CFSN Detailed Analysis

Share this post

CFSN Detailed Analysis
New HPE Security Information Products
Copy link
Facebook
Email
Notes
More

New HPE Security Information Products

Patrick Coyle
May 13, 2024

Share this post

CFSN Detailed Analysis
New HPE Security Information Products
Copy link
Facebook
Email
Notes
More
1
Share

Last week HPE issued a series of new security publications looking at past security vulnerabilities that may have affected customers using HPE products. These publications are called “Hewlett Packard Enterprise Critical Product Security Vulnerability Alerts”. While this program appears to have started in August of 2023, on May 6th, 2024, published 43 specific alerts under this category. These reports do not appear to replace their standard security bulletins, but rather collects information from potentially multiple security bulletins and usually includes a product impact assessment for each vulnerability (restricted access to registered customers).

The current crop of 43 alerts includes:

  • CGI application vulnerability ("HTTPoxy") for PHP, Go, Python, and others,

  • Apache Software Log4j - Security Vulnerability,

  • Microarchitectural Data Sampling,

  • Intel Management Engine (ME) and Server Platform Services (SPS) Firmware Security Vulnerability,

  • AMD Processor Vulnerabilities,

  • Plundervolt Vulnerability,

  • UEFI BIOS Vulnerabilities Disclosed by Binarly,

  • Glibc "GHOST" Vulnerability,

  • Stack-Based Buffer Overflow in Glibc's Getaddrinfo(),

  • VENOM Vulnerability - CVE-2015-3456,

  • OpenSSL Alternative Chains Certificate Forgery Vulnerability,

  • TPM-FAIL Vulnerability (CVE-2019-16863),

  • Linux Kernel TCP SACK Panic Remote Denial of Service,

  • Intel Processor Security Vulnerability (aka “Memory Sinkhole”),

  • AMD Cross-Process Information Leak (CVE-2023-20593/Zenbleed),

  • Java Spring Vulnerabilities,

  • Apache Struts 2—Remote Code Execution Vulnerability,

  • UEFI Secure Boot Evasion Vulnerability aka BootHole Vulnerability,

  • AMI Aspeed Open BMC Reconfiguration and Security Override, aka Pantsdown,

  • ISC BIND TKEY query handling Vulnerability,

  • Dirty Pipe Linux Kernel Vulnerability,

  • OpenSSL 3.0.x X.509 punycode Vulnerabilities,

  • Cross-protocol Attack on TLS using SSLv2,

  • HPE Systems Insight Manager (SIM) Remote Code Execution,

  • Privilege Escalation Vulnerability in the Linux Kernel (“Dirty COW”),

  • HPE Integrated Lights-Out 4 iLOBleed –Security Vulnerability Exploiting Vulnerability,

  • GNU Bourne Again Shell (Bash) 'Shellshock' Vulnerability,

  • Intel Gather Data Sampling (GDS, Gather, Downfall) Issue,

  • SSLv3 POODLE Vulnerability,

  • Speculative Store Bypass Variant IV) CVE-2018-3639 & Rogue Register Load,

  • Ripple20 Vulnerability - Multiple Vulnerabilities Affecting the Treck TCP/IP Stack,

  • HTTP_PROXY Environment Variable Handling Vulnerability ("FalseCONNECT"),

  • L1 Terminal Fault–SGX (CVE-2018-3615), L1 Terminal Fault–OS, SMM,

  • CacheOut Vulnerability (CVE-2020-0548 and CVE-2020-0549),

  • WPA2 Key Reinstallation Attacks (aka "Krack Attack"),

  • Microsoft Windows WCry/WannaCry Ransomware MS17-010 Vulnerability,

  • UEFI Rootkit aka MoonBounce,

  • OpenSSL "Heartbleed" Vulnerability,

  • Side Channel Analysis Method (Spectre & Meltdown),

Share this post

CFSN Detailed Analysis
New HPE Security Information Products
Copy link
Facebook
Email
Notes
More
1
Share

Discussion about this post

No posts

Ready for more?

© 2024 Patrick Coyle
Privacy ∙ Terms ∙ Collection notice
Start WritingGet the app
Substack is the home for great culture

Share

Copy link
Facebook
Email
Notes
More