HPESBHF03805 rev.4 - Certain HPE products using Microprocessors from Intel, AMD, and ARM, with Speculative Execution, Elevation of Privilege and Information Disclosure.

TBCS IT announces the following HPE Support Alert: 

 

Find more here

If you need any assistance please call us: +49 (0)5321 35 1000 or send an e-mail to sales@tbcs-it.de

 
SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: hpesbhf03805en_us

Version: 1

HPESBHF03805 rev.4 - Certain HPE products using Microprocessors from Intel, AMD, and ARM, with Speculative Execution, Elevation of Privilege and Information Disclosure.
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2018-01-05

Last Updated: 2018-01-09


Potential Security Impact: Local: Disclosure of Information, Elevation of Privilege

Source: Hewlett Packard Enterprise, HPE Product Security Response Team

VULNERABILITY SUMMARY

On January 3 2018, side-channel security vulnerabilities involving speculative execution were publicly disclosed. These vulnerabilities may impact the listed HPE products, potentially leading to information disclosure and elevation of privilege. Mitigation and resolution of these vulnerabilities may call for both an operating system update, provided by the OS vendor, and a system ROM update from HPE.

Note:

References:
  • PSRT110634
  • PSRT110633
  • PSRT110632
  • CVE-2017-5715 - aka Spectre, branch target injection
  • CVE-2017-5753 - aka Spectre, bounds check bypass
  • CVE-2017-5754 - aka Meltdown, rogue data cache load, memory access permission check performed after kernel memory read

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  • HPE ProLiant DL380 Gen10 Server prior to v1.28
  • HPE ProLiant DL180 Gen10 Server prior to v1.28
  • HPE ProLiant DL160 Gen10 Server prior to v1.28
  • HPE ProLiant DL360 Gen10 Server prior to v1.28
  • HPE ProLiant ML110 Gen10 Server prior to v1.28
  • HPE ProLiant DL580 Gen10 Server prior to v1.28
  • HPE ProLiant DL560 Gen10 Server prior to v1.28
  • HPE ProLiant DL120 Gen10 Server prior to v1.28
  • HPE ProLiant ML350 Gen10 Server prior to v1.28
  • HPE ProLiant XL450 Gen10 Server prior to v1.28
  • HPE ProLiant XL170r Gen10 Server prior to v1.28
  • HPE ProLiant BL460c Gen10 Server Blade prior to v1.28
  • HPE ProLiant XL230a Gen9 Server prior to v2.54
  • HPE ProLiant XL230k Gen10 Server prior to v1.28
  • HPE ProLiant XL730f Gen9 Server prior to v2.54
  • HPE ProLiant XL740f Gen9 Server prior to v2.54
  • HPE ProLiant XL750f Gen9 Server prior to v2.54
  • HPE ProLiant XL170r Gen9 Server prior to v2.54
  • HP ProLiant DL60 Gen9 Server prior to v2.54
  • HPE ProLiant XL450 Gen9 Server prior to v2.54
  • HP ProLiant DL160 Gen9 Server prior to v2.54
  • HPE Apollo 4200 Gen9 Server prior to v2.54
  • HP ProLiant BL460c Gen9 Server Blade prior to v2.54
  • HP ProLiant ML110 Gen9 Server prior to v2.54
  • HP ProLiant ML150 Gen9 Server prior to v2.54
  • HPE ProLiant ML350 Gen9 Server prior to v2.54
  • HP ProLiant DL380 Gen9 Server prior to v2.54
  • HP ProLiant DL120 Gen9 Server prior to v2.54
  • HPE ProLiant DL560 Gen9 Server prior to v2.54
  • HPE ProLiant XL270d Gen9 Special Server prior to v2.54
  • HP ProLiant BL660c Gen9 Server prior to v2.54
  • HPE ProLiant m710x Server Cartridge prior to v1.60
  • HPE ProLiant DL20 Gen9 Server prior to v2.52
  • HPE ProLiant DL385 Gen10 Server prior to v1.04
  • HPE Synergy 660 Gen9 Compute Module prior to v2.54
  • HPE Synergy 480 Gen10 Compute Module prior to v1.28
  • HPE Synergy 480 Gen9 Compute Module prior to v2.54
  • HPE ProLiant ML30 Gen9 Server prior to v2.52
  • HPE ProLiant XL190r Gen10 Server prior to v1.28
  • HPE ProLiant XL250a Gen9 Server prior to v2.54
  • HPE ProLiant XL190r Gen9 Server prior to v2.54
  • HP ProLiant DL80 Gen9 Server prior to v2.54
  • HPE ProLiant DL180 Gen9 Server prior to v2.54
  • HPE ProLiant XL270d Gen9 Accelerator Tray 2U Configure-to-order Server prior to v2.54
  • HPE ProLiant WS460c Gen9 Workstation prior to v2.54
  • HPE ProLiant DL580 Gen9 Special Server prior to v2.54
  • HPE Synergy 680 Gen9 Compute Modules prior to v2.54
  • HPE ProLiant XL260a Gen9 Server prior to 1/22/2018
  • HPE ProLiant m510 Server Cartridge prior to 1/22/2018
  • HPE ProLiant m710p Server Cartridge prior to 12/12/2017
  • HP ProLiant m350 Server Cartridge prior to 12/12/2017
  • HP ProLiant m300 Server Cartridge prior to 12/12/2017
  • HP ProLiant ML350e Gen8 Server prior to 12/12/2017
  • HPE ProLiant ML350e Gen8 v2 Server prior to 12/12/2017
  • HP ProLiant BL460c Gen8 Server prior to 12/12/2017
  • HP ProLiant BL660c Gen8 Server prior to 12/12/2017
  • HPE ProLiant SL4540 Gen8 1 Node Server prior to 12/12/2017
  • HP ProLiant DL380e Gen8 Server prior to 12/12/2017
  • HP ProLiant DL360e Gen8 Server prior to 12/12/2017
  • HP ProLiant ML350p Gen8 Server prior to 12/12/2017
  • HP ProLiant DL360p Gen8 Server prior to 12/12/2017
  • HP ProLiant DL380p Gen8 Server prior to 12/12/2017
  • HP ProLiant DL320e Gen8 Server prior to 12/12/2017
  • HPE ProLiant DL320e Gen8 v2 Server prior to 12/12/2017
  • HP ProLiant ML310e Gen8 Server prior to 12/12/2017
  • HPE ProLiant ML310e Gen8 v2 Server prior to 12/12/2017
  • HP ProLiant DL160 Gen8 Server prior to 12/12/2017
  • HP ProLiant SL270s Gen8 Server prior to 12/12/2017
  • HP ProLiant SL250s Gen8 Server prior to 12/12/2017
  • HP ProLiant SL230s Gen8 Server prior to 12/12/2017
  • HP ProLiant DL560 Gen8 Server prior to 12/12/2017
  • HPE ProLiant SL210t Gen8 Server prior to 12/12/2017
  • HP ProLiant DL580 Gen8 Server prior to 12/12/2017 (v1.98)
  • HP ProLiant ML10 Server prior to 12/12/2017
  • HP ProLiant m710 Server Cartridge prior to 12/12/2017 (v1.60)
  • HPE Synergy Composer prior to 12/12/2017
  • HPE Integrity Superdome X with BL920s Blades prior to 8.8.6
  • HPE Superdome Flex Server prior to 2.3.110
  • HP ProLiant DL360 Gen9 Server prior to v2.54
  • HPE Synergy 620 Gen9 Compute Module prior to v2.54
  • HPE ProLiant Thin Micro TM200 Server prior to 1/16/2017
  • HPE ProLiant ML350 Gen10 Server prior to v1.28
  • HP ProLiant BL420c Gen8 Server prior to 12/12/2017
  • HPE ProLiant ML10 v2 Server prior to 12/12/2017
  • HPE ProLiant MicroServer Gen8 prior to 12/12/2017
  • HPE Synergy 660 Gen10 Compute Module prior to v1.28

BACKGROUND

CVSS Version 3.0 and Version 2.0 Base Metrics
Reference
V3 Vector
V3 Base Score
V2 Vector
V2 Base Score
CVE-2017-5715
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
8.2
(AV:A/AC:L/Au:N/C:C/I:P/A:N)
6.8
CVE-2017-5753
CVSS:3.0/AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L
5.0
(AV:A/AC:M/Au:N/C:P/I:P/A:P)
5.4
CVE-2017-5754
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5
(AV:N/AC:L/Au:N/C:C/I:N/A:N)
7.8
Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002

RESOLUTION

HPE has made the following system ROM updates which include an updated microcode to resolve the vulnerability:

  • HPE has provided a customer bulletin https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00039267en_us with specific instructions to obtain the udpated sytem ROM

  • Note:

    • CVE-2017-5715 requires that the System ROM be updated and a vendor supplied operating system update be applied as well.
    • For CVE-2017-5753, CVE-2017-5754 require only updates of a vendor supplied operating system.
    • HPE will continue to add additional products to the list. Not all listed products have updated system ROMs yet. Impacted products awaiting system ROM updates are marked TBS (to be supplied).
HISTORY
  • Version:1 (rev.1) - 4 January 2018 Initial release
  • Version:2 (rev.2) - 5 January 2018 Added additional impacted products
  • Version:3 (rev.3) - 10 January 2018 Added more impacted products
  • Version:4 (rev.4) - 9 January 2018 Fixed product ID

Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com.

Report: To report a potential security vulnerability for any HPE supported product:

Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive

Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX

©Copyright 2018 Hewlett Packard Enterprise Company, L.P.
 
 

Passende Artikel

HPE ProLiant DL380 Gen9 E5-2620v3 1P 16GB-R P840ar/4GB P/N 752688-B21

HPE Renew - full warranty

Statt: 3.706,00 € * 2.399,00 € *

%
HPE ProLiant DL360 Gen9 E5-2603v3 1P 8GB-R B140i P/N: 755260-B21

HPE Renew - full warranty

Statt: 2.532,00 € * 1.375,00 € *

%
HPE ProLiant DL160 Gen9 E5-2603v3 1P 8GB-R 8xSFF Entry P/N: 769504-B21

HPE Renew - full warranty

Statt: 1.717,00 € * 950,00 € *

%
 
 

Kommentar schreiben

 

Die mit einem * markierten Felder sind Pflichtfelder.