#VU65933 Input validation error in HPE products - CVE-2022-28631


Vulnerability identifier: #VU65933

Vulnerability risk: High

CVSSv4.0: 6.3 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2022-28631

CWE-ID: CWE-20

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers
Hardware solutions / Firmware
HPE Apollo 2000 Gen10 Plus System
Hardware solutions / Firmware
HPE Apollo 4200 Gen10 Plus System
Hardware solutions / Firmware
HPE Apollo 4200 Gen10 Server
Hardware solutions / Firmware
HPE ProLiant XL420 Gen10 Server
Hardware solutions / Firmware
HPE Apollo 4510 Gen10 System
Hardware solutions / Firmware
HPE Apollo 6500 Gen10 Plus System
Hardware solutions / Firmware
HPE Apollo 6500 Gen10 System
Hardware solutions / Firmware
HPE Apollo n2600 Gen10 Plus
Hardware solutions / Firmware
HPE Apollo n2800 Gen10 Plus
Hardware solutions / Firmware
HPE Apollo r2000 Chassis
Hardware solutions / Firmware
HPE Apollo r2800 Gen10
Hardware solutions / Firmware
HPE Apollo r2600 Gen10
Hardware solutions / Firmware
HPE Edgeline e920 Server Blade
Hardware solutions / Firmware
HPE Edgeline e920d Server Blade
Hardware solutions / Firmware
HPE Edgeline e920t Server Blade
Hardware solutions / Firmware
HPE ProLiant DL20 Gen10 Plus server
Hardware solutions / Firmware
HPE ProLiant BL460c Gen10 Server Blade
Hardware solutions / Firmware
HPE ProLiant DL20 Gen10 Server
Hardware solutions / Firmware
HPE ProLiant DL110 Gen10 Plus Telco server
Hardware solutions / Firmware
HPE ProLiant DL120 Gen10 Server
Hardware solutions / Firmware
HPE ProLiant DL160 Gen10 Server
Hardware solutions / Firmware
HPE ProLiant DL180 Gen10 Server
Hardware solutions / Firmware
HPE ProLiant DL325 Gen10 Plus server
Hardware solutions / Firmware
HPE ProLiant DL325 Gen10 Plus v2 server
Hardware solutions / Firmware
HPE ProLiant DL325 Gen10 Server
Hardware solutions / Firmware
HPE ProLiant DL345 Gen10 Plus server
Hardware solutions / Firmware
HPE ProLiant DL360 Gen10 Plus server
Hardware solutions / Firmware
HPE ProLiant DL360 Gen10 Server
Hardware solutions / Firmware
HPE ProLiant DL365 Gen10 Plus server
Hardware solutions / Firmware
HPE ProLiant DL380 Gen10 Plus server
Hardware solutions / Firmware
HPE ProLiant DL380 Gen10 Server
Hardware solutions / Firmware
HPE ProLiant DL385 Gen10 Plus server
Hardware solutions / Firmware
HPE ProLiant DL385 Gen10 Plus v2 server
Hardware solutions / Firmware
HPE ProLiant DL385 Gen10 Server
Hardware solutions / Firmware
HPE ProLiant DL560 Gen10 Server
Hardware solutions / Firmware
HPE ProLiant DL580 Gen10 Server
Hardware solutions / Firmware
HPE ProLiant DX170r Gen10 server
Hardware solutions / Firmware
HPE ProLiant DX190r Gen10 server
Hardware solutions / Firmware
HPE ProLiant DX220n Gen10 Plus server
Hardware solutions / Firmware
HPE ProLiant DX325 Gen10 Plus v2 server
Hardware solutions / Firmware
HPE ProLiant DX360 Gen10 Plus server
Hardware solutions / Firmware
HPE ProLiant DX360 Gen10 server
Hardware solutions / Firmware
HPE ProLiant DX380 Gen10 Plus server
Hardware solutions / Firmware
HPE ProLiant DX380 Gen10 server
Hardware solutions / Firmware
HPE ProLiant DX385 Gen10 Plus server
Hardware solutions / Firmware
HPE ProLiant DX385 Gen10 Plus v2 server
Hardware solutions / Firmware
HPE ProLiant DX4200 Gen10 server
Hardware solutions / Firmware
HPE ProLiant DX560 Gen10 server
Hardware solutions / Firmware
HPE ProLiant e910 Server Blade
Hardware solutions / Firmware
HPE ProLiant e910t Server Blade
Hardware solutions / Firmware
HPE ProLiant m750 Server Blade
Hardware solutions / Firmware
HPE ProLiant MicroServer Gen10 Plus
Hardware solutions / Firmware
HPE ProLiant ML30 Gen10 Plus server
Hardware solutions / Firmware
HPE ProLiant ML30 Gen10 Server
Hardware solutions / Firmware
HPE ProLiant ML110 Gen10 Server
Hardware solutions / Firmware
HPE ProLiant ML350 Gen10 Server
Hardware solutions / Firmware
HPE ProLiant XL170r Gen10 Server
Hardware solutions / Firmware
HPE ProLiant XL190r Gen10 Server
Hardware solutions / Firmware
HPE ProLiant XL220n Gen10 Plus Server
Hardware solutions / Firmware
HPE ProLiant XL225n Gen10 Plus 1U Node
Hardware solutions / Firmware
HPE ProLiant XL230k Gen10 Server
Hardware solutions / Firmware
HPE ProLiant XL270d Gen10 Server
Hardware solutions / Firmware
HPE ProLiant XL290n Gen10 Plus Server
Hardware solutions / Firmware
HPE ProLiant XL450 Gen10 Server
Hardware solutions / Firmware
HPE ProLiant XL645d Gen10 Plus Server
Hardware solutions / Firmware
HPE ProLiant XL675d Gen10 Plus Server
Hardware solutions / Firmware
HPE ProLiant XL925g Gen10 Plus 1U 4-node Configure-to-order Server
Hardware solutions / Firmware
HPE Storage File Controller
Hardware solutions / Firmware
HPE Storage Performance File Controller
Hardware solutions / Firmware
HPE StoreEasy 1460 Storage
Hardware solutions / Firmware
HPE StoreEasy 1560 Storage
Hardware solutions / Firmware
HPE StoreEasy 1660 Expanded Storage
Hardware solutions / Firmware
HPE StoreEasy 1660 Performance Storage
Hardware solutions / Firmware
HPE StoreEasy 1660 Storage
Hardware solutions / Firmware
HPE StoreEasy 1860 Performance Storage
Hardware solutions / Firmware
HPE StoreEasy 1860 Storage
Hardware solutions / Firmware

Vendor: HPE

Description

The vulnerability allows a remote, unauthenticated attacker on the local network to execute arbitrary code on the system and perform a denial of service attack.

The vulnerability exists due to insufficient validation of user-supplied input (CWE-20) in the iLO 5 firmware. A remote attacker on the local network can trigger the vulnerability to execute arbitrary code on the system and perform a denial of service attack.

Mitigation
Install updates from the vendor's website: update the iLO 5 firmware to version 2.71 or later on every affected system listed below.

Vulnerable software versions

HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers: before 2.71

HPE Apollo 2000 Gen10 Plus System: before 2.71

HPE Apollo 4200 Gen10 Plus System: before 2.71

HPE Apollo 4200 Gen10 Server: before 2.71

HPE ProLiant XL420 Gen10 Server: before 2.71

HPE Apollo 4510 Gen10 System: before 2.71

HPE Apollo 6500 Gen10 Plus System: before 2.71

HPE Apollo 6500 Gen10 System: before 2.71

HPE Apollo n2600 Gen10 Plus: before 2.71

HPE Apollo n2800 Gen10 Plus: before 2.71

HPE Apollo r2000 Chassis: before 2.71

HPE Apollo r2800 Gen10: before 2.71

HPE Apollo r2600 Gen10: before 2.71

HPE Edgeline e920 Server Blade: before 2.71

HPE Edgeline e920d Server Blade: before 2.71

HPE Edgeline e920t Server Blade: before 2.71

HPE ProLiant DL20 Gen10 Plus server: before 2.71

HPE ProLiant BL460c Gen10 Server Blade: before 2.71

HPE ProLiant DL20 Gen10 Server: before 2.71

HPE ProLiant DL110 Gen10 Plus Telco server: before 2.71

HPE ProLiant DL120 Gen10 Server: before 2.71

HPE ProLiant DL160 Gen10 Server: before 2.71

HPE ProLiant DL180 Gen10 Server: before 2.71

HPE ProLiant DL325 Gen10 Plus server: before 2.71

HPE ProLiant DL325 Gen10 Plus v2 server: before 2.71

HPE ProLiant DL325 Gen10 Server: before 2.71

HPE ProLiant DL345 Gen10 Plus server: before 2.71

HPE ProLiant DL360 Gen10 Plus server: before 2.71

HPE ProLiant DL360 Gen10 Server: before 2.71

HPE ProLiant DL365 Gen10 Plus server: before 2.71

HPE ProLiant DL380 Gen10 Plus server: before 2.71

HPE ProLiant DL380 Gen10 Server: before 2.71

HPE ProLiant DL385 Gen10 Plus server: before 2.71

HPE ProLiant DL385 Gen10 Plus v2 server: before 2.71

HPE ProLiant DL385 Gen10 Server: before 2.71

HPE ProLiant DL560 Gen10 Server: before 2.71

HPE ProLiant DL580 Gen10 Server: before 2.71

HPE ProLiant DX170r Gen10 server: before 2.71

HPE ProLiant DX190r Gen10 server: before 2.71

HPE ProLiant DX220n Gen10 Plus server: before 2.71

HPE ProLiant DX325 Gen10 Plus v2 server: before 2.71

HPE ProLiant DX360 Gen10 Plus server: before 2.71

HPE ProLiant DX360 Gen10 server: before 2.71

HPE ProLiant DX380 Gen10 Plus server: before 2.71

HPE ProLiant DX380 Gen10 server: before 2.71

HPE ProLiant DX385 Gen10 Plus server: before 2.71

HPE ProLiant DX385 Gen10 Plus v2 server: before 2.71

HPE ProLiant DX4200 Gen10 server: before 2.71

HPE ProLiant DX560 Gen10 server: before 2.71

HPE ProLiant e910 Server Blade: before 2.71

HPE ProLiant e910t Server Blade: before 2.71

HPE ProLiant m750 Server Blade: before 2.71

HPE ProLiant MicroServer Gen10 Plus: before 2.71

HPE ProLiant ML30 Gen10 Plus server: before 2.71

HPE ProLiant ML30 Gen10 Server: before 2.71

HPE ProLiant ML110 Gen10 Server: before 2.71

HPE ProLiant ML350 Gen10 Server: before 2.71

HPE ProLiant XL170r Gen10 Server: before 2.71

HPE ProLiant XL190r Gen10 Server: before 2.71

HPE ProLiant XL220n Gen10 Plus Server: before 2.71

HPE ProLiant XL225n Gen10 Plus 1U Node: before 2.71

HPE ProLiant XL230k Gen10 Server: before 2.71

HPE ProLiant XL270d Gen10 Server: before 2.71

HPE ProLiant XL290n Gen10 Plus Server: before 2.71

HPE ProLiant XL450 Gen10 Server: before 2.71

HPE ProLiant XL645d Gen10 Plus Server: before 2.71

HPE ProLiant XL675d Gen10 Plus Server: before 2.71

HPE ProLiant XL925g Gen10 Plus 1U 4-node Configure-to-order Server: before 2.71

HPE Storage File Controller: before 2.71

HPE Storage Performance File Controller: before 2.71

HPE StoreEasy 1460 Storage: before 2.71

HPE StoreEasy 1560 Storage: before 2.71

HPE StoreEasy 1660 Expanded Storage: before 2.71

HPE StoreEasy 1660 Performance Storage: before 2.71

HPE StoreEasy 1660 Storage: before 2.71

HPE StoreEasy 1860 Performance Storage: before 2.71

HPE StoreEasy 1860 Storage: before 2.71
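Every affected product above ships the same fixed iLO 5 firmware, 2.71, so the practical check is the same for all of them: read the management controller's reported firmware version and compare it against 2.71. The following Python snippet, added here as an example and not part of the original advisory or of any HPE tooling, classifies Redfish Manager resources by that rule. It assumes the `FirmwareVersion` property of the Manager resource is a string of the form `iLO 5 v2.71` (this layout is an assumption); the sample records are constructed, not captured from real hardware.

```python
import re
from typing import Optional, Tuple

# Fixed version stated in the advisory: iLO 5 firmware 2.71.
FIXED_VERSION = (2, 71)

# Assumed layout of the Redfish Manager "FirmwareVersion" string, e.g. "iLO 5 v2.71".
# iLO versions use a two-digit minor (2.65, 2.71, 2.78), so integer comparison of
# (major, minor) is sufficient.
_ILO_RE = re.compile(r"^iLO\s+(?P<gen>\d+)\s+v(?P<major>\d+)\.(?P<minor>\d+)", re.IGNORECASE)


def parse_ilo_version(firmware_version: str) -> Optional[Tuple[int, int, int]]:
    """Return (generation, major, minor) or None when the string is not an iLO version."""
    m = _ILO_RE.match(firmware_version.strip())
    if not m:
        return None
    return int(m.group("gen")), int(m.group("major")), int(m.group("minor"))


def assess(manager_resource: dict) -> str:
    """Classify one Redfish Manager resource against the advisory.

    Returns "vulnerable" (iLO 5 below 2.71), "fixed" (iLO 5 at or above 2.71),
    "out-of-scope" (a different iLO generation) or "unknown" (unparseable input).
    """
    fw = manager_resource.get("FirmwareVersion")
    if not isinstance(fw, str):
        return "unknown"
    parsed = parse_ilo_version(fw)
    if parsed is None:
        return "unknown"
    gen, major, minor = parsed
    if gen != 5:
        return "out-of-scope"
    return "vulnerable" if (major, minor) < FIXED_VERSION else "fixed"


def summarize(managers: list) -> dict:
    """Count results per category over a list of (hostname, Manager resource) pairs."""
    counts = {"vulnerable": 0, "fixed": 0, "out-of-scope": 0, "unknown": 0}
    for _host, resource in managers:
        counts[assess(resource)] += 1
    return counts


# Constructed sample inventory; in practice these come from GET /redfish/v1/Managers/<id>.
SAMPLE_INVENTORY = [
    ("ilo-dl380-01", {"Id": "1", "FirmwareVersion": "iLO 5 v2.65"}),
    ("ilo-dl360-02", {"Id": "1", "FirmwareVersion": "iLO 5 v2.71"}),
    ("ilo-xl225n-03", {"Id": "1", "FirmwareVersion": "iLO 5 v2.78"}),
    ("ilo-gen9-legacy", {"Id": "1", "FirmwareVersion": "iLO 4 v2.80"}),
    ("bmc-unknown", {"Id": "1"}),
]

if __name__ == "__main__":
    for host, resource in SAMPLE_INVENTORY:
        print(f"{host:18} {resource.get('FirmwareVersion', '<none>'):14} {assess(resource)}")
    print(summarize(SAMPLE_INVENTORY))
```

The "unknown" bucket is deliberate: a host whose version cannot be parsed should be investigated rather than silently treated as patched.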


External links
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbhf04333en_us


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote, unauthenticated attacker via the local network (LAN).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
