Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-11993

A security vulnerability has been identified in HPE SimpliVity 380 Gen 9, HPE SimpliVity 380 Gen 10, HPE SimpliVity 380 Gen 10 G, HPE SimpliVity 2600 Gen 10, SimpliVity OmniCube, SimpliVity OmniStack for Cisco, SimpliVity OmniStack for Lenovo and SimpliVity OmniStack for Dell nodes. Two now deprecated APIs run as root, accept a file name path, and can be used to create or delete arbitrary files on the nodes. These APIs do not require user authentication and are accessible over the management network, resulting in remote availability and integrity vulnerabilities For all customers running HPE OmniStack version 3.7.9 and earlier. HPE recommends upgrading the OmniStack software to version 3.7.10 or later, which contains a permanent resolution. Customers and partners who can upgrade to 3.7.10 should upgrade at the earliest convenience. For all customers and partners unable to upgrade their environments to the recommended version 3.7.10, HPE has created a Temporary Workaround https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=mmr_sf-EN_US000061675&withFrame for you to implement. All customer should upgrade to the recommended 3.7.10 or later version at the earliest convenience.

Published

2020-01-03T18:15:09.640

Last Modified

2024-11-21T04:22:07.477

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:N/I:C/A:C

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Exploitability Score

10.0

Impact Score

9.2

Weaknesses

Type: Primary
NVD-CWE-noinfo

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	hp	simplivity_380_gen9_firmware	≤ 3.7.9	Yes
Hardware	hp	simplivity_380_gen9	-	No
Operating System	hp	simplivity_380_gen10_g_firmware	≤ 3.7.9	Yes
Hardware	hp	simplivity_380_gen10_g	-	No
Operating System	hp	simplivity_380_gen10_firmware	≤ 3.7.9	Yes
Hardware	hp	simplivity_380_gen10	-	No
Operating System	hp	simplivity_2600_gen10_firmware	≤ 3.7.9	Yes
Hardware	hp	simplivity_2600_gen10	-	No
Operating System	hp	simplivity_omnicube_firmware	≤ 3.7.9	Yes
Hardware	hp	simplivity_omnicube	-	No
Operating System	hp	simplivity_omnistack_for_dell_firmware	≤ 3.7.9	Yes
Hardware	hp	simplivity_omnistack_for_dell	-	No
Operating System	hp	simplivity_omnistack_for_cisco_firmware	≤ 3.7.9	Yes
Hardware	hp	simplivity_omnistack_for_cisco	-	No
Operating System	hp	simplivity_omnistack_for_lenovo_firmware	≤ 3.7.9	Yes
Hardware	hp	simplivity_omnistack_for_lenovo	-	No

References

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03955en_us Vendor Advisory ([email protected])
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03955en_us Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)