Print | Rate this content

HPESBHF03856 rev.1 - Comware v7 and Intelligent Management Center Products, Remote Denial of Service

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: hpesbhf03856en_us

Version: 1

HPESBHF03856 rev.1 - Comware v7 and Intelligent Management Center Products, Remote Denial of Service
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2018-07-10

Last Updated: 2018-07-10


Potential Security Impact: Remote: Denial of Service (DoS)

Source: Hewlett Packard Enterprise, HPE Product Security Response Team

VULNERABILITY SUMMARY

Security vulnerabilities in HPE Comware v7 and Intelligent Management Center (iMC) products could be remotely exploited to allow a Denial of Service (DoS).

References:
  • CVE-2016-2177
  • CVE-2016-2178
  • CVE-2016-2179
  • CVE-2016-2180
  • CVE-2016-2182
  • CVE-2016-6306
  • CVE-2016-6309
  • CVE-2016-7052

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  • HPE Intelligent Management Center (iMC) iMC 7.3 - IMC PLAT
  • HPE FlexFabric 12500 Switch Series Comware 7 - Detailed list of switches provided below
  • HPE FlexNetwork 10500 Switch Series Comware 7 - Detailed list of switches provided
  • HPE FlexNetwork 7500 Switch Series Comware 7 - Detailed list of switches provided
  • HPE FlexFabric 5900 Switch Series Comware 7 - Detailed list of switches provided
  • HPE FlexNetwork VSR1000 Virtual Services Router Series Comware 7 - Detailed list of switches provided
  • HPE FlexFabric 7900 Switch Series Comware 7 - Detailed list of switches provided below
  • HPE FlexNetwork 5130 EI Brazil Switch Series Comware 7 - Detailed list of switches provided below
  • HPE FlexNetwork 5130 EI Switch Series Comware 7 - Detailed list of switches provided below
  • HPE 6125XLG Ethernet Blade Switch Comware 7 - Detailed list of switches provided below
  • HPE 6127XLG Blade Switch Comware 7 - Detailed list of switches provided below
  • HPE Moonshot-180XGc Switch Module Comware 7 - Detailed list of switches provided below
  • HPE Moonshot-45Gc Switch Module Comware 7 - Detailed list of switches provided below
  • HPE Moonshot-45XGc Switch Module Comware 7 - Detailed list of switches provided below
  • HPE FlexFabric 5930 Switch Series Comware 7 - Detailed list of switches provided below
  • HPE FlexFabric 5940 Switch Series Comware 7 - Detailed list of switches provided below
  • HPE FlexFabric 5950 Switch Series Comware 7 - Detailed list of switches provided below
  • HPE FlexFabric 5700 Switch Series Comware 7 - Detailed list of switches provided below
  • HPE FlexNetwork 5130 HI Switch Series Comware 7 - Detailed list of switches provided below
  • HPE FlexNetwork 5510 HI Switch Series Comware 7 - Detailed list of switches provided below
  • HPE IMC User Access Management Software iMC UAM_TAM 7.3 E0504

BACKGROUND

CVSS Version 3.0 and Version 2.0 Base Metrics
Reference
V3 Vector
V3 Base Score
V2 Vector
V2 Base Score
CVE-2016-2177
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
7.3
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
7.5
CVE-2016-2178
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0
(AV:L/AC:L/Au:N/C:P/I:N/A:N)
2.1
CVE-2016-2179
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5.3
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
5.0
CVE-2016-2180
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5.3
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
5.0
CVE-2016-2182
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
7.3
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
7.5
CVE-2016-6306
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
5.6
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
4.3
CVE-2016-6309
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
10.0
CVE-2016-7052
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5.3
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
5.0
Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002

RESOLUTION

HPE has provided software updates to address the vulnerabilities in the following HPE Intelligent Management Center (iMC) and Comware 7 products:

  • 12500 (Comware 7) - Version: R7377P03
    • HP Network Products
      • JC072B HP 12500 Main Processing Unit
      • JC085A HP A12518 Switch Chassis
      • JC086A HP A12508 Switch Chassis
      • JC652A HP 12508 DC Switch Chassis
      • JC653A HP 12518 DC Switch Chassis
      • JC654A HP 12504 AC Switch Chassis
      • JC655A HP 12504 DC Switch Chassis
      • JF430A HP A12518 Switch Chassis
      • JF430B HP 12518 Switch Chassis
      • JF430C HP 12518 AC Switch Chassis
      • JF431A HP A12508 Switch Chassis
      • JF431B HP 12508 Switch Chassis
      • JF431C HP 12508 AC Switch Chassis
      • JG497A HP 12500 MPU w/Comware V7 OS
      • JG782A HP FF 12508E AC Switch Chassis
      • JG783A HP FF 12508E DC Switch Chassis
      • JG784A HP FF 12518E AC Switch Chassis
      • JG785A HP FF 12518E DC Switch Chassis
      • JG802A HP FF 12500E MPU
    • CVEs
      • CVE-2016-2177
    • 10500 (Comware 7) R75XX - Version: R7524P02
    • HP Network Products
      • JC611A HP 10508-V Switch Chassis
      • JC612A HP 10508 Switch Chassis
      • JC613A HP 10504 Switch Chassis
      • JC748A HP 10512 Switch Chassis
      • JG608A HP FlexFabric 11908-V Switch Chassis
      • JG609A HP FlexFabric 11900 Main Processing Unit
      • JG820A HP 10504 TAA Switch Chassis
      • JG821A HP 10508 TAA Switch Chassis
      • JG822A HP 10508-V TAA Switch Chassis
      • JG823A HP 10512 TAA Switch Chassis
      • JG496A HP 10500 Type A MPU w/Comware v7 OS
      • JH198A HP 10500 Type D Main Processing Unit with Comware v7 Operating System
      • JH206A HP 10500 Type D TAA-compliant with Comware v7 Operating System Main Processing Unit
    • CVEs
      • CVE-2016-2177
    • 7500 (Comware 7) - Version: R7524P02
    • HP Network Products
      • JD238C HP 7510 Switch Chassis
      • JD239C HP 7506 Switch Chassis
      • JD240C HP 7503 Switch Chassis
      • JD242C HP 7502 Switch Chassis
      • JH207A HP 7500 1.2Tbps Fabric with 2-port 40GbE QSFP+ for IRF-Only Main Processing Unit
      • JH208A HP 7502 Main Processing Unit
      • JH209A HP 7500 2.4Tbps Fabric with 8-port 1/10GbE SFP+ and 2-port 40GbE QSFP+ Main Processing Unit
    • CVEs
      • CVE-2016-2177
    • 5900 (Comware 7) - Version: R2432P01
    • HP Network Products
      • JC772A HP 5900AF-48XG-4QSFP+ Switch
      • JG296A HP 5920AF-24XG Switch
      • JG336A HP 5900AF-48XGT-4QSFP+ Switch
      • JG510A HP 5900AF-48G-4XG-2QSFP+ Switch
      • JG554A HP 5900AF-48XG-4QSFP+ TAA Switch
      • JG555A HP 5920AF-24XG TAA Switch
      • JG838A HP FF 5900CP-48XG-4QSFP+ Switch
      • JH036A HP FlexFabric 5900CP 48XG 4QSFP+ TAA-Compliant
      • JH037A HP 5900AF 48XGT 4QSFP+ TAA-Compliant Switch
      • JH038A HP 5900AF 48G 4XG 2QSFP+ TAA-Compliant
    • CVEs
      • CVE-2016-2177
    • VSR (Comware 7) - Version: VSR E0325
    • HP Network Products
      • JG810AAE HP VSR1001 Virtual Services Router 60 Day Evaluation Software
      • JG811AAE HP VSR1001 Comware 7 Virtual Services Router
      • JG812AAE HP VSR1004 Comware 7 Virtual Services Router
      • JG813AAE HP VSR1008 Comware 7 Virtual Services Router
    • CVEs
      • CVE-2016-2177
    • 7900 (Comware 7) - Version: R2710
    • HP Network Products
      • JG682A HP FlexFabric 7904 Switch Chassis
      • JG841A HP FlexFabric 7910 Switch Chassis
      • JG842A HP FlexFabric 7910 7.2Tbps Fabric / Main Processing Unit
      • JH001A HP FlexFabric 7910 2.4Tbps Fabric / Main Processing Unit
      • JH122A HP FlexFabric 7904 TAA-compliant Switch Chassis
      • JH123A HP FlexFabric 7910 TAA-compliant Switch Chassis
      • JH124A HP FlexFabric 7910 7.2Tbps TAA-compliant Fabric/Main Processing Unit
      • JH125A HP FlexFabric 7910 2.4Tbps TAA-compliant Fabric/Main Processing Unit
    • CVEs
      • CVE-2016-2177
    • 5130EI (Comware 7) - Version: R3115P05
    • HP Network Products
      • JG932A HP 5130-24G-4SFP+ EI Switch
      • JG933A HP 5130-24G-SFP-4SFP+ EI Switch
      • JG934A HP 5130-48G-4SFP+ EI Switch
      • JG936A HP 5130-24G-PoE+-4SFP+ (370W) EI Switch
      • JG937A HP 5130-48G-PoE+-4SFP+ (370W) EI Switch
      • JG938A HP 5130-24G-2SFP+-2XGT EI Switch
      • JG939A HP 5130-48G-2SFP+-2XGT EI Switch
      • JG940A HP 5130-24G-PoE+-2SFP+-2XGT (370W) EI Switch
      • JG941A HP 5130-48G-PoE+-2SFP+-2XGT (370W) EI Switch
      • JG975A HP 5130-24G-4SFP+ EI Brazil Switch
      • JG976A HP 5130-48G-4SFP+ EI Brazil Switch
      • JG977A HP 5130-24G-PoE+-4SFP+ (370W) EI Brazil Switch
      • JG978A HP 5130-48G-PoE+-4SFP+ (370W) EI Brazil Switch
    • CVEs
      • CVE-2016-2177
    • 6125XLG - Version: R2432P01
    • HP Network Products
      • 711307-B21 HP 6125XLG Blade Switch
      • 737230-B21 HP 6125XLG Blade Switch with TAA
    • CVEs
      • CVE-2016-2177
    • 6127XLG - Version: R2432P01
    • HP Network Products
      • 787635 HP 6127XLG Blade Switch Opt Kit
    • CVEs
      • CVE-2016-2177
    • Moonshot - Version: R2432P01
    • HP Network Products
      • 786617-B21 - HP Moonshot-45Gc Switch Module
      • 704654-B21 - HP Moonshot-45XGc Switch Module
      • 786619-B21 - HP Moonshot-180XGc Switch Module
    • CVEs
      • CVE-2016-2177
    • 5700 (Comware 7) - Version: R2432P01
    • HP Network Products
      • JG894A HP FlexFabric 5700-48G-4XG-2QSFP+ Switch
      • JG895A HP FlexFabric 5700-48G-4XG-2QSFP+ TAA-compliant Switch
      • JG896A HP FlexFabric 5700-40XG-2QSFP+ Switch
      • JG897A HP FlexFabric 5700-40XG-2QSFP+ TAA-compliant Switch
      • JG898A HP FlexFabric 5700-32XGT-8XG-2QSFP+ Switch
      • JG899A HP FlexFabric 5700-32XGT-8XG-2QSFP+ TAA-compliant Switch
    • CVEs
      • CVE-2016-2177
    • 5930 (Comware 7) - Version: R2432P01
    • HP Network Products
      • JG726A HP FlexFabric 5930 32QSFP+ Switch
      • JG727A HP FlexFabric 5930 32QSFP+ TAA-compliant Switch
      • JH178A HP FlexFabric 5930 2QSFP+ 2-slot Switch
      • JH179A HP FlexFabric 5930 4-slot Switch
      • JH187A HP FlexFabric 5930 2QSFP+ 2-slot TAA-compliant Switch
      • JH188A HP FlexFabric 5930 4-slot TAA-compliant Switch
    • CVEs
      • CVE-2016-2177
    • 5950 (Comware 7) - Version: R6125
    • HP Network Products
      • JH321A HPE FlexFabric 5950 32QSFP28 Switch
      • JH402A HPE FlexFabric 5950 48SFP28 8QSFP28 Switch
      • JH404A HPE FlexFabric 5950 4-slot Switch
      • JH321A HPE FlexFabric 5950 32QSFP28 Switch
    • CVEs
      • CVE-2016-2177
    • 5940 (Comware 7) - Version: R2609
    • HP Network Products
      • JH390A HPE FlexFabric 5940 48SFP+ 6QSFP28 Switch
      • JH391A HPE FlexFabric 5940 48XGT 6QSFP28 Switch
      • JH394A HPE FlexFabric 5940 48XGT 6QSFP+ Switch
      • JH395A HPE FlexFabric 5940 48SFP+ 6QSFP+ Switch
      • JH396A HPE FlexFabric 5940 32QSFP+ Switch
      • JH397A HPE FlexFabric 5940 2-slot Switch
      • JH398A HPE FlexFabric 5940 4-slot Switch
    • CVEs
      • CVE-2016-2177
    • 5510HI (Comware 7) - Version: R1121P01
    • HP Network Products
      • JH145A HPE 5510 24G 4SFP+ HI 1-slot Switch
      • JH146A HPE 5510 48G 4SFP+ HI 1-slot Switch
      • JH147A HPE 5510 24G PoE+ 4SFP+ HI 1-slot Switch
      • JH148A HPE 5510 48G PoE+ 4SFP+ HI 1-slot Switch
      • JH149A HPE 5510 24G SFP 4SFP+ HI 1-slot Switch
    • CVEs
      • CVE-2016-2177
    • 5130HI (Comware 7) - Version: R1121P02
    • HP Network Products
      • JH323A HPE 5130 24G 4SFP+ 1-slot HI Switch
      • JH324A HPE 5130 48G 4SFP+ 1-slot HI Switch
      • JH325A HPE 5130 24G PoE+ 4SFP+ 1-slot HI Switch
      • JH326A HPE 5130 48G PoE+ 4SFP+ 1-slot HI Switch
    • CVEs
      • CVE-2016-2177
    • IMC PLAT - Version: iMC PLAT 7.3 E0504P04
    • HP Network Products
      • JD125A HP IMC Std S/W Platform w/100-node
      • JD126A HP IMC Ent S/W Platform w/100-node
      • JD808A HP IMC Ent Platform w/100-node License
      • JD814A HP A-IMC Enterprise Edition Software DVD Media
      • JD815A HP IMC Std Platform w/100-node License
      • JD816A HP A-IMC Standard Edition Software DVD Media
      • JF288AAE HP Network Director to Intelligent Management Center Upgrade E-LTU
      • JF289AAE HP Enterprise Management System to Intelligent Management Center Upgrade E-LTU
      • JF377A HP IMC Std S/W Platform w/100-node Lic
      • JF377AAE HP IMC Std S/W Pltfrm w/100-node E-LTU
      • JF378A HP IMC Ent S/W Platform w/200-node Lic
      • JF378AAE HP IMC Ent S/W Pltfrm w/200-node E-LTU
      • JG546AAE HP IMC Basic SW Platform w/50-node E-LTU
      • JG548AAE HP PCM+ to IMC Bsc Upgr w/50-node E-LTU
      • JG549AAE HP PCM+ to IMC Std Upgr w/200-node E-LTU
      • JG747AAE HP IMC Std SW Plat w/ 50 Nodes E-LTU
      • JG748AAE HP IMC Ent SW Plat w/ 50 Nodes E-LTU
      • JG768AAE HP PCM+ to IMC Std Upg w/ 200-node E-LTU
      • JG550AAE HPE PCM+ Mobility Manager to IMC Basic WLAN Platform Upgrade 50-node and 150-AP E-LTU
      • JG590AAE HPE IMC Basic WLAN Manager Software Platform 50 Access Point E-LTU
      • JG660AAE HP IMC Smart Connect with Wireless Manager Virtual Appliance Edition E-LTU
      • JG766AAE HP IMC Smart Connect Virtual Appliance Edition E-LTU
      • JG767AAE HP IMC Smart Connect with Wireless Manager Virtual Appliance Edition E-LTU
      • JG768AAE HPE PCM+ to IMC Standard Software Platform Upgrade with 200-node E-LTU
      • JH704AAE Aruba IMC Std SW Plat w/50-node E-LTU
      • JH705AAE Aruba IMC Ent SW Plat w/50-node E-LTU
    • CVEs
      • CVE-2016-2177
      • CVE-2016-2178
      • CVE-2016-2179
      • CVE-2016-2180
      • CVE-2016-2182
      • CVE-2016-6306
      • CVE-2016-6309
      • CVE-2016-7052
    • IMC UAM_TAM - Version: iMC UAM_TAM 7.3 E0504
    • HP Network Products
      • JF388A HP IMC UAM S/W MODULE W/200-USER LICENSE
      • JF388AAE HP IMC UAM S/W MODULE W/200-USER E-LTU
      • JG752AAE HP IMC UAM SW MOD W/ 50-USER E-LTU
      • JG483A HP IMC TAM S/W MODULE W/100-NODE LIC
      • JG483AAE HP IMC TAM S/W MODULE W/100-NODE E-LTU
      • JG764AAE HP IMC TAM SW MOD W/ 50-NODE E-LTU
    • CVEs
      • CVE-2016-2177
      • CVE-2016-2178
      • CVE-2016-2179
      • CVE-2016-2180
      • CVE-2016-2182
      • CVE-2016-6306
      • CVE-2016-6309
      • CVE-2016-7052

HISTORY
Version:1 (rev.1) - 10 July 2018 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com.

Report: To report a potential security vulnerability for any HPE supported product:

Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive

Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX

©Copyright 2018 Hewlett Packard Enterprise Development LP
Hewlett Packard Enterprise Development shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HPE nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise Development and the names of Hewlett Packard Enterprise Development products referenced herein are trademarks of Hewlett Packard Enterprise Development in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

Provide feedback

Please rate the information on this page to help us improve our content. Thank you!
Document title: HPESBHF03856 rev.1 - Comware v7 and Intelligent Management Center Products, Remote Denial of Service
Document ID: emr_na-hpesbhf03856en_us-1
How helpful was this document?
How can we improve this document?
Note: Only English language comments can be accepted at this time.
Please wait while we process your request.