HPE Support Alerts - Notice: HPE Integrated Lights-Out (iLO) - Security Scanning Tools May Give False Positive for Vulnerability Related to CSS Style Sheets Using Relative URLs

TBCS IT announces the following HPE Support Alert: 

SUPPORT COMMUNICATION - CUSTOMER NOTICE

Document ID: a00022038en_us

Version: 1

Notice: HPE Integrated Lights-Out (iLO) - Security Scanning Tools May Give False Positive for Vulnerability Related to CSS Style Sheets Using Relative URLs
NOTICE: The information in this document, including products and software versions, is current as of the Release Date. This document is subject to change without notice.

Release Date: 2017-08-15

Last Updated: 2017-08-15


DESCRIPTION

Some security scanning tools may report a security vulnerability against HPE Integrated Lights-Out (iLO) because its pages reference CSS style sheets by relative URLs. Scanners typically label this finding a "Path-relative Style Sheet Import Vulnerability." For iLO this report is a false positive: iLO is secured against such attacks.

Additional information regarding path-relative style sheet import (PRSSI) vulnerabilities is available at the following URLs:

https://portswigger.net/knowledgebase/issues/details/00200328_pathrelativestylesheetimport Non-HPE Site

And

http://blog.portswigger.net/2015/02/prssi.html Non-HPE Site


DETAILS

No action is needed. The report of the Path-relative Style Sheet Import Vulnerability is a false positive. iLO is secured against such attacks.

Although iLO does use relative style sheet URLs, that is only one of several conditions that must hold for this vulnerability to occur; exploiting iLO would require all of them. The main condition is that the web server answer a valid URL with bogus extra path segments appended (e.g. http://myValidUrl/html/login.htm/Fakepart) by serving the same page, so that the browser resolves the relative style sheet URL against the bogus path and ends up loading HTML as CSS. The iLO web server does *not* accept such requests; it rightly returns a 404. This alone blocks the vulnerability. The PortSwigger write-ups referenced above also note that, in modern browsers, the attack additionally requires the page to render in quirks mode (a page with a proper doctype is in standards mode and rejects a style sheet served with a non-CSS content type), and that an X-Content-Type-Options: nosniff response header defeats it outright.

If a security scanner reports this vulnerability, it has only detected the use of relative CSS URLs, which by itself is not sufficient for the "Path-relative Style Sheet Import Vulnerability" to occur.
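The triage the notice describes can be automated: besides spotting relative style sheet hrefs (all a scanner does), check whether the server serves the same page for a padded path, whether the page is in quirks mode, and whether nosniff is set. The following script is an added example written for this notice; it is not HPE or iLO code. The URL https://ilo.example/html/login.htm, the style sheet path css/style.css, the sample HTML and the two sample response pairs are constructed for illustration, and the /Fakepart probe suffix is the one the notice uses.

```python
"""Triage a scanner's PRSSI finding by checking its preconditions, not just the symptom.
Example code added for this notice (not HPE/iLO code); URLs and responses are constructed."""
import re
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from urllib.parse import urljoin


@dataclass
class HttpResponse:
    status: int
    headers: dict = field(default_factory=dict)   # header names lower-cased
    body: str = ""


_LINK_RE = re.compile(r"<link\b[^>]*>", re.I)


def _attr(tag, name):
    """Value of attribute `name` in an HTML start tag (quoted or bare), or None."""
    m = re.search(r"""\b%s\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""" % name, tag, re.I)
    return None if m is None else next(g for g in m.groups() if g is not None)


def relative_stylesheet_hrefs(html):
    """Stylesheet hrefs that are path-relative (no scheme, no leading '/').
    Only these resolve against the document's, possibly bogus, path."""
    found = []
    for tag in _LINK_RE.findall(html):
        rel, href = _attr(tag, "rel"), _attr(tag, "href")
        if rel is None or href is None or "stylesheet" not in rel.lower():
            continue
        if re.match(r"^(?:[a-z][a-z0-9+.\-]*:|/)", href, re.I) is None:
            found.append(href)
    return found


def resolved_stylesheet_url(page_url, href):
    """Where a browser fetches `href` from when the page was loaded at `page_url`."""
    return urljoin(page_url, href)


def has_doctype(html):
    """A leading <!DOCTYPE html> means standards mode, where browsers refuse to
    apply a style sheet served with a non-CSS Content-Type."""
    return re.match(r"\s*<!doctype\s+html\b", html, re.I) is not None


def has_nosniff(headers):
    return headers.get("x-content-type-options", "").strip().lower() == "nosniff"


def assess_prssi(page, suffixed):
    """page: response for the real URL; suffixed: response for the same URL with
    an extra path segment appended (the '/Fakepart' probe from the notice)."""
    rel_hrefs = relative_stylesheet_hrefs(page.body)
    same_page = (suffixed.status == 200 and bool(rel_hrefs)
                 and relative_stylesheet_hrefs(suffixed.body) == rel_hrefs)
    findings = {"relative_stylesheets": rel_hrefs, "suffix_served_same_page": same_page,
                "quirks_mode": not has_doctype(page.body), "nosniff": has_nosniff(page.headers)}
    if not rel_hrefs:
        verdict = "not applicable"
    elif not same_page:
        verdict = "false positive"        # server rejects the padded path (iLO answers 404)
    elif findings["nosniff"]:
        verdict = "mitigated by nosniff"
    elif not findings["quirks_mode"]:
        verdict = "standards mode only"   # needs a browser that ignores the style sheet MIME type
    else:
        verdict = "exploitable"
    findings["verdict"] = verdict
    return findings


def fetch(url, timeout=10, context=None):
    """GET `url`; 4xx/5xx responses are returned, not raised.  For an iLO with its
    self-signed certificate pass context=ssl.create_default_context(cafile="ilo-cert.pem")."""
    req = urllib.request.Request(url, headers={"User-Agent": "prssi-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=context) as r:
            return HttpResponse(r.status, {k.lower(): v for k, v in r.headers.items()},
                                r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return HttpResponse(e.code, {k.lower(): v for k, v in e.headers.items()},
                            e.read().decode("utf-8", "replace"))


def check_live(page_url, suffix="Fakepart", context=None):
    """Issue the real request and the padded-path probe against a host, then assess."""
    return assess_prssi(fetch(page_url, context=context),
                        fetch(page_url.rstrip("/") + "/" + suffix, context=context))


# Constructed sample responses (not captures from a real iLO).
LOGIN_HTML = ('<html><head><title>Login</title>'
              '<link rel="stylesheet" href="css/style.css"></head>'
              '<body>login form</body></html>')
ILO_LIKE = (HttpResponse(200, {"content-type": "text/html"}, LOGIN_HTML),
            HttpResponse(404, {"content-type": "text/html"}, "<html><body>404</body></html>"))
VULNERABLE = (HttpResponse(200, {"content-type": "text/html"}, LOGIN_HTML),
              HttpResponse(200, {"content-type": "text/html"}, LOGIN_HTML))

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                     # e.g. https://ilo.example/html/login.htm
        print(check_live(sys.argv[1], context=ssl.create_default_context()))
    else:
        print("iLO-like server:", assess_prssi(*ILO_LIKE)["verdict"])
        print("vulnerable server:", assess_prssi(*VULNERABLE)["verdict"])
```

Run without arguments it evaluates the two constructed response pairs: the iLO-like pair, where the padded path gets a 404, comes out as a false positive, while a server that serves the same page at /html/login.htm/Fakepart comes out as exploitable. resolved_stylesheet_url shows why the padded path matters: loaded from .../login.htm/Fakepart, the relative href css/style.css resolves to .../login.htm/css/style.css, a URL the attacker controls the tail of.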

NOTE: One or more of the links above will take you outside the Hewlett-Packard Enterprise web site. HPE does not control and is not responsible for information outside of the HPE web site.


RECEIVE PROACTIVE UPDATES: Receive support alerts (such as Customer Advisories), as well as updates on drivers, software, firmware, and customer replaceable components, proactively via e-mail through HPE Subscriber's Choice. Sign up for Subscriber's Choice at the following URL: Proactive Updates Subscription Form.

NAVIGATION TIP: For hints on navigating HPE.com to locate the latest drivers, patches, and other support software downloads for ProLiant servers and Options, refer to the Navigation Tips document.

SEARCH TIP: For hints on locating similar documents on HPE.com, refer to the Search Tips document.

To search for additional advisories related to iLO, use the following search string:

+Advisory +ProLiant -"Software and Drivers" +iLO


Hardware Platforms Affected: HPE ProLiant MicroServer Gen10, HPE ProLiant DL360 Gen10 Server, HPE ProLiant BL460c Gen10 Server Blade, HPE Synergy 660 Gen10 Compute Module, HPE ProLiant DL380 Gen10 Server, HPE ProLiant DL560 Gen10 Server, HPE ProLiant XL230k Gen10 Server, HPE ProLiant DL360 G7 Server, HPE ProLiant DL380 G7 Server, HPE ProLiant BL685c G7 Server Blade, HPE ProLiant DL385 G7 Server, HPE ProLiant BL465c G7 Server Blade, HPE ProLiant DL580 G7 Server, HPE ProLiant DL585 G7 Server, HPE ProLiant BL460c G7 Server Blade, HPE ProLiant SL390s G7 Server, HPE ProLiant DL980 G7 Server, HPE ProLiant BL2x220c G7 Server Blade, HPE ProLiant BL490c G7 Server Blade, HPE ProLiant BL620c G7 Server Blade, HPE ProLiant BL680c G7 Server Blade, HPE ProLiant SL335s G7 Server, HPE StoreEasy 3000 Gateway Storage Blade, HPE ProLiant DL120 G7 Server, HPE ProLiant ML110 G7 Server, HPE ProLiant SL230s Gen8 Server, HPE ProLiant SL250s Gen8 Server, HPE ProLiant SL270s Gen8 Server, HPE ProLiant BL460c Gen8 Server Blade, HPE ProLiant DL360p Gen8 Server, HPE ProLiant DL380p Gen8 Server, HPE ProLiant ML350p Gen8 Server, HPE ProLiant BL465c Gen8 Server Blade, HPE ProLiant BL420c Gen8 Server Blade, HPE ProLiant DL320e Gen8 Server, HPE ProLiant DL360e Gen8 Server, HPE ProLiant DL385p Gen8 Server, HPE ProLiant ML310e Gen8 Server, HPE ProLiant WS460c Gen8 Graphics Server Blade, HPE ProLiant ML350e Gen8 Server, HPE ProLiant DL380e Gen8 Server, HPE ProLiant BL660c Gen8 Server Blade, HPE ProLiant DL560 Gen8 Server, HPE ProLiant SL4545 G7 Server, HPE StoreEasy 1000 Storage, HPE StoreEasy 3000 Gateway Storage, HPE ProLiant DL320e Gen8 v2 Server, HPE ProLiant ML310e Gen8 v2 Server, HPE ProLiant MicroServer Gen8, HPE ProLiant ML10 Server, HPE ProLiant SL210t Gen8 Server, HPE ProLiant ML350e Gen8 v2 Server, HPE iLO Advanced, HPE ProLiant DL580 Gen8 Server, HPE ProLiant SL2500 Scalable System, HPE ProLiant XL220a Gen8 v2 Server, HPE ProLiant XL730f Gen9 Server, HPE ProLiant DL180 Gen9 Server, HPE ProLiant DL360 Gen9 Server, HPE ProLiant BL460c Gen9 Server Blade, HPE ProLiant DL380 Gen9 Server, HPE ProLiant ML350 Gen9 Server, HPE ProLiant XL230a Gen9 Server, HPE ProLiant XL250a Gen9 Server, HPE ProLiant XL740f Gen9 Server, HPE ProLiant XL750f Gen9 Server, HPE ProLiant DL120 Gen9 Server, HPE ProLiant ML150 Gen9 Server, HPE ProLiant ML10 v2 Server, HPE ProLiant ML110 Gen9 Server, HPE ProLiant XL170r Gen9 Server, HPE ProLiant XL190r Gen9 Server, HPE ProLiant WS460c Gen9 Graphics Server Blade, HPE ProLiant DL580 Gen9 Server
Operating Systems Affected: Not Applicable
Software Affected: Not Applicable
Support Communication Cross Reference ID: SIK2358
©Copyright 2017 Hewlett Packard Enterprise Company, L.P.