HPE has announced a critical zero-day vulnerability in a key server management application that renders its Windows and Linux servers vulnerable to attack.
Trend Micro discovered the vulnerability, which has the ID CVE-2020-7200 in the MITRE vulnerability database. The vulnerability lies in HP's Systems Insight Manager (SIM), an application that allows administrators to check a server's health.
The bug has a base score of 9.8 in the CVSS v3 vulnerability scoring system, which measures a security flaw's severity on a scale of 1 to 10, putting it in the critical category. An attacker could exploit the problem to execute remote code on a Windows or Linux server, according to HPE’s security advisory issued this week.
As a zero-day bug, there’s no patch for this vulnerability, and HPE hasn't said when one will be available. Instead, HPE promises it in "a future release." In the meantime, HPE has issued a workaround for Windows systems.
Administrators must stop the HPE SIM service and delete a file named “simsearch.war” from the Java-based system. This removes the federated search capability that contains the flaw, making it unusable.
SIM manages hardware across an array of HPE servers, including its ProLiant and Integrity systems, along with storage and networking products. The system discovers devices in the host infrastructure and offers inventory management and reporting for them. It lets administrators monitor health without using software agents and configure policies to execute scripts and notify people of failures.
HP launched the federated search feature in 2011, allowing administrators to search the SIM Central Management Server (CMS) for things like static inventory data and installed software. Without this service, HP documents explain that companies with multiple CMS systems will have a fragmented view of company-wide inventory.
"When large enterprises have CMSes spread across multiple geographic locations, this limitation becomes even more acute," HP’s product documents say.
This workaround only works for Windows servers. There doesn't appear to be an immediate plan for Linux server users.
-
Hounslow Council partners with Amazon Web Services (AWS) to build resilience and transition away from legacy techSpomsored One of the most diverse and fastest-growing boroughs in London has completed a massive cloud migration project. Supported by AWS, it was able to work through any challenges
-
Salesforce targets better data, simpler licensing to spur Agentforce adoptionNews The combination of Agentforce 360, Data 360, and Informatica is more context for enterprise AI than ever before
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
-
Critical Dell Storage Manager flaws could let hackers access sensitive data – patch nowNews A trio of flaws in Dell Storage Manager has prompted a customer alert
-
Flaw in Lenovo’s customer service AI chatbot could let hackers run malicious code, breach networksNews Hackers abusing the Lenovo flaw could inject malicious code with just a single prompt
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
