
HPE Security Alert Concerning StoreServ Management Console Remote Authentication

Providing update to SSMC software 3.7.0.0

Security bulletin

Document ID: hpesbst04045en_us

Version: 1

HPESBST04045 rev.1 – HPE StoreServ Management Console (SSMC) Remote Authentication Bypass

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: October 23, 2020

Last Updated: October 24, 2020

Potential Security Impact: Remote: Authentication Bypass

Source: Hewlett Packard Enterprise, HPE Product Security Response Team

Vulnerability summary
HPE StoreServ Management Console (SSMC) 3.7.0.0 is an off node multiarray manager web application and remains isolated from data on the managed arrays. SSMC is vulnerable to remote authentication bypass.

References: CVE-2020-7197 – remote authentication bypass

Supported software versions (*): Only impacted versions are listed.
3PAR StoreServ Management and Core Software Media prior to 3.7.0.0

Background
HPE calculates CVSS using CVSS Version 3.1. If the score is provided from NIST, we will display Version 2.0, 3.0, or 3.1 as provided from NVD.

| Reference | V3 Vector | V3 Base Score | V2 Vector | V2 Base Score |
|---|---|---|---|---|
| CVE-2020-7197 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H | 10.0 | (AV:N/AC:L/Au:N/C:P/I:C/A:C) | 9.7 |

Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002

HPE acknowledges Elwood Buck from MindPoint Group for reporting the vulnerabilities to security-alert@hpe.com.

Resolution
HPE has provided an update to StoreServ Management Console (SSMC) software 3.7.0.0

  • Upgrade to HPE 3PAR StoreServ Management Console 3.7.1.1 or later

  • SSMC 3.7.1.1 is available for download from the Mylicense portal.

Note: For complete 3PAR and Primera SSMC compatibility lists, refer to the 3PAR and Primera Array Software section on the HPE SPOCK website.

History
Version: 1 (rev.1) – October 23, 2020 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running HPE software products should be applied in accordance with the customer’s patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact your normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com.

Report: To report a potential security vulnerability for any HPE supported product:

Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via email

Security Bulletin Archive: A list of recently released Security Bulletins is available
