Hewlett Packard Enterprise Product Security Vulnerability Alerts
Hewlett Packard Enterprise incorporates IT industry best practices during the product development lifecycle to ensure a strong focus on security. HPE engineering and manufacturing practices are designed to meet product security requirements, protect HPE intellectual property, and support HPE product warranty requirements.
When a new industry-wide security vulnerability is released, HPE investigates its product line to determine the impact. For impacted products, Security Bulletins will be published. These bulletins will contain impacted product versions and the resolution (patch, upgrade, or configuration change).
You may subscribe to receive real-time notifications on future HPE Security Bulletins and advisories for your products - Subscribe to alerts for your products.
On October 19, 2016, a privilege escalation vulnerability in the Linux kernel was disclosed. A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. This flaw allows an unprivileged local user to gain write access to otherwise read-only memory mappings and thus gain increased privileges on the system. This vulnerability is referred to as “Dirty COW”. Additional information about this vulnerability is available at CVE-2016-5195.
On August 15th, 2016, a vulnerability referred to as “FalseCONNECT”, in the implementation of HTTP 407 (proxy authentication required) for the CONNECT method was disclosed. Since these requests are always made in plain text over HTTP, they are susceptible to man-in-the-middle attacks that may be leveraged to expose user credentials, and in some implementations, render HTML and scripts in the client DOM within a security context. The injection as well as tampering of 407 authentication headers in the context of the CONNECT method can subject a user to phishing as well as authentication downgrade attacks. Additional information about the vulnerability is available at CERT VU#905344.
Product Impact Assessment
On July 18th, 2016, a vulnerability in the handling of the HTTP_PROXY environment variable by web servers, web frameworks, and programming languages that run in CGI or CGI-like environments, referred to as HTTPoxy, was disclosed. The vulnerability stems from using user-supplied input to set the HTTP_PROXY environment variable without sufficient validation. This vulnerability could allow an unauthenticated, remote attacker to perform a man-in-the-middle (MITM) attack or redirect outbound traffic to an arbitrary server, which can cause disclosure of sensitive information. Additional information about this vulnerability is available at CVE-HTTPoxy.
Product Impact Assessment HTML
Product Impact Assessment Spreadsheet
On March 1st 2016, a new attack was released which is being referred to as DROWN - Decrypting RSA using Obsolete and Weakened eNcryption. This is a cross-protocol attack that exploits a vulnerability in SSLv2 to decrypt passively collected TLS sessions. Additional information about the vulnerability is available at CVE-2016-0800.
On February 16, 2016, a stack-based buffer overflow vulnerability in the GNU C library (glibc) was publicly disclosed. The flaw was discovered in the getaddrinfo() library function of glibc. Attackers may exploit applications that use this function to perform remote code execution on the affected device. Additional information about the vulnerability is available on the NIST website CVE-2015-7547.
Product Impact Assessment
On August 6th, 2015, at the Black Hat security conference in Las Vegas, security researcher Christopher Domas demonstrated installing a rootkit in a PC's firmware. Domas nicknamed the demonstration a “memory sinkhole”. The attack exploited a feature built into x86 chips manufactured from the mid-1990s until the 2011 release of Intel Xeon Processor E5-2600 Series (i.e., Sandy Bridge-EP).
The vulnerability exists in the Advanced Programmable Interrupt Controller (APIC), which could allow an attack against the System Management Mode (SMM) memory area used by the operating system to interface with the boot environment like BIOS, EFI, or UEFI. An attacker can exploit this vulnerability to utilize the most privileged of execution modes and potentially overwrite secure features in the boot environment. The demonstration exploit uses the UEFI code features to install a rootkit.
HPE has investigated the potential impact of this issue on our Enterprise products (i.e., Servers, Storage and Networking) and determined that HPE ProLiant Gen8 and Gen9-series servers are not vulnerable, as Intel previously addressed this design flaw in Intel Xeon Processor E5-2600 Series and subsequent models of server processors. Please note that Intel Xeon Processor E5-2600 Series are used in ProLiant Gen8 servers.
In addition, HPE has investigated the potential impact of this issue on HPE ProLiant G5, G6 and G7-series servers and determined they are not vulnerable to the specific attack demonstrated by Christopher Domas at the Black Hat security conference. Intel is providing a microcode update for these servers which will prevent a potential security breach, if an attempt is made to exploit this vulnerability. As an added measure of security, HPE plans to implement this microcode in updated ProLiant System ROMs, which will be made available for download on HPE Support Center, at no cost to customers.
What can you do?
Please check back for updates to this page regarding the availability of updated System ROMs for ProLiant G5, G6 and G7-series servers.
A vulnerability affecting DNS name servers based on ISC BIND was announced on July 28, 2015. This vulnerability could allow a remotely exploitable Denial of Service against name servers running ISC BIND. Additional information about the ISC BIND TKEY query handling vulnerability is available at CVE-2015-5477.
On July 9, 2015, OpenSSL disclosed a flaw in the way alternative certificate chains are verified. This only impacts versions of OpenSSL released since June 2015: v1.0.2c, v1.0.2b, v1.0.1o and v1.0.1n. Exploitation of this vulnerability could allow an attacker to bypass certain certificate validation checks, enabling them to issue an invalid certificate. Additional information about this vulnerability is available on the NIST web site CVE-2015-1793.
On May 13, 2015, a vulnerability was announced in the virtual floppy drive code used by many virtualization platforms. Exploitation of this vulnerability could allow an attacker to escape from the affected Virtual Machine (VM) guest and potentially execute code on the host. Additional information about the VENOM vulnerability is available on the NIST web site CVE-2015-3456.
On January 27, 2015, a buffer overflow vulnerability in the GNU C library (glibc) was publicly disclosed. The flaw was discovered in the gethostbyname set of functions of the GNU C library (glibc) and could be used to execute arbitrary code. Additional information about the vulnerability is available on the NIST web site CVE-2015-0235.
On October 14, 2014, a vulnerability in the SSLv3 protocol was released. Exploitation of this vulnerability could allow an attacker to decrypt portions of encrypted traffic via a POODLE (Padding Oracle on Downgraded Legacy Encryption) attack. Additional information about the SSLv3 POODLE vulnerability is available on the NIST web site CVE-2014-3566.
A recent Bash vulnerability affecting Unix-based operating systems, such as Linux and Mac OS X, was announced on September 24, 2014. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected system. More information about this issue is available at CVE-2014-7169.
On April 8, 2014, HP was notified of an OpenSSL vulnerability CVE-2014-0160 (now known as "Heartbleed"). This vulnerability has garnered a substantial amount of media attention. See the resources section for a link to the National Vulnerability Database entry describing the vulnerability in detail. OpenSSL is used in some HP products to provide encryption and SSL services.