Good day all! Just yesterday (May 18, 2021) a SimpliVity Security Bulletin was released. There is new iLO 4 and iLO 5 firmware (2.78 and 2.44) to address multiple remote and local vulnerabilities.
VULNERABILITY SUMMARY
Multiple potential security vulnerabilities have been identified in HPE Integrated Lights-Out 5 (iLO 5) and HPE Integrated Lights-Out 4 (iLO 4). The vulnerabilities are XSS, CR-LF injection, DOM XSS and several buffer overflow vulnerabilities. The XSS, CR-LF injection and DOM XSS are against authenticated privileged iLO users of the ILO web interface. The iLO buffer overflow vulnerabilities can be exploited by a privileged user on a host OS to run code on the iLO as a privileged user.
For details and resolution, please refer to the security bulletin: https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbhf04134en_us
The iLO firmware can be applied on top of 4.1.0, 4.0.1 U1 & 3.710 U1 OmniStack Versions.
Cheers!
/Kipp
I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Hi @Kipp_Glover ,
Thank you so much for posting this information and I am sure this would be of great use to our customers.
Regards,
Mohsina
To add to B0ris' post, the firmware for the ilo is available in the support portal. Just sign in to your account and click on my software.
While I am an HPE Employee, all of my comments (whether noted or not), are my own and are not any official representation of the company