HPE SimpliVity

New iLO 4 and iLO 5 firmware for security vulnerabilities

 
Kipp_Glover
HPE Pro

Good day all! Just yesterday (May 18, 2021) a SimpliVity Security Bulletin was released. There is new iLO 4 and iLO 5 firmware (2.78 and 2.44) to address multiple remote and local vulnerabilities.

VULNERABILITY SUMMARY

Multiple potential security vulnerabilities have been identified in HPE Integrated Lights-Out 5 (iLO 5) and HPE Integrated Lights-Out 4 (iLO 4). The vulnerabilities are XSS, CR-LF injection, DOM XSS and several buffer overflow vulnerabilities. The XSS, CR-LF injection and DOM XSS are against authenticated privileged iLO users of the iLO web interface. The iLO buffer overflow vulnerabilities can be exploited by a privileged user on a host OS to execute code on the iLO as a privileged user.

For details and resolution, please refer to the security bulletin: https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbhf04134en_us

The iLO firmware can be applied on top of 4.1.0, 4.0.1 U1 & 3.710 U1 OmniStack Versions.

Cheers!
/Kipp

I work for HPE
Mohsina_4
HPE Pro

Re: New iLO 4 and iLO 5 firmware for security vulnerabilities

Hi @Kipp_Glover ,

Thank you so much for posting this information and I am sure this would be of great use to our customers.

Regards,

Mohsina
