Document Subtype: Security Bulletin
Document ID: hpesbhf04149en_us
Last Updated: 2021-05-21
Release Date: 2021-05-20
Document Version: 1
Potential Security Impact: Local: Buffer Overflow; Remote: Cross-Site Scripting (XSS), Carriage Return Line Feed (CRLF) Injection
Source: Hewlett Packard Enterprise, HPE Product Security Response Team

VULNERABILITY SUMMARY

Multiple potential security vulnerabilities have been identified in HPE Integrated Lights-Out 5 (iLO 5), which is used by HPE StoreOnce systems. The vulnerabilities are XSS, CR-LF injection, DOM XSS and several buffer overflows. The XSS, CR-LF injection and DOM XSS vulnerabilities are against authenticated privileged users of the iLO web interface. The iLO buffer overflow vulnerabilities can be exploited by a privileged user on the host OS to execute code on the iLO as a privileged user. HPE has released iLO 5 firmware version 2.44 to mitigate these vulnerabilities. For more information, refer to https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=emr_na-hpesbhf04133en_us

References:
CVE-2021-29201 - XSS
CVE-2021-29205 - XSS
CVE-2021-29204 - XSS
CVE-2021-29206 - XSS
CVE-2021-29207 - XSS
CVE-2021-29211 - XSS
CVE-2021-29202 - local buffer overflow
CVE-2021-29208 - DOM XSS, CRLF injection
CVE-2021-29209 - DOM XSS, CRLF injection
CVE-2021-29210 - DOM XSS, CRLF injection

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HPE StoreOnce 5650 - Prior to 4.3.0
HPE StoreOnce 5200 - Prior to 4.3.0
HPE StoreOnce 3640 - Prior to 4.3.0
HPE StoreOnce 5250 - Prior to 4.3.0
HPE StoreOnce 3620 - Prior to 4.3.0

BACKGROUND

HPE calculates CVSS using CVSS Version 3.1. If the score is provided from NIST, we will display Version 2.0, 3.0, or 3.1 as provided from NVD.
Reference       V3 Vector                                      V3 Base Score  V2 Vector                       V2 Base Score
CVE-2021-29201  CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L   3.1            (AV:N/AC:H/Au:M/C:N/I:P/A:P)    3.2
CVE-2021-29202  CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L   6.4            (AV:L/AC:H/Au:M/C:C/I:C/A:C)    5.9
CVE-2021-29204  CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L   3.1            (AV:N/AC:H/Au:M/C:N/I:P/A:P)    3.2
CVE-2021-29205  CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L   3.1            (AV:N/AC:H/Au:M/C:N/I:P/A:P)    3.2
CVE-2021-29206  CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L   3.1            (AV:N/AC:H/Au:M/C:N/I:P/A:P)    3.2
CVE-2021-29207  CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L   3.1            (AV:N/AC:H/Au:M/C:N/I:P/A:P)    3.2
CVE-2021-29208  CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H   7.6            (AV:N/AC:H/Au:S/C:C/I:C/A:C)    7.1
CVE-2021-29209  CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H   7.6            (AV:N/AC:H/Au:S/C:C/I:C/A:C)    7.1
CVE-2021-29210  CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H   7.6            (AV:N/AC:H/Au:S/C:C/I:C/A:C)    7.1
CVE-2021-29211  CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L   3.1            (AV:N/AC:H/Au:M/C:N/I:P/A:P)    3.2

Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002

Hewlett Packard Enterprise acknowledges Fabien Perigaud of Synacktiv and Alexandre Gazet of Airbus Security Team for reporting CVE-2021-29202 to security-alert@hpe.com.
Hewlett Packard Enterprise acknowledges Tomasz Holeksa for reporting CVE-2021-29201, CVE-2021-29204, CVE-2021-29205, CVE-2021-29206, CVE-2021-29207 to security-alert@hpe.com.
Hewlett Packard Enterprise acknowledges Kajetan Rostojek for reporting CVE-2021-29208, CVE-2021-29209, CVE-2021-29210 to security-alert@hpe.com.

RESOLUTION

The HPE StoreOnce 4.3.0 release, expected in the second half of 2021, contains iLO 5 firmware version 2.44 or later.

Workaround

Until the HPE StoreOnce 4.3.0 release is available, follow the steps below to upgrade the iLO firmware on HPE StoreOnce systems to iLO 5 firmware version 2.44.
NOTE: The HPE StoreOnce system must be running software version 4.2.3 or later before upgrading the iLO 5 firmware to version 2.44.

NOTE: After upgrading to iLO 5 firmware version 2.44, alerts will be generated in the HPE StoreOnce GUI, at regular intervals, requesting a downgrade of the iLO firmware. This is because the HPE StoreOnce Firmware Management Tool expects an iLO firmware version earlier than 2.44. If a firmware downgrade is performed, the firmware will be rolled back to a version that is vulnerable to the CVEs listed in this bulletin. These alerts should be ignored.

1. Download the iLO 5 Online ROM Flash Firmware Package.
2. Extract the contents of the downloaded file ilo5_244.fwpkg. A file named ilo5_244.bin should be one of the extracted files.
3. Launch the iLO Web GUI and navigate to the Firmware & OS Software page.
4. Click on the Update Firmware link.
5. Select Local file as the file location.
6. Click Browse, navigate to the location of the ilo5_244.bin file on your device, then click Open.
7. Click on the Flash button.
8. When the Flash Firmware warning appears, click OK.

HISTORY

Version:1 (rev.1) - 20 May 2021 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact the normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com.
Report: To report a potential security vulnerability for any HPE supported product:
Web Form: https://www.hpe.com/info/report-security-vulnerability
Email: security-alert@hpe.com

Hewlett Packard Enterprise Product Security Response Policy: https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00100637en_us

Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive

System management and security procedures must be reviewed frequently to maintain system integrity. HPE is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

"HPE is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HPE products the important security information contained in this Bulletin. HPE recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HPE does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HPE will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HPE disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."

©Copyright 2025 Hewlett Packard Enterprise Development LP

Hewlett Packard Enterprise Development shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind.
To the extent permitted by law, neither HPE nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise Development and the names of Hewlett Packard Enterprise Development products referenced herein are trademarks of Hewlett Packard Enterprise Development in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.