HPE OneView Software Plagued by Three Major Security Vulnerabilities

September 8, 2023

Hewlett Packard Enterprise's (HPE) OneView, software designed to streamline the management of data center infrastructure, has been found to contain three critical security vulnerabilities. These vulnerabilities could be exploited to bypass authentication, disclose sensitive information, or launch a denial of service attack.

The first vulnerability, a Remote Authentication Bypass Vulnerability (CVE-2023-30908), has a CVSS score of 9.8, indicating its severity. It permits an attacker to sidestep authentication procedures and gain unauthorized access to HPE OneView. The vulnerability stems from a flaw in the way HPE OneView processes user credentials. Exploitation involves an attacker sending a specifically designed request to the HPE OneView server. This vulnerability was reported by Sina Kheirkhah (@SinSinology) of the Summoning Team (@SummoningTeam) in partnership with Trend Micro's Zero Day Initiative.

The second vulnerability, an OpenSSL Information Disclosure Vulnerability (CVE-2022-4304), could enable a remote attacker to access sensitive data such as encryption keys and passwords. The flaw lies in how OpenSSL performs RSA decryption. An attacker can exploit this vulnerability by sending a specifically crafted request to the HPE OneView server.

The third vulnerability, an OpenSSL Denial of Service Vulnerability (CVE-2022-4304), could allow a remote attacker to mount a denial of service (DoS) attack against HPE OneView. This vulnerability arises from the way OpenSSL handles the OBJ_obj2txt() function. An attacker can exploit this vulnerability by sending a specifically crafted request to the HPE OneView server.

HPE has acknowledged these vulnerabilities and released patches for the affected versions of HPE OneView. Users are strongly advised to apply these patches promptly to safeguard their systems.
