Hewlett Packard Enterprise | a00106376en_us

Advisory: HPE Integrated Lights-Out 4 (iLO 4) - Qualys Scan Report Displaying iLO 4 Firmware v1.64 as Vulnerable to Ripple20 on HPE Integrity Superdome X Server Is a False Positive

Last update date:

3/8/2024

Affected products:

HPE Integrated Lights-Out 4 (iLO 4)

Affected releases:

No affected releases provided.

Fixed releases:

No fixed releases provided.

Description:

Info

The HPE Integrated Lights-Out 4 (iLO 4) firmware for the HPE Superdome X server includes a fix for the Ripple20 vulnerabilities in the TCP/IP stack as of iLO 4 firmware v1.64. The iLO 4 firmware that runs on HPE ProLiant Gen8 and HPE ProLiant Gen9 servers includes the fix as of iLO 4 firmware v2.75.

The Qualys vulnerability scanner currently uses the value of the PN (Product Name) tag in the XML output of iLO 4 to identify the product and the platform. Because the product name (PN) of iLO 4 is the same on HPE ProLiant servers and on HPE Integrity Superdome X servers, the scanner cannot distinguish between the two platforms and reports HPE Integrity Superdome X iLO 4 firmware v1.64 as vulnerable to the Ripple20 vulnerabilities (CVE-2020-11896, CVE-2020-11898, CVE-2020-11900, CVE-2020-11906, CVE-2020-11907, CVE-2020-11911, CVE-2020-11912, CVE-2020-11914).

Note: The iLO 4 firmware v1.64 in HPE Integrity Superdome X servers has the fix for these vulnerabilities, and the report is a false positive.

Links to the HPE security bulletins:

HPE ProLiant servers: HPESBHF04012 rev.3 - HPE Integrated Lights-Out 3 (iLO 3), Integrated Lights-Out 4 (iLO 4), and Integrated Lights-Out 5 (iLO 5), Ripple20 Multiple Vulnerabilities

HPE Integrity Superdome X servers: (Link will be added before Customer Advisory releases.)

Scope

Any iLO 4 firmware and HPE Integrity Superdome X server.

Resolution

If the Qualys report for iLO 4 firmware v1.64 (or later) displays the firmware as vulnerable to Ripple20 on an HPE Integrity Superdome X server, consider the report a false positive.

Firmware versions used by iLO 4:

HPE ProLiant Gen8 and HPE ProLiant Gen9 servers: iLO 4 v1.10 through iLO 4 v1.40, and iLO 4 v2.xx
HPE Integrity Superdome X servers: iLO 4 v1.5x and iLO 4 v1.6x

iLO 4 firmware versions that include the fix for the Ripple20 vulnerabilities:

HPE ProLiant Gen8 and HPE ProLiant Gen9 servers: iLO 4 v2.75 (and later)
HPE Integrity Superdome X servers: iLO 4 v1.64 (and later), Superdome X bundle version 8.8.38 (and later)

Either of the methods described in the Customer Advisory "HPE Superdome X - Identifying the Type of Server (HPE ProLiant or HPE Integrity Superdome X) That HPE Integrated Lights-Out 4 (iLO 4) Is Running On", or the following method, can be used to identify whether the iLO 4 is part of an HPE ProLiant server or an HPE Integrity Superdome X server:

1. Browse to the URI: https://<ilo_ip>/xmldata?item=all
2. In the XML output, if the value of the <PN> tag (Product Name) under the <MP> tag (Management Processor) is iLO 4, determine the server type from the value of the <SPN> tag (Server Product Name) under the <HSI> tag (Server Identification):
   - If the value is "ProLiant xxx Gen8/Gen9", it is an HPE ProLiant server.
   - If the value is "Superdome2 16s x86", it is an HPE Integrity Superdome X server.

If the Qualys vulnerability scan or similar scanners report iLO 4 v1.64 or later (firmware bundle 8.8.38 or later) on HPE Integrity Superdome X servers as vulnerable, the report is a false positive and does not require a board replacement or firmware update. Refer to the advisory description for details.

RECEIVE PROACTIVE UPDATES: Receive support alerts (such as Customer Advisories), as well as updates on drivers, software, firmware, and customer replaceable components, proactively via e-mail through HPE Subscriber's Choice. Sign up for Subscriber's Choice at the following URL: Proactive Updates Subscription Form.

NAVIGATION TIP: For hints on navigating HPE.com to locate the latest drivers, patches, and other support software downloads for HPE systems and Options, refer to the Navigation Tips document.

SEARCH TIP: For hints on locating similar documents on HPE.com, refer to the Search Tips Document.

To search for additional advisories related to iLO 4, use the following search string: +Advisory +ProLiant -"Software and Drivers" +iLO 4
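The platform check above can be automated when triaging scanner output across many iLOs. The following is an added example, not HPE's or Qualys' code: it parses the body returned by https://<ilo_ip>/xmldata?item=all, applies the <MP>/<PN> and <HSI>/<SPN> rules from the advisory, and compares the firmware revision against the fixed versions the advisory names (v2.75 for ProLiant Gen8/Gen9, v1.64 for Superdome X). The <FWRI> tag used for the firmware revision is an assumption (the advisory names only <PN> and <SPN>), and the two XML responses are constructed samples, not captured output.

```python
import re
import xml.etree.ElementTree as ET

# Minimum iLO 4 firmware versions that carry the Ripple20 fix, per the advisory:
# HPE ProLiant Gen8/Gen9 -> v2.75 and later; HPE Integrity Superdome X -> v1.64 and later.
RIPPLE20_FIXED_FROM = {
    "ProLiant": (2, 75),
    "Superdome X": (1, 64),
}


def parse_version(text):
    """Turn a firmware revision string such as '1.64' into a comparable tuple (1, 64).

    Tuple comparison keeps '1.64' above '1.6' and '2.75' above '2.7', which a plain
    string or float comparison would get wrong for some revisions.
    """
    m = re.match(r"\s*(\d+)\.(\d+)", text or "")
    if not m:
        raise ValueError(f"unrecognised firmware revision: {text!r}")
    return int(m.group(1)), int(m.group(2))


def classify_platform(spn):
    """Map the <HSI><SPN> value (Server Product Name) to the platform family."""
    if spn.startswith("Superdome2"):   # advisory: "Superdome2 16s x86"
        return "Superdome X"
    if "ProLiant" in spn:              # advisory: "ProLiant xxx Gen8/Gen9"
        return "ProLiant"
    return "unknown"


def triage(xml_text):
    """Decide whether a Ripple20 finding against this iLO is a false positive.

    Returns a dict with the product name, platform family, raw firmware revision
    and a verdict string a triage queue can key on.
    """
    root = ET.fromstring(xml_text)
    pn = root.findtext("MP/PN") or ""
    result = {"product": pn, "platform": None, "firmware": None, "verdict": None}
    if "iLO 4" not in pn:
        result["verdict"] = "not iLO 4: this advisory does not apply"
        return result

    platform = classify_platform(root.findtext("HSI/SPN") or "")
    # <FWRI> (firmware revision) is an assumed tag; the advisory only names <PN> and <SPN>.
    firmware = root.findtext("MP/FWRI") or ""
    result.update(platform=platform, firmware=firmware)

    fixed_from = RIPPLE20_FIXED_FROM.get(platform)
    if fixed_from is None:
        result["verdict"] = "unknown platform: confirm the server type manually"
    elif parse_version(firmware) >= fixed_from:
        result["verdict"] = "false positive: firmware already includes the Ripple20 fix"
    else:
        result["verdict"] = "genuine finding: firmware predates the Ripple20 fix"
    return result


# Constructed sample responses shaped like the xmldata?item=all output (not captured data).
SUPERDOME_X_FIXED = """<RIMP>
  <HSI><SPN>Superdome2 16s x86</SPN></HSI>
  <MP><PN>Integrated Lights-Out 4 (iLO 4)</PN><FWRI>1.64</FWRI></MP>
</RIMP>"""

PROLIANT_UNFIXED = """<RIMP>
  <HSI><SPN>ProLiant DL380 Gen9</SPN></HSI>
  <MP><PN>Integrated Lights-Out 4 (iLO 4)</PN><FWRI>2.73</FWRI></MP>
</RIMP>"""

if __name__ == "__main__":
    for sample in (SUPERDOME_X_FIXED, PROLIANT_UNFIXED):
        r = triage(sample)
        print(f"{r['platform']:<12} iLO 4 v{r['firmware']}: {r['verdict']}")
```

In practice the XML body would be fetched from each iLO's xmldata URI and passed to triage(); the constructed samples exercise the two outcomes the advisory describes, a Superdome X at v1.64 (false positive) and a ProLiant Gen9 below v2.75 (a finding that still needs the firmware update).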
