
HPE warns of a critical zero-day flaw in server management software

There's a workaround for Windows customers, but nothing for Linux admins


HPE has announced a critical zero-day vulnerability in a key server management application that renders its Windows and Linux servers vulnerable to attack.

Trend Micro discovered the vulnerability, which has the ID CVE-2020-7200 in the MITRE vulnerability database. The vulnerability lies in HP's Systems Insight Manager (SIM), an application that allows administrators to check a server's health.

The bug has a base score of 9.8 in the CVSS v3 vulnerability scoring system, which measures a security flaw's severity on a scale of 1 to 10, putting it in the critical category. According to HPE's security advisory issued this week, an attacker could exploit the problem to remotely execute code on a Windows or Linux server.

As a zero-day bug, there’s no patch for this vulnerability, and HPE hasn't said when one will be available. Instead, HPE promises it in "a future release." In the meantime, HPE has issued a workaround for Windows systems.

Administrators must stop the HPE SIM service and delete a file named “simsearch.war” from the Java-based system. This removes the federated search capability that contains the flaw, rendering that feature unusable.
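The following PowerShell script is an added example of how an administrator might apply and verify that Windows workaround on a fleet of hosts; it is not HPE's code and is not taken from the advisory. The article does not name the Windows service or the directory that holds the file, so both are mandatory parameters here (assumptions you must confirm on your own installation). Run it with -CheckOnly to audit a host without changing anything, or with -WhatIf to see what it would do.

```powershell
<#
 Added example (not HPE's code, not from the advisory): applies or verifies the
 Windows workaround described above: stop the HPE SIM service, then remove
 simsearch.war. The removed file is moved to a backup directory rather than
 deleted outright so it can be restored if a later HPE release expects it.

 Assumptions (not stated in the article; confirm on your own system):
   -ServiceName  the Windows service name under which HPE SIM runs
   -SimRoot      the SIM installation directory that contains simsearch.war
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)] [string] $ServiceName,
    [Parameter(Mandatory = $true)] [string] $SimRoot,
    [string] $BackupDir = (Join-Path $env:TEMP 'simsearch-backup'),
    [switch] $CheckOnly
)

# Locate every copy of the vulnerable WAR under the install root.
$wars = Get-ChildItem -Path $SimRoot -Recurse -File -Filter 'simsearch.war' -ErrorAction SilentlyContinue

if (-not $wars) {
    Write-Output "No simsearch.war found under $SimRoot - workaround appears to be applied."
    exit 0
}

foreach ($w in $wars) {
    Write-Output "Vulnerable federated-search component present: $($w.FullName)"
}

# In audit mode, exit non-zero so a scheduler or configuration tool flags this host.
if ($CheckOnly) { exit 1 }

# Stop the service first: the JVM is likely to hold the WAR open while running.
$svc = Get-Service -Name $ServiceName -ErrorAction Stop
if ($svc.Status -ne 'Stopped' -and $PSCmdlet.ShouldProcess($ServiceName, 'Stop-Service')) {
    Stop-Service -Name $ServiceName -Force
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
}

# Move (rather than delete) the WAR so the change is reversible.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
foreach ($w in $wars) {
    $stamp  = Get-Date -Format 'yyyyMMddHHmmss'
    $target = Join-Path $BackupDir ("{0}-{1}" -f $stamp, $w.Name)
    if ($PSCmdlet.ShouldProcess($w.FullName, "Move to $target")) {
        Move-Item -Path $w.FullName -Destination $target -Force
    }
}

# Restart SIM so the rest of the product remains available without federated search.
if ($PSCmdlet.ShouldProcess($ServiceName, 'Start-Service')) {
    Start-Service -Name $ServiceName
}
Write-Output "Workaround applied: federated search is disabled on this host."
```

Because a verified absence of simsearch.war is the only evidence the page gives that the workaround is in place, the -CheckOnly exit code is the useful part for ongoing monitoring: schedule it after any SIM upgrade or reinstall, which could put the file back.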

SIM manages hardware across an array of HPE servers, including its ProLiant and Integrity systems, along with storage and networking products. The system discovers devices in the host infrastructure and offers inventory management and reporting for them. It lets administrators monitor health without using software agents and configure policies to execute scripts and notify people of failures.

HP launched the federated search feature in 2011, allowing administrators to search the SIM Central Management Server (CMS) for things like static inventory data and installed software. HP's documentation explains that without this service, companies with multiple CMS systems have a fragmented view of company-wide inventory.

"When large enterprises have CMSes spread across multiple geographic locations, this limitation becomes even more acute," HP’s product documents say.

This workaround only works for Windows servers. There doesn't appear to be an immediate plan for Linux server users.
