Release Date: 2018-08-14
Last Updated: 2018-08-15
Potential Security Impact: Remote: Denial of Service (DoS)
Source: Hewlett Packard Enterprise, HPE Product Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified in HPE Integrated Lights Out 4 and 5 (iLO 4,5). The vulnerability could be exploited remotely to allow denial of service.
References: CVE-2018-7101
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
- HPE Integrated Lights-Out 4 (iLO 4) – Prior to 2.60
- HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers – Prior to 1.30
BACKGROUND
CVSS Version 3.0 and Version 2.0 Base Metrics
| Reference | V3 Vector | V3 Base Score | V2 Vector | V2 Base Score |
|---|---|---|---|---|
| CVE-2018-7101 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 7.5 | (AV:N/AC:M/Au:N/C:N/I:N/A:C) | 7.1 |
Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002
Hewlett Packard Enterprise would like to thank Matias Soler, working with Immunity Inc. for reporting this vulnerability to [email protected]
RESOLUTION
HPE has made the following software updates and mitigation information to resolve the vulnerability in HPE Integrated Lights Out 4 and Integrated Lights 5. Please visit HPE Support Center to download the updates:
HISTORY
Version:1 (rev.1) – 14 August 2018 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer’s patch management policy.