HPE warns of a critical zero-day flaw in server management software

There's a workaround for Windows customers, but nothing for Linux admins

HPE building with sign

HPE has announced a critical zero-day vulnerability in a key server management application that renders its Windows and Linux servers vulnerable to attack.

Trend Micro discovered the vulnerability, which has the ID CVE-2020-7200 in the MITRE vulnerability database. The vulnerability lies in HP's Systems Insight Manager (SIM), an application that allows administrators to check a server's health.

The bug has a base score of 9.8 in the CVSS v3 vulnerability scoring system, which measures a security flaw's severity on a scale of 1 to 10, putting it in the critical category. An attacker could exploit the problem to execute remote code on a Windows or Linux server, according to HPE’s security advisory issued this week.

As a zero-day bug, there’s no patch for this vulnerability, and HPE hasn't said when one will be available. Instead, HPE promises it in "a future release." In the meantime, HPE has issued a workaround for Windows systems.

Administrators must stop the HPE SIM service and delete a file named “simsearch.war” from the Java-based system. This removes the federated search capability that contains the flaw, making it unusable.

SIM manages hardware across an array of HPE servers, including its ProLiant and Integrity systems, along with storage and networking products. The system discovers devices in the host infrastructure and offers inventory management and reporting for them. It lets administrators monitor health without using software agents and configure policies to execute scripts and notify people of failures.

HP launched the federated search feature in 2011, allowing administrators to search the SIM Central Management Server (CMS) for things like static inventory data and installed software. Without this service, HP documents explain that companies with multiple CMS systems will have a fragmented view of company-wide inventory. 

"When large enterprises have CMSes spread across multiple geographic locations, this limitation becomes even more acute," HP’s product documents say.

This workaround only works for Windows servers. There doesn't appear to be an immediate plan for Linux server users.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Everything you need to know about HPE
Business strategy

Everything you need to know about HPE

14 Feb 2020
HPE ProLiant MicroServer Gen10 Plus review: Pint-sized perfection
Server & storage

HPE ProLiant MicroServer Gen10 Plus review: Pint-sized perfection

5 Jan 2021
Aruba Instant On AP12 review: An outstanding SMB solution
wifi & hotspots

Aruba Instant On AP12 review: An outstanding SMB solution

9 Dec 2020
Aruba Central receives FedRAMP "In Process" designation
Network & Internet

Aruba Central receives FedRAMP "In Process" designation

22 Oct 2020

Most Popular

IT retailer faces €10.4m GDPR fine for employee surveillance
General Data Protection Regulation (GDPR)

IT retailer faces €10.4m GDPR fine for employee surveillance

18 Jan 2021
Citrix buys Slack competitor Wrike in record $2.25bn deal
collaboration

Citrix buys Slack competitor Wrike in record $2.25bn deal

19 Jan 2021
Should IT departments call time on WhatsApp?
communications

Should IT departments call time on WhatsApp?

15 Jan 2021