
Alerts

Out-of-Bounds Write Vulnerability in HPE ProLiant DL/ML/SY/XL and Alletra Servers (CVE-2021-38578)

Advisory No: TZCERT/SA/2024/07/26-1

Date of First Release: 26th July 2024

Source: Hewlett-Packard (HP)

Software Affected: HPE ProLiant DL/ML/SY/XL, Alletra Servers, HPE Synergy, HPE Edgeline, HPE Compute Edge Server

Overview:

HPE ProLiant DL/ML/SY/XL, Alletra Servers, HPE Synergy, HPE Edgeline, and HPE Compute Edge Server are affected by a critical-severity vulnerability. An attacker can leverage the vulnerability to cause a buffer overflow.

Description:

The critical-severity vulnerability affecting several HP products has a CVSS score of 9.8 and is tracked as CVE-2021-38578. It results from the existing CommBuffer checks in SmmEntryPoint not catching an underflow when computing BufferSize. Successful exploitation of this vulnerability could allow an attacker to cause a buffer overflow, which may lead to code execution on the affected device.
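The class of bug described above, as a simplified C model added to this advisory (it is not HPE's or the firmware's code): the message layout, the function names and the assumption that the size is computed by subtracting a fixed header length are all hypothetical, chosen only to show why an unsigned size computation needs a lower-bound check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical message layout: fixed header followed by payload bytes. */
typedef struct {
    uint8_t  guid[16];
    uint64_t message_length;
    uint8_t  data[1];
} comm_header_t;

#define HEADER_SIZE offsetof(comm_header_t, data) /* 24 bytes */

/* Before: no lower bound on buffer_size. size_t is unsigned, so a
 * buffer shorter than the header wraps around to a huge payload size. */
size_t payload_size_unchecked(size_t buffer_size)
{
    return buffer_size - HEADER_SIZE;
}

/* After: reject buffers that cannot hold the header, and buffers larger
 * than the region the caller is allowed to describe (max_size), before
 * doing the subtraction. */
bool payload_size_checked(size_t buffer_size, size_t max_size, size_t *out)
{
    if (buffer_size < HEADER_SIZE || buffer_size > max_size)
        return false;
    *out = buffer_size - HEADER_SIZE;
    return true;
}

int main(void)
{
    size_t n = 0;
    /* Constructed sample sizes: 8 is shorter than the 24-byte header. */
    printf("unchecked(8)  = %zu\n", payload_size_unchecked(8));
    printf("checked(8)    = %s\n",
           payload_size_checked(8, 4096, &n) ? "accepted" : "rejected");
    if (payload_size_checked(64, 4096, &n))
        printf("checked(64)   = %zu payload bytes\n", n);
    return 0;
}
```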

Impact:

Successful exploitation of this vulnerability may allow an attacker to take control of the vulnerable system.

Solution:

HP has released security patches to address the vulnerability. Users and administrators are encouraged to apply the necessary updates.

References:

  1. https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbhf04671en_us&docLocale=en_US

TZCERT-SU-24-0802 (Chrome Security Update)

Google has released security updates to address vulnerabilities in Chrome for iOS and Chrome for Android. Exploitation of these vulnerabilities may allow an attacker to take control of an affected system.

Users and administrators are encouraged to review the Chrome Security Advisories chrome-for-ios and chrome-for-android and apply the necessary updates.