HPE Community
MSA Storage
1819817 Members
3375 Online
109607 Solutions
New Discussion

CVE-2020-11022 CVE-2020-11023 on latest MSA 2060 FIrmware IN210P001

 
SOLVED
Go to solution
OppositeToUp
Occasional Visitor

‎11-27-2024 03:24 AM - last edited on ‎11-29-2024 01:10 AM by

‎11-27-2024 03:24 AM - last edited on ‎11-29-2024 01:10 AM by

CVE-2020-11022 CVE-2020-11023 on latest MSA 2060 FIrmware IN210P001

Good moring, 

We've had a vulnerability scan carried out and the two CVE's where found against our Controllers. The below post says that these vulnerabilities where addressed in firmware update IN110R001 released on July 5, 2021. However our Controllers are on IN210P001 which is the current firmware according to the HPE website. Could you please let me knwow what our options are for mitigations.

Solved: HP MSA 2060 Vulnerability Assessment - Hewlett Packard Enterprise Community

0 Kudos
Reply
4 REPLIES 4
support_s
System Recommended

‎11-27-2024 04:25 AM

‎11-27-2024 04:25 AM

Query: CVE-2020-11022 CVE-2020-11023 on latest MSA 2060 FIrmware IN210P001

System recommended content:

1. HPE MSA 2060 / 1060 - Supercapacitor has reached end of life event message in firmware version: INS100R02-01

 

Please click on "Thumbs Up/Kudo" icon to give a "Kudo".

 

Thank you for being a HPE valuable community member.


Accept or Kudo

0 Kudos
Reply
OppositeToUp
Occasional Visitor

‎11-27-2024 04:28 AM

‎11-27-2024 04:28 AM

Re: Query: CVE-2020-11022 CVE-2020-11023 on latest MSA 2060 FIrmware IN210P001

We're not seeing the error message Event ID 218 - Warning - The supercapacitor has reached end of life - after 30 min of runtime,

So I don't believe the article you've linked is related to what we're dealing with.

0 Kudos
Reply
ArunKKR
HPE Pro

‎11-29-2024 12:59 AM

‎11-29-2024 12:59 AM

Solution

Re: Query: CVE-2020-11022 CVE-2020-11023 on latest MSA 2060 FIrmware IN210P001

Hi,

 

The JQuery version on MSA controller firmware (IN210P001) is 3.2.1.
The  CVE-2020-11022 and CVE-2020-11023 are already patched on firmware IN110R001 without upgrading jquery version.
Any firmware installed after this version has the patch included to mitigate the above CVEs.
The CVE Scanner seems to be comparing the jQuery version which is 3.2.1 ( less than 3.5.0), hence reporting MSA IP as vulnerable, but not looking at the patching included in the MSA firmware code.



I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Accept or Kudo
0 Kudos
Reply
ronialvin
Visitor

‎11-29-2024 01:31 AM

‎11-29-2024 01:31 AM

Re: Query: CVE-2020-11022 CVE-2020-11023 on latest MSA 2060 FIrmware IN210P001

CVE-2020-11022 and CVE-2020-11023 are vulnerabilities in jQuery that are related to cross-site scripting (XSS). If an attacker can deceive a user into visiting a malicious website, these vulnerabilities can enable them to run arbitrary code on the user's browser.

Along with additional security improvements, updates to address these vulnerabilities are included in the most recent firmware, IN210P001, for the HPE MSA 2060 series. To make sure your system is secure, it's critical to update your firmware to the most recent version.

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.