
HPESBHF03930 rev.3 - HPE Intelligent Management Center (IMC) PLAT Remote Arbitrary Code Execution, Disclosure of Information, Denial of Service and Buffer Overflow

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: hpesbhf03930en_us

Version: 1

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2019-05-09

Last Updated: 2019-05-10


Potential Security Impact: Remote: Arbitrary Code Execution, Denial of Service (DoS), Disclosure of Information, Buffer Overflow

Source: Hewlett Packard Enterprise, HPE Product Security Response Team

VULNERABILITY SUMMARY

Security vulnerabilities in HPE Intelligent Management Center (IMC) PLAT version 7.3 E0506P09 and earlier may allow remote code execution, disclosure of information, and denial of service.

References:
  • CVE-2019-5393 - dbman Opcode 10002 Arbitrary Backup
  • CVE-2019-5392 - dbman Opcode 10001 Information Disclosure
  • CVE-2018-7121 - JMX Insecure Config Unauthenticated Remote Code Execution
  • CVE-2018-7122 - JMX Insecure Configuration Remote Unauthenticated Information Disclosure
  • CVE-2018-7123 - Tenable - dbman Opcode 10014 Unauthenticated 'kill' DoS
  • CVE-2018-7124 - ZDI-CAN-6856 - iccSelectCommand Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2018-7125 - ZDI-CAN-6805 - PrimeFaces Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5338 - ZDI-CAN-6758 - addVsiInterfaceInfo Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5339 - ZDI-CAN-6765 - devGroupSelect Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5340 - ZDI-CAN-6766 - actionSelectContent Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5341 - ZDI-CAN-6767 - SyslogTempletSelectWin Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5342 - ZDI-CAN-6768 - legend Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5343 - ZDI-CAN-6861 - compareFilesResult Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5344 - ZDI-CAN-6763 - faultDevParasSet Expression Language Injection Remote Code Execution
  • CVE-2019-5345 - ZDI-CAN-6762 - eventInfo_content Expression Language Injection Remote Code Execution
  • CVE-2019-5346 - ZDI-CAN-6764 - faultInfo_content Expression Language Injection Remote Code Execution
  • CVE-2019-5347 - ZDI-CAN-6769 - UrlAccessController Authentication Bypass Vulnerability
  • CVE-2019-5348 - ZDI-CAN-7009 - GWT deviceservice queryCustomCondition Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5349 - ZDI-CAN-7035 - TopoDebugServlet Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5350 - ZDI-CAN-7036 - TopoDebugServlet Deserialization of Untrusted Data Remote Code Execution Vulnerability
  • CVE-2019-5351 - ZDI-CAN-7010 - GWT deviceservice saveSelectedInterfaces Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5352 - ZDI-CAN-7018 - GWT perfAddFormServer getAddFormBean Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5353 - ZDI-CAN-6962 - reportpage index Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5354 - ZDI-CAN-7011 - GWT perfInsListServer getInsListBean Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5355 - Tenable - dbman Opcode 10003 'Filename' Denial of Service
  • CVE-2019-5356 - ZDI-CAN-7049 - CommonUtils unzip Directory Traversal Remote Code Execution Vulnerability
  • CVE-2019-5357 - ZDI-CAN-7050 - FileUploadServlet Unrestricted File Upload Remote Code Execution Vulnerability
  • CVE-2019-5358 - ZDI-CAN-6907 - viewTaskResultDetailFact Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5359 - ZDI-CAN-6872 - select Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5360 - ZDI-CAN-6865 - perfAddorModDeviceMonitor Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5361 - ZDI-CAN-6909 - faultParasSet Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5362 - ZDI-CAN-7034 - TopoDebugServlet Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5363 - ZDI-CAN-7008 - GWT deviceservice saveSelectedDevices Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5364 - ZDI-CAN-6868 - quickTemplateSelect Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5365 - ZDI-CAN-6860 - deviceSelect Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5366 - ZDI-CAN-6882 - guiDataDetail Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5367 - ZDI-CAN-6806 - MyFaces Static Key ViewState Use of Default Credentials Remote Code Execution Vulnerability
  • CVE-2019-5368 - ZDI-CAN-6867 - reportTaskSelect Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5369 - ZDI-CAN-6871 - tvxlanLegend Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5370 - ZDI-CAN-6759, ZDI-CAN-6755, ZDI-CAN-6760 - ictExpertCSVDownload Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5371 - ZDI-CAN-6910 - addDeviceToView Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5372 - ZDI-CAN-6884 - iccSelectRules Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5373 - ZDI-CAN-6864 - customTemplateSelect Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5374 - ZDI-CAN-6854 - operatorGroupTreeSelectContent Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5375 - ZDI-CAN-6855 - ictExpertDownload Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5376 - ZDI-CAN-6914 - TopoMsgServlet Java Reflection Remote Code Execution Vulnerability
  • CVE-2019-5377 - ZDI-CAN-6862 - sshConfig Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5378 - ZDI-CAN-6869 - userSelectPagingContent Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5379 - ZDI-CAN-6858 - deploySelectSoftware Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5380 - ZDI-CAN-6756 - selViewNavContent Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5381 - ZDI-CAN-6875 - faultStatChooseFaultType Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5382 - ZDI-CAN-6876 - faultFlashEventSelectFact Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5383 - ZDI-CAN-6880 - wmiConfigContent Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5384 - ZDI-CAN-6886 - iccSelectDymicParam Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5385 - ZDI-CAN-6889 - perfSelectTask Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5386 - ZDI-CAN-6908 - viewBatchTaskResultDetailFact Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5387 - ZDI-CAN-6754 - navigationTo Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5388 - ZDI-CAN-7016 - Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5389 - ZDI-CAN-7017 - Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-5390 - Tenable - dbman command 10018 (hostRoleSwitch) injection vulnerability
  • CVE-2019-5391 - Tenable - dbman command 10018 (hostRoleSwitch) Remote Stack Buffer Overflow
  • CVE-2019-11941 - ZDI-CAN-6857 - iccSelectDevType expression language injection remote code execution
  • CVE-2019-11942 - ZDI-CAN-6911 - TopoMsgServlet Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-11943 - ZDI-CAN-6757 - soapConfigContent Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-11944 - ZDI-CAN-6807 - AMF3 Externalizable Deserialization of Untrusted Data Remote Code Execution Vulnerability
  • CVE-2019-11945 - ZDI-CAN-6885 - AccessMgrServlet className Deserialization of Untrusted Data Remote Code Execution Vulnerability
  • CVE-2019-11946 - ZDI-CAN-6932 - Standard ImcLoginMgrImpl Hard-coded Cryptographic Key Credentials Disclosure Vulnerability
  • CVE-2019-11947 - ZDI-CAN-7033 - dbman Use of Hard-coded Credentials Remote Code Execution Vulnerability
  • CVE-2019-11948 - ZDI-CAN-6878 - ifViewSelectPage Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-11949 - ZDI-CAN-6761 - powershellConfigContent Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-11950 - ZDI-CAN-6804 - WebSocket Shape3DWebSocketServlet Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-11951 - ZDI-CAN-6873 - faultEventSelectFact Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-11952 - ZDI-CAN-6874 - faultTrapGroupSelect Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-11953 - ZDI-CAN-6877 - smsRulesDownload Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-11954 - ZDI-CAN-6887 - operationSelect Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-11955 - ZDI-CAN-6888 - devSoftSel Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-11956 - ZDI-CAN-6943 - ByteMessageResource transformEntity Deserialization of Untrusted Data Remote Code Execution Vulnerability
  • CVE-2019-11957 - ZDI-CAN-6108 - dbman decryptMsgAes Stack-based Buffer Overflow Remote Code Execution Vulnerability
  • CVE-2019-11958 - ZDI-CAN-6883 - operatorGroupSelectContent Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-11959 - ZDI-CAN-6879 - thirdPartyPerfSelectTask Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-11960 - ZDI-CAN-6870 - select Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-11961 - ZDI-CAN-6866 - templateSelect Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-11962 - ZDI-CAN-6863 - selectUserGroup Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-11963 - ZDI-CAN-6859 - deploySelectBootrom Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-11964 - ZDI-CAN-6853 - iccSelectDeviceSeries Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-11965 - ZDI-CAN-6852 - deviceThresholdConfig Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-11966 - ZDI-CAN-6753 - operatorOnlineList_contentOnly Cleartext Storage of Sensitive Information Privilege Escalation Vulnerability
  • CVE-2019-11986 - ZDI-CAN-7007 - GWT perfSelItemServer getSelItemBean Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-11985 - ZDI-CAN-6906 - choosePerfView Expression Language Injection Remote Code Execution Vulnerability
  • CVE-2019-11967 - iDefense - ConfFileResource renameFile Input Validation Code Execution Vulnerability
  • CVE-2019-11968 - iDefense - ConfFileResource Input Validation Code Execution Vulnerability
  • CVE-2019-11969 - iDefense - ForwardRedirect Expression Language Injection Code Execution Vulnerability
  • CVE-2019-11970 - iDefense - ImcplatResServiceSkeleton SQL Injection Code Execution Vulnerability
  • CVE-2019-11971 - iDefense - isAccountBindingWithOperator SQL Injection Code Execution Vulnerability
  • CVE-2019-11972 - iDefense - OperatorMgrImpl SQL Injection Code Execution Vulnerability
  • CVE-2019-11973 - iDefense - queryDataBySQL SQL Injection Code Execution Vulnerability
  • CVE-2019-11974 - iDefense - queryIpAllocateInfoBySubnetIp SQL Injection Code Execution Vulnerability
  • CVE-2019-11975 - iDefense - queryOptionInfosByIp SQL Injection Code Execution Vulnerability
  • CVE-2019-11976 - iDefense - queryServerByIp SQL Injection Code Execution Vulnerability
  • CVE-2019-11977 - iDefense - readListBySql SQL Injection Code Execution Vulnerability
  • CVE-2019-11978 - iDefense - SmscCfgDaoImpl SQL Injection Code Execution Vulnerability
  • CVE-2019-11979 - iDefense - S-queryIpAllocateInfoByServerIp SQL Injection Code Execution Vulnerability
  • CVE-2019-11980 - iDefense - SSHParameterResource InputValidation Code Execution Vulnerability
  • CVE-2019-11984 - iDefense - updateEmailSuffix SQL Injection Code Execution Vulnerability

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HPE Intelligent Management Center (iMC) PLAT 7.3 E0506P09 and earlier
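The affected range is stated as a single upper bound, so an inventory check comes down to parsing the iMC PLAT build string and comparing it against "7.3 E0506P09". The following Python is an added example for this bulletin, not HPE tooling. It assumes, since the page does not document it, that iMC PLAT builds read "<major>.<minor> E<release>P<patch>" (optionally with the E/P part in parentheses, as the console shows it) and that later builds carry numerically larger release and patch numbers; the sample banners are constructed.

```python
"""Check an iMC PLAT build string against the affected range in this bulletin.

Added example, not HPE tooling. Assumed (not stated on the bulletin page):
iMC PLAT builds read "<major>.<minor> E<release>P<patch>", e.g. "7.3 E0506P09",
and later builds have numerically larger release and patch numbers.
"""
import re

# Upper bound of the affected range as published: "7.3 E0506P09 and earlier".
AFFECTED_THROUGH = "7.3 E0506P09"

# Accepts "7.3 E0506P09", "7.3 (E0506P09)" and a release without a patch level ("7.3 E0506").
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\s*\(?E(\d+)(?:P(\d+))?\)?", re.IGNORECASE)


def parse_imc_version(text: str) -> tuple:
    """Return (major, minor, release, patch) so builds compare as tuples."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised iMC PLAT version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_affected(version_text: str) -> bool:
    """True when the build falls inside the range the bulletin lists as impacted.
    The bulletin names no fixed build, so False only means the build is outside
    the published range, not that it is confirmed fixed."""
    return parse_imc_version(version_text) <= parse_imc_version(AFFECTED_THROUGH)


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts or real later builds.
    for host, banner in [("imc-a", "iMC PLAT 7.3 (E0506P09)"),
                         ("imc-b", "iMC PLAT 7.3 (E0506P10)")]:
        print(host, banner, "affected" if is_affected(banner) else "outside published range")
```

Because the resolution only points at "the latest software", treat a build outside the range as "not listed", and confirm the installed build against the HPE Support Center download rather than against this comparison alone.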

BACKGROUND

CVSS Version 3.0 and Version 2.0 Base Metrics

Reference | V3 Vector | V3 Base Score | V2 Vector | V2 Base Score
CVE-2018-7121 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | 10.0
CVE-2018-7122 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 5.3 | (AV:N/AC:L/Au:N/C:P/I:N/A:N) | 5.0
CVE-2018-7123 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 7.5 | (AV:N/AC:L/Au:N/C:N/I:N/A:C) | 7.8
CVE-2018-7124 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | 10.0
CVE-2018-7125 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L | 6.3 | (AV:N/AC:L/Au:N/C:P/I:P/A:P) | 7.5
CVE-2019-11941 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11942 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11943 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11944 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | 10.0
CVE-2019-11945 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | 10.0
CVE-2019-11946 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 6.5 | (AV:N/AC:L/Au:S/C:C/I:N/A:N) | 6.8
CVE-2019-11947 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11948 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11949 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11950 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11951 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11952 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11953 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11954 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11955 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11956 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11957 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 8.1 | (AV:N/AC:M/Au:N/C:C/I:C/A:C) | 9.3
CVE-2019-11958 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11959 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11960 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11961 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11962 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11963 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11964 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11965 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11966 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11967 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11968 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11969 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11970 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11971 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11972 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11973 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11974 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11975 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11976 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11977 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11978 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11979 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11980 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11984 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11985 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-11986 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5338 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5339 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5340 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5341 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5342 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5343 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5344 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5345 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5346 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5347 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | 10.0
CVE-2019-5348 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5349 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5350 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5351 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5352 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | 10.0
CVE-2019-5353 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5354 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5355 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N | 0.0 | (AV:L/AC:L/Au:N/C:C/I:C/A:C) | 7.2
CVE-2019-5356 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | 10.0
CVE-2019-5357 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5358 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | 10.0
CVE-2019-5359 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5360 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5361 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5362 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5363 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5364 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5365 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5366 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5367 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | 10.0
CVE-2019-5368 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5369 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5370 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5371 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5372 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5373 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5374 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5375 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5376 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5377 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5378 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5379 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5380 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5381 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5382 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5383 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5384 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5385 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5386 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5387 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N | 0.0 | (AV:L/AC:L/Au:N/C:C/I:C/A:C) | 7.2
CVE-2019-5388 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5389 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 9.0
CVE-2019-5390 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | 10.0
CVE-2019-5391 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | 10.0
CVE-2019-5392 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 5.3 | (AV:N/AC:L/Au:N/C:P/I:N/A:N) | 5.0
CVE-2019-5393 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 5.3 | (AV:N/AC:L/Au:N/C:P/I:N/A:N) | 5.0
Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002

Hewlett Packard Enterprise would like to thank Matthias Kaiser and Steven Seeley of Incite Team (Source Incite) working with Trend Micro's Zero Day Initiative and Chris Lyne and Jacob Baines of Tenable Inc. for reporting these issues to security-alert@hpe.com.

RESOLUTION

HPE has provided updates to HPE Intelligent Management Center (IMC) PLAT to address these vulnerabilities.

Please visit HPE Support Center to download the latest software for your product.

HISTORY
  • Version 1 (rev.1), 10 May 2019: Initial release, not published
  • Version 2 (rev.2), 16 May 2019: Revised initial release
  • Version 3 (rev.3), 29 May 2019: Added CVEs for ZDI-CAN-7007 and ZDI-CAN-6906

Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com.

Report: To report a potential security vulnerability for any HPE supported product:

Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive

Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX

©Copyright 2019 Hewlett Packard Enterprise Development LP
Hewlett Packard Enterprise Development shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HPE nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise Development and the names of Hewlett Packard Enterprise Development products referenced herein are trademarks of Hewlett Packard Enterprise Development in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

Legal Disclaimer: Products sold prior to the November 1, 2015 separation of Hewlett-Packard Company into Hewlett Packard Enterprise Company and HP Inc. may have older product names and model numbers that differ from current models.

Document ID: emr_na-hpesbhf03930en_us-2