Release Date: 2018-08-14

Last Updated: 2018-08-15


Potential Security Impact: Remote: Denial of Service (DoS)

Source: Hewlett Packard Enterprise, HPE Product Security Response Team

VULNERABILITY SUMMARY

A potential security vulnerability has been identified in HPE Integrated Lights Out 4 and 5 (iLO 4,5). The vulnerability could be exploited remotely to allow denial of service.

References: CVE-2018-7101

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  • HPE Integrated Lights-Out 4 (iLO 4) – Prior to 2.60
  • HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers – Prior to 1.30
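An added example, not part of the HPE bulletin: a Python check that triages a firmware inventory against the two version thresholds listed above. The "iLO <generation> v<major>.<minor>" string shape, the host names and the sample inventory are assumptions constructed for illustration.

```python
import re

# First fixed release per iLO generation, from the bulletin's impacted list
# ("Prior to 2.60" for iLO 4, "Prior to 1.30" for iLO 5).
FIXED = {4: (2, 60), 5: (1, 30)}

# Assumed firmware string shape, e.g. "iLO 4 v2.55". A two-digit minor is
# required so a truncated value such as "2.6" is sent to manual review
# instead of being compared as if it were 2.06 or 2.60.
FW_RE = re.compile(r"iLO\s*(\d+)\s+v?(\d+)\.(\d{2})\b", re.IGNORECASE)


def classify(fw_string):
    """Return 'impacted', 'fixed', 'not-listed' or 'unparsed'."""
    m = FW_RE.search(fw_string)
    if not m:
        return "unparsed"
    gen, major, minor = (int(g) for g in m.groups())
    if gen not in FIXED:
        return "not-listed"  # generation not covered by this bulletin
    # Integer tuples avoid the ordering mistakes of float or string compares.
    return "impacted" if (major, minor) < FIXED[gen] else "fixed"


def triage(inventory_text):
    """Map each host in 'host,firmware' lines to its classification."""
    results = {}
    for line in inventory_text.strip().splitlines():
        host, _, fw = line.partition(",")
        results[host.strip()] = classify(fw)
    return results


# Constructed sample inventory (hypothetical hosts and values).
SAMPLE = """
bmc-01,iLO 4 v2.55
bmc-02,iLO 4 v2.60
bmc-03,iLO 5 v1.15
bmc-04,iLO 5 v1.30
bmc-05,iLO 3 v1.90
bmc-06,iLO 4 v2.6
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```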

BACKGROUND

CVSS Version 3.0 and Version 2.0 Base Metrics

  • Reference: CVE-2018-7101
  • V3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • V3 Base Score: 7.5
  • V2 Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
  • V2 Base Score: 7.1

Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002

Hewlett Packard Enterprise would like to thank Matias Soler, working with Immunity Inc., for reporting this vulnerability to [email protected]

RESOLUTION

HPE has made the following software updates and mitigation information available to resolve the vulnerability in HPE Integrated Lights Out 4 and Integrated Lights Out 5. Please visit the HPE Support Center to download the updates:

https://support.hpe.com/hpesc/public/home

HISTORY

Version: 1 (rev.1) – 14 August 2018 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer’s patch management policy.