...
Document Version   Release Date        Details
2                  March 15, 2023      Updated the Resolution with the permanent fix for the security issue, OV4VC 11.3.
1                  February 17, 2023   Original Document Release.

There exists a potential HPE OneView for VMware vCenter (OV4VC) security vulnerability that may disclose the HPE OneView Username and Password used in the OV4VC plugin "Add OneView Credentials" process. For more information about this vulnerability, refer to the Security Bulletin.
This potential vulnerability may affect the HPE OneView for VMware vCenter (OV4VC) versions 9.6, 10.0, 10.1, 10.2, 10.3, 10.4, 11.0, 11.1 and 11.2.

Note: For information on other OneView Partner Integration releases, refer to Customer Notice a00118707.
This security vulnerability has been fixed in HPE OneView for VMware vCenter (OV4VC) 11.3.

For HPE OneView for VMware vCenter (OV4VC) versions 9.6, 10.0 and 10.1, HPE strongly recommends updating to OV4VC 11.3 or later. The OV4VC 9.6, 10.0, and 10.1 downloads have been removed from the HPE download sites and security patches are available.

HPE has made available security patches for 10.2, 10.3, 10.4, 11.0, 11.1 and 11.2. Please refer to the respective Release Notes which contain the installation steps and the patch file from My HPE Software Center. Additionally, any updates to OV4VC will require a corresponding patch to be applied.

Note: In all versions, change the "HPE OneView Account" password in both HPE OneView and in OV4VC’s plugin "HPE OneView Credentials".

To verify the OV4VC Plugin Version loaded:

1. Enter https://<IPv4 HPE OneView for VMware vCenter>:3512/rest/service
2. Match the version and patch that need to be applied only if the site shows "OV4VC service is up and running" from the HPE OneView Partner Integrations and download from Software Center Downloads.

Use the information below after the REST call:

OneView for VMware vCenter
11.2.0.9     11.2.0.9a Patch     OV4VC service is up and running
11.1.0.22    11.1.0.22a Patch    OV4VC service is up and running
11.0.0.14    11.0.0.14a Patch    OV4VC service is up and running
10.4.0.10    10.4.0.10a Patch    OV4VC service is up and running
10.3.0.16    10.3.0.16a Patch    OV4VC service is up and running
10.2.0.21    10.2.0.21a Patch    OV4VC service is up and running

Note: When performing a Log Collection for an OV4VC that has not had a patch applied, perform the following steps to remove credentials:

1. Extract the zip file contents.
2. In the proactiveha.log, replace all references to HPE OneView username's password.
3. Zip up the files.
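The log-collection cleanup steps above can be scripted. The following is an added example, not HPE's code: it rewrites the zip with the password redacted in proactiveha.log and lists any other files that still contain it. The placeholder text, the URL-encoded and JSON-escaped variants it searches for, and the sample archive are assumptions, since the page does not describe the log's format.

```python
import io
import json
import zipfile
from urllib.parse import quote

LOG_NAME = "proactiveha.log"   # log file named in the advisory
PLACEHOLDER = b"<REDACTED>"    # assumed marker, not an HPE convention


def _variants(password):
    """Literal, URL-encoded and JSON-escaped forms (assumed encodings)."""
    forms = {password, quote(password, safe=""), json.dumps(password)[1:-1]}
    # Longest first so an encoded form is never half-replaced by a shorter one.
    return sorted((f.encode("utf-8") for f in forms), key=len, reverse=True)


def scrub_log_collection(src, dst, password):
    """Copy zip src to dst, redacting the password in proactiveha.log.

    src and dst are paths or binary file objects. Returns (replacements,
    leftovers); leftovers are other members that still contain the password.
    """
    if not password:
        raise ValueError("password must be non-empty")
    needles, replaced, leftovers = _variants(password), 0, []
    with zipfile.ZipFile(src) as zin, \
            zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            data = zin.read(info)
            if info.filename.rsplit("/", 1)[-1] == LOG_NAME:
                for needle in needles:
                    replaced += data.count(needle)
                    data = data.replace(needle, PLACEHOLDER)
            elif any(n in data for n in needles):
                leftovers.append(info.filename)
            zout.writestr(info, data)
    return replaced, leftovers


def build_sample_zip(password):
    """Constructed log collection for demonstration; not real OV4VC output."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("logs/proactiveha.log",
                   f"INFO add credentials user=Administrator password={password}\n"
                   f"DEBUG POST /login?pw={quote(password, safe='')}\n")
        z.writestr("logs/server.log", f"DEBUG retry with password={password}\n")
        z.writestr("logs/plugin.log", "INFO plugin started\n")
    return buf
```

Any file returned in the leftovers list needs manual review before the archive is shared, and the password should still be changed as the advisory's note instructs.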