BugZero found this defect 308 days ago.

Hewlett Packard Enterprise | a00131740en_us

Bulletin: (Revision) HPE Multiple Legacy Server Platforms - System SoftPaq Vulnerability CVE-2019-16283

Last update date:

3/5/2024

Affected products:

HPE ProLiant BL10e G2 Server Blade

HPE ProLiant BL10e Server Blade

HPE ProLiant BL20p G2 Server Blade

HPE ProLiant BL20p G3 Server Blade

HPE ProLiant BL20p G4 Server Blade

HPE ProLiant BL260c G5 Server Blade

HPE ProLiant BL280c G6 Server Blade

HPE ProLiant BL2x220c G5 Server Blade

HPE ProLiant BL2x220c G6 Server Blade

HPE ProLiant BL30p Server Blade

HPE ProLiant BL420c Gen8 Server Blade

HPE ProLiant BL460c G5 Server Blade

Affected releases:

No affected releases provided.

Fixed releases:

No fixed releases provided.

Description:

Info

Document Version | Release Date | Details
2 | July 17, 2023 | Added reference CVE, and edited for clarity.
1 | July 3, 2023 | Original Document Release.

A potential security vulnerability has been identified with HPE System SoftPaqs that can lead to arbitrary code execution.

Important: This issue only applies to the SoftPaq installer for HPE Gen9 or earlier legacy systems.

Scope

Any products that use SoftPaq utilities to update HPE Legacy Server Platforms.

Resolution

HPE recommends that customers delete any downloaded SoftPaqs for legacy systems, so that vulnerable components cannot be exploited. Software installed by the affected SoftPaqs does not need to be reinstalled; the problem is with the installer itself, not the installed software. Vulnerable SoftPaqs have been identified and removed from the HPE Support Center.

Note: For every firmware version on the web, HPE offers different types of smart components for flashing the update. There is also a smart component with a SoftPaq used to flash the firmware via a USB key. The smart component with the SoftPaq has been removed from the portal and will not be rebuilt. The other components of the same version without the SoftPaq are still available to customers for download.

For example, the System ROMPaq Firmware Upgrade for HPE Apollo 4200 Gen9/HPE ProLiant XL420 Gen9 (U19) Servers (For USB Key-Media) has been removed from the portal, while Online ROM Flash Component for Windows x64 - HPE Apollo 4200 Gen9/HPE ProLiant XL420 Gen9 (U19) Servers is still available.
