SUPPORT COMMUNICATION – SECURITY BULLETIN
Document ID: hpesbhf03894en_us
Release Date: 2018-11-03
Last Updated: 2018-11-03
Potential Security Impact: Local: Bypass Security Restrictions
Source: Hewlett Packard Enterprise, HPE Product Security Response Team
A security vulnerability in HPE Integrated Lights-Out 5 (iLO 5) prior to v1.37 could be locally exploited to bypass the security restrictions for firmware updates.
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers – Prior to v1.37
CVSS Version 3.0 and Version 2.0 Base Metrics
| Reference | V3 Vector | V3 Base Score | V2 Vector | V2 Base Score |
Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002
HPE would like to thank Fabien Perigaud of Synacktiv, Joffrey Czarny of Medallia, and Alexandre Gazet of the Airbus Evaluation Team for reporting this issue to [email protected]
HPE has provided the following software updates and mitigation information to resolve the vulnerability in HPE Integrated Lights-Out 5 (iLO 5):
* Install HPE Integrated Lights-Out 5 (iLO 5) v1.37
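To find systems that still need this update, the following added example (not HPE code) classifies iLO firmware version strings against the v1.37 fix level named above. It assumes each host's Redfish Manager resource has already been collected and that its `FirmwareVersion` string has the form "iLO 5 v1.37"; the host names and sample data are constructed.

```python
import json
import re

FIXED = (1, 37)  # first fixed iLO 5 release according to this bulletin

# Assumed layout of the Redfish Manager "FirmwareVersion" string, e.g. "iLO 5 v1.37"
_VERSION_RE = re.compile(r"^iLO\s+(\d+)\s+v(\d+)\.(\d+)")


def classify(firmware_version):
    """Return 'vulnerable', 'fixed', 'not-ilo5' or 'unknown' for one version string."""
    if not isinstance(firmware_version, str):
        return "unknown"
    match = _VERSION_RE.match(firmware_version.strip())
    if not match:
        return "unknown"  # unparseable strings need manual review, never assume fixed
    generation, major, minor = (int(part) for part in match.groups())
    if generation != 5:
        return "not-ilo5"  # this bulletin lists only iLO 5 as impacted
    return "vulnerable" if (major, minor) < FIXED else "fixed"


def audit(inventory):
    """Map each host to its status, given {host: Redfish Manager document}."""
    return {host: classify(doc.get("FirmwareVersion")) for host, doc in inventory.items()}


# Constructed sample inventory (not real hosts or real responses)
SAMPLE_JSON = """
{
  "ilo-a.example": {"FirmwareVersion": "iLO 5 v1.30"},
  "ilo-b.example": {"FirmwareVersion": "iLO 5 v1.37"},
  "ilo-c.example": {"FirmwareVersion": "iLO 4 v2.60"},
  "ilo-d.example": {}
}
"""

if __name__ == "__main__":
    for host, status in sorted(audit(json.loads(SAMPLE_JSON)).items()):
        print(f"{host}: {status}")
```

Hosts reported as "unknown" should be checked by hand rather than treated as patched.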
Version: 1 (rev.1) – 2 November 2018 – Initial release