Hewlett Packard Enterprise (HPE) has published three security bulletins in the past few days. Almost all of them address critical security gaps in the web-based StoreServ Management Console (SSMC) , in the console AirWave Glass the network management solution AirWave from HPE’s subsidiary Aruba as well as in the BlueData EPIC software and the Ezmeral container platform.

A fourth, somewhat older bulletin from 12. October 2020 addresses several remote code execution gaps in the Intelligent Management Center ( iMC ) PLAT . In all cases there are patches and / or new software versions that should be installed promptly in view of the severity of the security vulnerabilities.

Unauthorized remote access possible The gap with the highest risk classification, namely a CVSS v3 score of 10. 0, is in the StoreServ Management Console (SSMC). According to HPE’s description, remote attackers could completely bypass authentication mechanisms via CVE – 2020 – 7197 to take control of vulnerable systems. The attack complexity is low, and existing access rights or interactions on the part of legitimate users are not required. An update to SMC 3.7.1.1 closes the hole in earlier versions.

The security holes described in the other bulletins come from CVE – 2020 – 7197 with CVSS-v3 scores from 8.8 to 9.9 upwards in terms of hazard potential very close. They can also be used remotely to extend existing access rights, execute any code or access information without authorization.

Vulnerable versions and Updates Information on vulnerable versions and available updates can be found in the security bulletins linked below:

HPE StoreServ Management Console (SSMC) Remote Authent