Main Vulnerability Database SB2023041307

SB2023041307 - Information disclosure in HPE System Management Homepage (SMH)

Published: April 13, 2023

Security Bulletin ID SB2023041307

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Information disclosure (CVE-ID: CVE-2016-0800)

The vulnerability allows a remote attacker to decrypt sensitive information.

The vulnerability exists due to usage of weak SSLv2 protocol, which requires to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data. A remote attacker can decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle.

The vulnerability is dubbed "DROWN" attack.

Remediation

Install update from vendor's website.

References

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=emr_na-c05096953