SynopsisThe remote HP Integrated Lights-Out (iLO) server's web interface is affected by a remote code execution vulnerability.
DescriptionA remote command execution vulnerability exists in HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers prior to v1.35, HPE Integrated Lights-Out 4 (iLO 4) prior to v2.61, HPE Integrated Lights-Out 3 (iLO 3) prior to v1.90 could be remotely exploited to execute arbitrary code leading to disclosure of information. An authenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands.
SolutionUpgrade firmware of For iLO 3, upgrade firmware to 1.90 or later. For iLO 4, upgrade firmware to 2.61 or later. For iLO 5, upgrade firmware to 1.35 or later.
Alternatively, apply the workarounds outlined in the vendor advisory.