Cyber Security News

HPE OneView Vulnerability Let Attacker Bypass Authentication

by Esmeralda McKenzie
written by Esmeralda McKenzie
HPE OneView Vulnerability Let Attacker Bypass Authentication

HPE OneView Vulnerability Let Attacker Bypass Authentication

HPE OneView Vulnerability Let Attacker Bypass Authentication

In the Hewlett Packard Endeavor OneView Tool, three security flaws were identified, which would be remotely exploited to enable authentication bypass, disclosure of easy data, and denial of carrier.

HPE OneView is an constructed-in IT infrastructure administration software program that automates IT operations and streamlines infrastructure lifecycle administration, including computing, storage, and networking.

EHA

Vulnerabilities Disclosed

  • CVE-2023-30908 – Some distance-off Authentication Bypass
  • CVE-2022-4304 –  Disclosure of easy data
  • CVE-2023-2650 – Denial of Provider

CVE-2023-30908 – Some distance-off Authentication Bypass

This vulnerability, with a CVSS get of 9.8, enables an attacker to bypass authentication and form unauthorized entry to HPE OneView. The flaw is brought about by the fashion HPE OneView manages individual credentials.

An attacker would possibly perchance well make basically the most of this vulnerability by sending the HPE OneView server a specially crafted question.

The CVE-2023-30908 flaw was once reported by Sina Kheirkhah (@SinSinology) of the Summoning Personnel (@SummoningTeam) in association with the Development Micro Zero Day Initiative.

CVE-2022-4304 –  Disclosure of Sensitive Recordsdata

A timing-essentially essentially based fully aspect channel in the RSA Decryption implementation in OpenSSL would possibly perchance well moreover simply enable a faraway attacker to gain easy data. An attacker would possibly perchance well exploit this assert by sending a very gorgeous different of trial messages for decryption.

CVE-2023-2650 – Denial of Provider

A faraway attacker would possibly perchance well exploit this assert to begin a denial of carrier (DoS) assault on HPE OneView. The flaw is in the fashion OpenSSL handles the OBJ_obj2txt() components.

An attacker would possibly perchance well make basically the most of this flaw by sending a specially crafted question to the HPE OneView server.

Impacted Variations

HPE OneView – Earlier to v8.5 and v6.60.05 patch

Fix Accessible

To take care of these vulnerabilities in the Hewlett Packard Endeavor OneView Version 8.5 and 6.60.05 patch, HPE has released the following software program upgrade.

  • Hewlett Packard Endeavor OneView v8.5 or later
  • Hewlett Packard Endeavor OneView v6.60.05 LTS

You would possibly perchance possibly moreover discuss over with the HPE Toughen Center to score basically the latest software program.

HPE has issued fixes for the impacted HPE OneView versions. To give protection to programs from these vulnerabilities, customers ought to soundless apply the updates as rapidly as feasible.

Preserve rapid about basically the latest Cyber Security News by following us on Google News, Linkedin, Twitter, and Facebook.

Source credit : cybersecuritynews.com

Related Posts

Google Chrome 127 Released With Fix for Vulnerabilities...

CrowdStrike Details Incident Affected Millions of Windows Systems...

IPFire Unveils New Feature to Protect Systems from...

Play Ransomware Variant Attacking Linux ESXi Servers

Google Researchers Detailed Tools Used by APT41 Hacker...

Threat Actors Hijacking Facebook Accounts With Password Stealing...

Weekly Cyber Security News Letter – Data Breaches,...

CrowdStrike Releases Fix for Updates Causing Windows to...

Cisco Smart Software Manager Flaw Let Attackers Change...

Killer Ultra Malware Attacking EDR Tools From Symantec,...