Server Management - Remote Server Management
cancel
Showing results for 
Search instead for 
Did you mean: 

iLO 4 Ripple20

 
SOLVED
Go to solution
Highlighted
Occasional Collector

iLO 4 Ripple20

Currently HP lists iLO 2 and 5 on this Ripple20 page but iLO 4 is not listed. is HP developing a patch for Ripple 20 for iLO 4 devices. (HP Gen 8 and Gen9 servers in our case)

https://techhub.hpe.com/eginfolib/securityalerts/Ripple20/Ripple20.html

 

8 REPLIES 8
Highlighted

Re: iLO 4 Ripple20

Our team was wondering this as well.  We have a bunch of iLo 3 and 4's showing up on our vulnerability reports, yet on the page you sent, they are not listed.  Does anyone know if HPE is working on updating these versions of iLo as well ? 

Highlighted
Frequent Visitor

Re: iLO 4 Ripple20

I reached out to HPE Support who sent me to HPE Cyber Security who sent me to the HPE Product Security Response Team.  They reported the following:

HPE product engineering teams are still in the process of evaluating Ripple20 product impacts, and implementing and testing patches for impacted products. HPE will not disclose impacted products until patches are available for them. HPE PSRT will issue or revise security bulletins and update the Security Vulnerability Alerts Ripple20 web page for impacted products when those patches become available.

It looks like it may be impacted, but HPE hasn't released a fix for it so they won't confirm it.  If you look more into the Nessus scan results, you will see that it's only reporting that the Treck stack was found on that device, but not that it was vulnerable.  Tenable has a blog post online that they will be releasing plugins for the individual vulnerabilities as they develop them.  You can see the list of vulnerabilities using this plugin search.  Right now, only 137702 is shown which just detects the stack, but the others should show up over time.

Highlighted
Occasional Collector

Re: iLO 4 Ripple20

thank you for reaching out to support on our behalf. we will be watching the page for sure.

Highlighted
HPE Pro

Re: iLO 4 Ripple20

Hello sir,

iLO 4 security feature Ripple20 is need to modify with firmware or write a protactive feature.

furtht to get the support on the ILO 4 ecureity fueature, kindly reach to HPE security support team.

HPE Integrated Lights Out (iLO 4) - Document List

https://internal.support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00043732en_us

HPE PRODUCT SECURITY PRACTICES

https://www.hpe.com/in/en/services/security-vulnerability.html

Thank you

Ravi swamy

I am a HPE Employee

Accept or Kudo

Highlighted
Frequent Visitor

Re: iLO 4 Ripple20

Ravi2019,

I contacted HPE support and no firmware or confirmation of the vulnerability is available.  They did confirm they are still reviewing some products and won't make any statements until a patch is available. The latest ILO 4 firmware is 4.73 which was released before the Ripple20 vulnerabilities were publicized. 

Highlighted
Advisor

Re: iLO 4 Ripple20

Hello Sir,

thanks for your update.

As the iLO security feature is not available, further to isolate and fix the security feature what I suggest log a support case with HPE.

Regards

Ravi swamy

I am a HPE Employee
Highlighted
Frequent Visitor

Re: iLO 4 Ripple20

Raviswamy,

As stated in my last reply, I did submit a support case. They said what I included in my replay to shenanigans above.

Highlighted
Frequent Visitor
Solution

Re: iLO 4 Ripple20

The HPE Product Security Team just notified me that HPE has confirmed the vulnerability with ILO 4 and released firmware 2.75 to fix it.  You can download the latest firmware from the HPE Support Center.