HPE OneView Vulnerability Let Attacker Bypass Authentication
- From: Vulnerability (cybersecuritynews.com)
Author: Guru
Three security flaws have been identified in Hewlett Packard Enterprise OneView software, which might be remotely exploited to allow authentication bypass, disclosure of sensitive information, and denial of service.
HPE OneView is an integrated IT infrastructure management software that automates IT operations and streamlines infrastructure lifecycle management, including computing, storage, and networking.
Vulnerabilities Disclosed
- CVE-2023-30908 – Remote Authentication Bypass
- CVE-2022-4304 – Disclosure of sensitive information
- CVE-2023-2650 – Denial of Service
CVE-2023-30908 – Remote Authentication Bypass
This vulnerability, with a CVSS score of 9.8, enables an attacker to bypass authentication and obtain unauthorized access to HPE OneView. The flaw is caused by the way HPE OneView manages user credentials.
An attacker might take advantage of this vulnerability by sending the HPE OneView server a specially crafted request.
The CVE-2023-30908 flaw was reported by Sina Kheirkhah (@SinSinology) of the Summoning Team (@SummoningTeam) in association with the Trend Micro Zero Day Initiative.
CVE-2022-4304 – Disclosure of Sensitive Information
A timing-based side channel in the RSA decryption implementation in OpenSSL may allow a remote attacker to recover sensitive information. An attacker might exploit this issue by sending an excessively large number of trial messages for decryption.
CVE-2023-2650 – Denial of Service
A remote attacker might exploit this issue to launch a denial of service (DoS) attack on HPE OneView. The flaw lies in the way OpenSSL handles the OBJ_obj2txt() function.
An attacker might take advantage of this flaw by sending a specially crafted request to the HPE OneView server.
Impacted Versions
HPE OneView – Prior to v8.5 and v6.60.05 patch
Fix Available
To address these vulnerabilities, HPE has released the following software updates, OneView v8.5 and the v6.60.05 patch:
- Hewlett Packard Enterprise OneView v8.5 or later
- Hewlett Packard Enterprise OneView v6.60.05 LTS
You can visit the HPE Support Center to download the latest software.
HPE has issued fixes for the impacted HPE OneView versions. To protect systems from these vulnerabilities, users should apply the updates as soon as feasible.
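The affected range above (prior to v8.5, or on the 6.60 LTS line prior to the 6.60.05 patch) is easy to misread when triaging an inventory of appliances. The following script is an added illustration, not HPE code or anything from the original article: it parses OneView version strings and reports which ones still fall inside the affected range. The dot-separated numeric version format (for example "8.4.0" or "v6.60.04") and the treatment of 7.x releases as simply "prior to v8.5" are assumptions; the advisory names no separate 7.x fix.

```python
"""Flag HPE OneView version strings that fall in the affected range named
in the advisory: prior to v8.5, or on the 6.60 LTS line prior to 6.60.05.
Added example, not HPE code; the version string format is an assumption."""

from typing import List, Tuple

# Fix lines taken from the advisory: 8.5 (or later) and the 6.60.05 LTS patch.
FIXED_MAINLINE: Tuple[int, ...] = (8, 5)
FIXED_LTS: Tuple[int, ...] = (6, 60, 5)
LTS_BRANCH: Tuple[int, ...] = (6, 60)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn "v6.60.04" or "8.5" into a comparable tuple of ints.
    A leading "v" and surrounding whitespace are tolerated; anything else
    non-numeric is rejected so a typo cannot silently read as 'fixed'."""
    cleaned = text.strip().lower().lstrip("v")
    parts = cleaned.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised OneView version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(text: str) -> bool:
    """True if the installed version is inside the advisory's affected range."""
    ver = parse_version(text)
    # 6.60 LTS line: patched at 6.60.05 and later.  Tuple comparison treats
    # a shorter prefix as smaller, so (6, 60) < (6, 60, 5) counts as affected.
    if ver[:2] == LTS_BRANCH:
        return ver < FIXED_LTS
    # Everything else is fixed only from 8.5 onward.  Assumption: a 7.x
    # release is "prior to v8.5" and therefore affected.
    return ver < FIXED_MAINLINE


def triage(versions: List[str]) -> List[Tuple[str, str]]:
    """Map an inventory of version strings to (version, verdict) pairs.
    Unparseable strings are reported as 'unknown' for manual review rather
    than silently dropped."""
    out: List[Tuple[str, str]] = []
    for v in versions:
        try:
            out.append((v, "affected" if is_affected(v) else "fixed"))
        except ValueError:
            out.append((v, "unknown"))
    return out


if __name__ == "__main__":
    # Constructed sample inventory, not data from any real deployment.
    inventory = ["8.4.0", "8.5", "8.6.1", "6.60.04", "6.60.05", "v6.60.10", "7.1", "n/a"]
    for version, verdict in triage(inventory):
        print(f"{version:>10}  {verdict}")
```

Feed `triage()` the version strings collected from each appliance; any "affected" or "unknown" result is a candidate for the v8.5 or v6.60.05 update from the HPE Support Center.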
#Cyber_Security_News #Vulnerability #cyber_security #Hewlett_Packard #oneview