topic Re: New CVE's in HPE SimpliVity

New CVE's

Brian_Galante — Wed, 20 Mar 2024 04:04:31 GMT

There is a vulnerability I was notified about for ESX. Can we install the ESXi7.0U3p update?

Or does HPE have a timeframe when we will be able to?

CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, CVE-2024-22255

https://www.vmware.com/security/advisories/VMSA-2024-0006.html

Re: New CVE's

Kipp_Glover — Tue, 19 Mar 2024 20:20:13 GMT

Good day Brian!

SimpliVity will shortly publish a Customer Notice on this most recent patch from VMware, ESXi 7.0 U3p.

SimpliVity plans to release a SimpliVity ESXi 7.0 U3p Custom Offline Bundle near the end of May 2024. If a customer cannot wait for the SimpliVity custom bundle we recommend they consume the patch directly from VMware. Refer to the ESXi 7.0 U3p release notes for installation. Our data shows that over 500 customer nodes have successfully installed the ESXi 7.0 U3p patch.

The SimpliVity Interoperability Guide will be updated once the SimpliVity ESXi 7.0 U3p Offline Custom Bundle is released.

Cheers!
/Kipp

Re: New CVE's

Omareid1 — Fri, 31 Jan 2025 06:43:23 GMT

Hi @Kipp_Glover
I have HPE esxi 8.0 syn , I didn’t find patch for this CVE’s please need your support

Re: New CVE's

Kipp_Glover — Fri, 31 Jan 2025 15:07:00 GMT

Good day Omareid1,

I assume when you say you have ESXi 8.0 syn, you are referring to the ESXi 8.0 Custom bundle for Synergy. I would recommend that you use the SimpliVity ESXi Custom bundles for SimpliVity. If you take a look at the Broadcom Security Advisory for these CVEs in the "Response Matrix", it is noted these vulnerabilities were fixed in ESXi 8.0 U1d (23299997) and ESXi 8.0 U2sb (23305545). Here is the link to the security advisory: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24266

Cheers!
/Kipp

Re: New CVE's

Omareid1 — Fri, 31 Jan 2025 15:56:05 GMT

Hi kipp

Thank you for reply..

Actually,I used ESXi 8.0 U1d (23299997) patch but i got Error “ profile ( updated )
HPE-custom-syn-AddOn_800.0.0.11.1.5- is missing component (s) Esxi.Make sure the image contains these component (s) at a version equal or higher than the version found in the Esxi release version 8.0.1”

Re: New CVE's

Kipp_Glover — Fri, 31 Jan 2025 16:50:02 GMT

That is the Synergy ESXi bundle you are using. You need to use the SimpliVity Custom ESXi Bundle. You can find the SimpliVity ESXi Custom bundles link on the SimpliVity Software Releases website.

SimpliVity runs on Proliant hardware; the error you see could be related to this.

Re: New CVE's

Omareid1 — Wed, 05 Feb 2025 08:30:36 GMT

Dear Kipp

Thanks for your replay..

I can use the below Synergy versions for close the vulnerabilities ?

BR,

OMAR

Re: New CVE's

Kipp_Glover — Wed, 05 Feb 2025 19:05:57 GMT

Hi Omar!

You should use the SimpliVity ESXi offline custom bundles. Don't use the Synergy bundles for SimpliVity.

/Kipp