PT-2020-9230 · Hewlett Packard · Hpe Simplivity 380 Gen10 H +7

Published: 2020-01-03 · Updated: 2020-01-17 · CVE-2019-11994

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

HPE SimpliVity 380 Gen 9
HPE SimpliVity 380 Gen 10
HPE SimpliVity 380 Gen 10 G
HPE SimpliVity 2600 Gen 10
SimpliVity OmniCube
SimpliVity OmniStack for Cisco
SimpliVity OmniStack for Lenovo
SimpliVity OmniStack for Dell nodes
HPE OmniStack versions prior to 3.7.10

Description

A security issue has been identified where an API used for executing a command manifest file during an upgrade does not correctly prevent directory traversal. This allows for the execution of manifest files in arbitrary locations on the node. The API does not require user authentication and is accessible over the management network, resulting in the potential for unauthenticated remote execution of manifest files.

Recommendations

For HPE OmniStack versions prior to 3.7.10, upgrade the OmniStack software to version 3.7.10 or later. If unable to upgrade to version 3.7.10, implement the Temporary Workaround provided by HPE. All customers should upgrade to the recommended 3.7.10 or later version at the earliest convenience.

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2019-11994

Affected Products

Hpe Omnistack
Hpe Simplivity 2600 Gen 10
Hpe Simplivity 380 Gen10 H
Hpe Simplivity 380 Gen9
Simplivity Omnicube
Simplivity Omnistack For Cisco
Simplivity Omnistack For Dell Nodes
Simplivity Omnistack For Lenovo