates to resolve the vulnerability in
eIUM:

  o eIUM 8.3 FP01 customers are advised to install the
    eIUM83FP01Patch_QXCR1001711284.20190806-1244 patch.
  o eIUM 9.0 customers are advised to upgrade to eIUM 9.0 FP02 PI5 or a later
    version.
  o For other versions, please contact product support.

HISTORY

  Version:1 (rev.1) - 16 January 2020 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hpe.com.
Report: To report a potential security vulnerability for any HPE supported
product:

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXkTQ2GaOgq3Tt24GAQg2Og//U3/0cITt9cABpJ6UyVvgz4a8Qhhs8F9O
2bRtNyBN24Nz8EN9lhIvO/PGRTdJ62TZ2uQkL1Q01wkDmIWZL4qhEgtbi+rzILmf
xsvAY2wjLOXqVdzHJgndH+pvAKEWS+BoNAkvSkbtJZrG4uqqxD42oxsrisjydTcX
Zm1Bb6E55NR9Yq8WI3qLdF06oqgXHLeNsrHCJJYnjnrr3QQ3RAcLRCzKhnmM/eZ+
KFNfeO9kX/tJvfj9uE4VbndKbpGfG1dTlOWXyM0MZfbL+rtHA2bA+VpYNG+9rN/A
wSVL2AgW6T1fCfcEbx1kar3/T0Y5OOWQQm7GmSR4hEYfWLVqln7Qq4MaVCfoilX4
HRu0aWuw+L0uoERlDd+JUAZT8jce41e9p1ku7eLGSLVoWuQrWAZPqezbKScZWg97
11hyDTklHl/3Rt5Mb+V8ffykul9BZ7IDhqL9wTK9E8AkeK0004HEI+zM7MqSrGom
/gCV6ytmD5h76TOa6UIz33+NeOi8FQ/VU6yAmBEaBNNqQAdeorTmfI4mwyPOyBFd
O2UurwPJdo6s7wsbTcguo4aOiR5tvGYME86rTviYD1CLdHaJ1qQle+s0wy0OhCpR
mV4xiUYqIT79tpVchsvbENhl2e/0tYy/CVj71E+WX/CyAR3QMEU7chuem6nxDHJQ
1BQXxtzoCwA=
=vrUg
-----END PGP SIGNATURE-----