Support Center
English
0 result(s) found
No result found
HPESBHF04593 rev.6 - HPE ProLiant DL/DX/ML/SY/RL/XL/Edgeline Servers Using BIOS (PixieFail), Multiple Vulnerabilities

HPESBHF04593 rev.6 - HPE ProLiant DL/DX/ML/SY/RL/XL/Edgeline Servers Using BIOS (PixieFail), Multiple Vulnerabilities

Document Subtype: Security Bulletin|Document ID: hpesbhf04593en_us|Last Updated: 2024-07-10|Release Date: 2024-04-02|Document Version: 6

Potential Security Impact: Local: Unauthorized Access; Remote: Code Execution, Denial of Service (DoS), Buffer Overflow

Source: Hewlett Packard Enterprise, HPE Product Security Response Team

VULNERABILITY SUMMARY

Potential security vulnerabilities have been identified in HPE ProLiant DL/DX/ML/SY/RL/XL/Edgeline Servers. These vulnerabilities could be remotely exploited to allow remote code execution, denial of service, information disclosure and local unauthorized access.

References:
  • CVE-2023-45229
  • CVE-2023-45230
  • CVE-2023-45231
  • CVE-2023-45232
  • CVE-2023-45233
  • CVE-2023-45234
  • CVE-2023-45235
  • CVE-2023-45236
  • CVE-2023-45237

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  • HPE ProLiant DL20 Gen11 - Prior to v1.48_03-14-2024
  • HPE ProLiant DL110 Gen11 - Prior to v2.16_03-01-2024
  • HPE ProLiant DL320 Gen11 Server - Prior to v2.16_03-01-2024
  • HPE ProLiant DL360 Gen11 Server - Prior to v2.16_03-01-2024
  • HPE ProLiant DL380 Gen11 Server - Prior to v2.16_03-01-2024
  • HPE ProLiant DL380a Gen11 - Prior to v2.16_03-01-2024
  • HPE ProLiant DL560 Gen11 - Prior to v2.16_03-01-2024
  • HPE ProLiant ML30 Gen11 - Prior to v1.48_03-14-2024
  • HPE ProLiant ML110 Gen11 - Prior to v2.16_03-01-2024
  • HPE ProLiant ML350 Gen11 Server - Prior to v2.16_03-01-2024
  • HPE ProLiant MicroServer Gen11 - Prior to v1.48_03-14-2024
  • HPE Alletra 4110 - Prior to v2.16_03-01-2024
  • HPE Alletra 4120 - Prior to v2.16_03-01-2024
  • HPE ProLiant DL20 Gen10 Plus server - Prior to v2.10_05-16-2024
  • HPE ProLiant DL110 Gen10 Plus Telco server - Prior to v2.00_02-22-2024
  • HPE ProLiant DL360 Gen10 Plus server - Prior to v2.00_03-06-2024
  • HPE ProLiant DL380 Gen10 Plus server - Prior to v2.00_03-06-2024
  • HPE ProLiant ML30 Gen10 Plus server - Prior to v2.10_05-16-2024
  • HPE ProLiant MicroServer Gen10 Plus - Prior to v3.10_05-16-2024
  • HPE ProLiant MicroServer Gen10 Plus v2 - Prior to v2.10_05-16-2024
  • HPE ProLiant DL20 Gen10 Server - Prior to v3.10_03-21-2024
  • HPE ProLiant DL160 Gen10 Server - Prior to v3.10_02-22-2024
  • HPE ProLiant DL180 Gen10 Server - Prior to v3.10_02-22-2024
  • HPE ProLiant DL360 Gen10 Server - Prior to v3.10_02-22-2024
  • HPE ProLiant DL380 Gen10 Server - Prior to v3.10_02-22-2024
  • HPE ProLiant DL560 Gen10 Server - Prior to v3.10_02-22-2024
  • HPE ProLiant ML30 Gen10 Server - Prior to v3.10_05-16-2024
  • HPE ProLiant ML110 Gen10 Server - Prior to v3.10_02-22-2024
  • HPE ProLiant ML350 Gen10 Server - Prior to v3.10_02-22-2024
  • HPE ProLiant DL20 Gen9 Server - Prior to v3.40_03-21-2024
  • HPE ProLiant ML30 Gen9 Server - Prior to v3.40_03-21-2024
  • HPE Synergy 480 Gen11 Compute Module - Prior to v2.16_03-01-2024
  • HPE Synergy 480 Gen10 Plus Compute Module - Prior to v2.00_02-22-2024
  • HPE ProLiant BL460c Gen10 Server Blade - Prior to v3.10_02-22-2024
  • HPE Synergy 480 Gen10 Compute Module - Prior to v3.10_02-22-2024
  • HPE Synergy 660 Gen10 Compute Module - Prior to v3.10_02-22-2024
  • HPE Apollo 4200 Gen10 Plus System - Prior to v2.00_02-22-2024
  • HPE ProLiant XL220n Gen10 Plus Server - Prior to v2.00_02-22-2024
  • HPE ProLiant XL290n Gen10 Plus Server - Prior to v2.00_02-22-2024
  • HPE Apollo 2000 Gen10 Plus System - Prior to v2.00_02-22-2024
  • HPE ProLiant XL170r Gen10 Server - Prior to v3.10_02-22-2024
  • HPE ProLiant XL190r Gen10 Server - Prior to v3.10_02-22-2024
  • HPE Apollo 2000 System - Prior to v3.10_02-22-2024
  • HPE ProLiant e910 Server Blade - Prior to v3.10_02-22-2024
  • HPE ProLiant e910t Server Blade - Prior to v3.10_02-22-2024
  • HPE Edgeline e920 Server Blade - Prior to v2.00_02-22-2024
  • HPE Edgeline e920d Server Blade - Prior to v2.00_02-22-2024
  • HPE Edgeline e920t Server Blade - Prior to v2.00_02-22-2024
  • HPE Compute Edge Server e930t - Prior to v2.16_03-01-2024
  • HPE ProLiant RL300 Gen11 - Prior to v1.60_03-07-2024
  • HPE ProLiant DX170r Gen10 server - Prior to v3.10_02-22-2024
  • HPE ProLiant DX190r Gen10 server - Prior to v3.10_02-22-2024
  • HPE ProLiant DX360 Gen10 Plus server - Prior to v2.00_03-06-2024
  • HPE ProLiant DX380 Gen10 Plus server - Prior to v2.00_03-06-2024
  • HPE ProLiant DX220n Gen10 Plus server - Prior to v2.00_02-22-2024
  • HPE ProLiant DX360 Gen10 server - Prior to v3.10_02-22-2024
  • HPE ProLiant DX380 Gen10 server - Prior to v3.10_02-22-2024
  • HPE ProLiant DX560 Gen10 server - Prior to v3.10_02-22-2024
  • HPE ProLiant DX4200 Gen10 server - Prior to v2.00_02-22-2024

BACKGROUND

HPE calculates CVSS using CVSS Version 3.1. If the score is provided from NIST, we will display Version 3.1 as provided from NVD.
Reference
V3 Vector
V3 Base Score
CVE-2023-45229
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
6.5
CVE-2023-45230
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
8.3
CVE-2023-45231
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
6.5
CVE-2023-45232
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5
CVE-2023-45233
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5
CVE-2023-45234
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
8.3
CVE-2023-45235
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
8.3
CVE-2023-45236
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
5.8
CVE-2023-45237
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3
Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002

RESOLUTION

HPE has made the following software updates to resolve these vulnerabilities in HPE DL/DX/ML/SY/RL/XL/Edgeline Server BIOS.

  • Gen11 BIOS Version 2.16_03-01-2024 or later for E5, 1.48_03-14-2024 or later for E3
  • Gen10 Plus BIOS Version 2.00_03-06-2024, 2.00_02-22-2024 or later for E5, 2.10_05-16-2024, 3.10_05-16-2024 or later for E3
  • Gen10 BIOS Version 3.10_02-22-2024 or later for E5, 3.10_05-16-2024 or later for E3
  • Gen9 BIOS Version 3.40_03-21-2024 or later for E3
  • Edgeline e930t BIOS Version 2.16_03-01-2024 or later
  • Edgeline e920 BIOS Version 2.00_02-22-2024 or later
  • Edgeline e910x BIOS Version 3.10_02-22-2024 or later
  • RL300 Gen11 BIOS Version 1.60_03-07-2024 or later

Download the firmware for your product on HPE Support Center.

To locate the download for a certain component please perform the following steps:

  1. Click the following link:

    Hewlett Packard Enterprise Support Center

  2. Enter a product name from the list of impacted products above in the text search field and wait for a list of Suggested Products to display. From the Suggested Products list displayed, identify the desired product and select it.
  3. The page should refresh to include a selection for the "DRIVERS AND SOFTWARE" tab.
  4. Select the “DRIVERS AND SOFTWARE tab to find the components that you need and download them.

Note: To ensure that you have selected the latest version of the firmware/driver, click the Revision History tab to check if a new version of the firmware/driver is available.

HISTORY
  • Version:1 (rev.1) - 2 April 2024 Initial release
  • Version:2 (rev.2) - 18 April 2024 Added DX Servers
  • Version:3 (rev.3) - 14 May 2024 Updated DX Servers
  • Version:4 (rev.4) - 3 June 2024 Added E3 processor servers.
  • Version:5 (rev.5) - 11 June 2024 Added CVE-2021-38578.
  • Version:6 (rev.6) - 9 July 2024 Removed CVE-2021-38575 and CVE-2021-38578

Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com.

Report: To report a potential security vulnerability for any HPE supported product:

Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive

©Copyright 2025 Hewlett Packard Enterprise Development LP
Hewlett Packard Enterprise Development shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HPE nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise Development and the names of Hewlett Packard Enterprise Development products referenced herein are trademarks of Hewlett Packard Enterprise Development in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
CVSS Severity from NVD
View CVE details
Related Products
  • HPE ProLiant DL360 Gen11
  • HPE ProLiant DL20 Gen11
  • HPE ProLiant DL110 Gen11
    • View All
    On This Page
    • HPESBHF04593 rev.6 - HPE ProLiant DL/DX/ML/SY/RL/XL/Edgeline Servers Using BIOS (PixieFail), Multiple Vulnerabilities
      • VULNERABILITY SUMMARY
      • SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
      • BACKGROUND
      • RESOLUTION
    Legal Disclaimer: Products sold prior to the November 1, 2015 separation of Hewlett-Packard Company into Hewlett Packard Enterprise Company and HP Inc. may have older product names and model numbers that differ from current models.
    Hewlett Packard Enterprise believes in being unconditionally inclusive. Efforts to replace noninclusive terms in our active products are ongoing.
    This page has an error. You might just need to refresh it. [NoErrorObjectAvailable] lightningout:client-error:script-setup:https://support.hpe.com/connect/l/%7B%22mode%22%3A%22PROD%22%2C%22dfs%22%3A%228%22%2C%22app%22%3A%22c%3AdceLightningOutApp%22%2C%22loaded%22%3A%7B%22APPLICATION%40markup%3A%2F%2Fc%3AdceLightningOutApp%22%3A%22739_dzZllEEIH7iFM5YnuoPToQ%22%7D%2C%22styleContext%22%3A%7B%22c%22%3A%22other%22%2C%22x%22%3A%5B%223%22%2C%22SLDS%22%2C%22isDesktop%22%5D%2C%22tokens%22%3A%5B%22markup%3A%2F%2Fforce%3AsldsTokens%22%2C%22markup%3A%2F%2Fforce%3Abase%22%2C%22markup%3A%2F%2Fforce%3AformFactorLarge%22%5D%2C%22tuid%22%3A%22614bpEEa2TzAg8-fXeYADg%22%2C%22cuid%22%3A547826658%7D%2C%22pathPrefix%22%3A%22%2Fconnect%22%7D/app.css?3=
    wiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwiwi