...
Document Subtype: Security Bulletin
Document ID: hpesbns04334en_us
Last Updated: 2023-10-25
Release Date: 2022-07-18
Document Version: 4
Potential Security Impact: Remote: Denial of Service (DoS)
Source: Hewlett Packard Enterprise, HPE Product Security Response Team

VULNERABILITY SUMMARY

This document describes the impact of the OpenSSL vulnerability CVE-2022-0778 on HPE products for the NonStop platform. The information is provided according to our analysis so far. We plan to continue our research and update this information if we come across more products that are vulnerable or learn more about the potential impact of this vulnerability. For the impact on products you licensed from Independent Software Vendors (ISVs), please contact the vendor for information.

CVE-2022-0778 is a vulnerability in OpenSSL, a popular toolkit for general-purpose cryptography and secure communication. With this vulnerability, a remote attacker could launch a Denial-of-Service (DoS) attack on applications using OpenSSL. The vulnerability stems from a bug in the BN_mod_sqrt() function, which computes a modular square root. The bug can cause the function to loop forever when the modulus is not prime.

The vulnerable situations include:
- TLS clients consuming server certificates
- TLS servers consuming client certificates
- Hosting providers taking certificates or private keys from customers
- Certificate authorities parsing certification requests from subscribers
- Anything else which parses ASN.1 elliptic curve parameters

This issue affects OpenSSL versions 1.0.2, 1.1.0, 1.1.1 and 3.0.
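To make the BN_mod_sqrt() behaviour described above concrete, here is an added illustration (not OpenSSL's code and not part of this bulletin): a Tonelli-Shanks modular square root, the algorithm behind BN_mod_sqrt(), written so that every loop has a bound derived from the modulus and the result is verified, so a composite modulus raises an error instead of looping. The function name mod_sqrt and the NotASquare exception are this example's own.

```python
# Added illustration (not OpenSSL's code): a Tonelli-Shanks modular square
# root, the algorithm behind BN_mod_sqrt(), written so that every loop has a
# bound derived from the modulus. With a composite modulus an unbounded
# search can spin forever (the failure mode of CVE-2022-0778); this form
# raises NotASquare instead. Names mod_sqrt and NotASquare are this example's own.


class NotASquare(ValueError):
    """No square root found: a is a non-residue or p is not an odd prime."""


def mod_sqrt(a: int, p: int) -> int:
    """Return x with x*x == a (mod p) for an odd prime p, else raise."""
    if p < 3 or p % 2 == 0:
        raise NotASquare("modulus must be an odd integer >= 3")
    a %= p
    if a == 0:
        return 0
    # Euler's criterion; exact for a prime p, a cheap filter otherwise.
    if pow(a, (p - 1) // 2, p) != 1:
        raise NotASquare("not a quadratic residue (or p is composite)")
    # Write p - 1 = q * 2**e with q odd.
    q, e = p - 1, 0
    while q % 2 == 0:
        q, e = q // 2, e + 1
    # Find a quadratic non-residue y: bounded search over 2 .. p-1.
    y = 2
    while y < p and pow(y, (p - 1) // 2, p) != p - 1:
        y += 1
    if y == p:
        raise NotASquare("no non-residue found: p is composite")
    c = pow(y, q, p)              # generator of the 2-part of the group
    x = pow(a, (q + 1) // 2, p)   # candidate root
    b = pow(a, q, p)              # invariant: x*x == a*b (mod p)
    m = e
    while b != 1:
        # Least i with b**(2**i) == 1; for a prime p it satisfies 0 < i < m.
        i, t = 0, b
        while t != 1 and i < m:
            t, i = t * t % p, i + 1
        if i >= m:
            # Without the i < m bound this loop could square forever on a
            # composite p, because t need never reach 1.
            raise NotASquare("loop bound hit: p is composite")
        c2 = pow(c, 1 << (m - i - 1), p)
        x, c = x * c2 % p, c2 * c2 % p
        b = b * c % p
        m = i                     # strictly decreases: at most e rounds
    if x * x % p != a:
        raise NotASquare("verification failed: p is composite")
    return x
```

For any input the function either returns a verified root or raises; the final check matters because a composite modulus can pass every intermediate step and still yield a wrong value.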
For more information, see the National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2022-0778

The table below summarizes the impact of the vulnerability:

Product# | Version | Affected SPRs | Affected RVUs | Likelihood
T2813 | L02 | T2813L02 - T2813L02^AAR | L20.05.00 - L21.11.02 | Likely
T0682 | L02 | T0682L02^ADM - T0682L02^BBG | L15.02.00 - L21.11.02 | Somewhat Likely
T0682 | H02 | T0682H02^ADT - T0682H02^AET | J06.03.00 - J06.23.01 | Somewhat Likely
T1144 | L02 | T1144L24 - T1144L24^AAE | L20.05.00 - L21.11.02 | Most Likely
T7969 | L38 | T7969L38 | L21.11.01 - L21.11.02 | Certain
T7969 | L37 | T7969L37 - T7969L37^AOQ | L19.08.00 - L21.06.02 | Certain
T7969 | L36 | T7969L36 - T7969L36^AOL | L18.02.00 - L19.08.00 | Certain
T7969 | H34 | T7969H34 - T7969H34^AOO | J06.21.00 - J06.23.01 | Certain
T7970 | L38 | T7970L38 | L21.11.01 - L21.11.02 | Certain
T7970 | L37 | T7970L37 - T7970L37^AOQ | L19.08.00 - L21.06.02 | Certain
T7970 | L36 | T7970L36 - T7970L36^AOL | L18.02.00 - L19.08.00 | Certain
T7970 | H34 | T7970H34 - T7970H34^AOO | J06.21.00 - J06.23.01 | Certain
T1056 | L38 | T1056L38 | L21.11.01 - L21.11.02 | Certain
T1056 | L37 | T1056L37^ATP - T1056L37^ATU | L19.08.00 - L21.06.02 | Certain
T0607 | L38 | T0607L38 | L21.11.01 - L21.11.02 | Certain
T0607 | L37 | T0607L37^ATP - T0607L37^ATU | L19.08.00 - L21.06.02 | Certain
T0610 | L38 | T0610L38 | L21.11.01 - L21.11.02 | Certain
T0610 | L37 | T0610L37^ATP - T0610L37^ATU | L19.08.00 - L21.06.02 | Certain
T0910 | L02 | T0910L02^AAW - T0910L02^ABN | L15.02.00 - L21.11.02 | Certain
T0910 | H01 | T0910H01^AAV - T0910H01^ABL | J06.03.00 - J06.23.01; H06.03.00 - H06.29.01 | Certain
T1325 | L01 | T1325L01 - T1325L01^ABJ | L15.02.00 - L21.11.02 | Likely, if XUA refers to a compromised LDAP server
T1325 | H01 | T1325H01 - T1325H01^ABK | J06.16.00 - J06.23.01; H06.27.00 - H06.29.01 | Likely, if XUA refers to a compromised LDAP server
T0993 | L01 | T0993L01^AAA - T0993L01^AAD | L18.02.00 - L21.11.02 | Certain
T1383 | L01 | T1383L01 - T1383L01^AAA | L15.02.00 - L21.11.02 | Likely, if XIC refers to a compromised CyberArk or Sailpoint server
T1383 | J06 | T1383J06 - T1383J06^AAB | J06.11.00 - J06.23.01 | Likely, if XIC refers to a compromised CyberArk or Sailpoint server
T0992 | L01 | T0992L01 - T0992L01^ABD | L15.02.00 - L21.11.02 | Certain
T0992 | J01 | T0992J01^ABA | J06.19.00 - J06.23.01 | Certain
T0954 | V04 | T0954V04 - T0954V04^AAQ | See NOTE-1 | Likely
T1137 | V01 | T1137V01 - T1137V01^AAA | See NOTE-2 | Likely
T1153 | L01 | T1153L01 | L21.11.01 - L21.11.02 | Likely
T1153 | J01 | T1153J01 | J06.23.00 - J06.23.01 | Likely
T1154 | L01 | T1154L01 | L21.11.01 - L21.11.02 | Likely
T1154 | J01 | T1154J01 | J06.23.00 - J06.23.01 | Likely
T0853 | L03 | T0853L03 - T0853L03^DCI | L16.05.00 - L22.09.01 | Somewhat Likely
T0853 | J03 | T0853J03 - T0853J03^CEC | J06.20.00 - J06.23.01 | Somewhat Likely

References:
- CVE-2022-0778
- HS03495 - NonStop Hotstuff document

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

SSL TOOLKIT T2813 - See Vulnerability Summary section
OSM Service Connection Suite T0682 - See Vulnerability Summary section
NONSTOP HTTP WEBSERVER T1144 - See Vulnerability Summary section
ODBC/MX Services T7969 - See Vulnerability Summary section
ODBC/MX Server T7970 - See Vulnerability Summary section
ANSI SQLUTIL T1056 - See Vulnerability Summary section
NT HOSTED SQL/MX Preprocessor for Cobol T0610 - See Vulnerability Summary section
NATIVE C/C++ PREPROCESSOR NT T0607 - See Vulnerability Summary section
NonStop SSL T0910 - See Vulnerability Summary section
XYGATE Identity Connector T1383 - See Vulnerability Summary section
Python 2 T0992 - See Vulnerability Summary section
HPE BackBox Software T0954 - See Vulnerability Summary section
HPE NonStop QRSTR software T1137 - See Vulnerability Summary section
HPE NONSTOP LIGHTWAVE CLIENT T1153 - See Vulnerability Summary section
HPE NONSTOP LIGHTWAVE SERVER T1154 - See Vulnerability Summary section
CLIM DVD Installation Software T0853 - See Vulnerability Summary section
XYGATE User Authentication T1325 - See Vulnerability Summary section
Python 3 T0993 - See Vulnerability Summary section

BACKGROUND

HPE calculates CVSS using CVSS Version 3.1. If the score is provided by NIST, we will display Version 2.0, 3.0, or 3.1 as provided by NVD.
Reference | V3 Vector | V3 Base Score | V2 Vector | V2 Base Score
CVE-2022-0778 | (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) | 7.5 | (AV:N/AC:L/Au:N/C:N/I:N/A:P) | 5

Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002

RESOLUTION

Product # | Version | Fix SPR(s), Usable with RVUs | Availability | Installation Impact
T2813 | L02 | T2813L02^AAU; L20.05.00 - L21.11.02 | Available | Minimal system impact
T0682 | L02 | T0682L02^BBJ; L19.03.00 - L21.11.02 | Available | Minimal system impact
T0682 | H02 | T0682H02^AEV; J06.08.00 - J06.23.01 | Available | Minimal system impact
T1144 | L02 | T2813L02^AAU; L20.05.00 - L21.11.02 | Available | Minimal system impact
T7969 | L38 | T7969L38^AOV; L21.11.01 - L21.11.02 | Available | Minimal system impact
T7969 | L37 | T7969L37^AOX; L19.08.00 - L21.06.02 | Available | Minimal system impact
T7969 | H34 | T7969H34^AOW; J06.21.00 - J06.23.01 | Available | Minimal system impact
T7970 | L38 | T7970L38^AOV; L21.11.01 - L21.11.02 | Available | Minimal system impact
T7970 | L37 | T7970L37^AOX; L19.08.00 - L21.06.02 | Available | Minimal system impact
T7970 | H34 | T7970H34^AOW; J06.21.00 - J06.23.01 | Available | Minimal system impact
T1056 | L38 | T1056L38^AUC; L21.11.01 - L21.11.02 | Available | Minimal system impact
T1056 | L37 | T1056L37^AUD; L20.10.00 - L21.06.02 | Available | Minimal system impact
T0607 | L38 | T0607L38^AUC; L21.11.01 - L21.11.02 | Available | Minimal system impact
T0607 | L37 | T0607L37^AUD; L20.10.00 - L21.06.02 | Available | Minimal system impact
T0610 | L38 | T0610L38^AUC; L21.11.01 - L21.11.02 | Available | Minimal system impact
T0610 | L37 | T0610L37^AUD; L20.10.00 - L21.06.02 | Available | Minimal system impact
T0910 | L02 | T0910L02^ABP; L16.05.00 - L21.11.02 | Available | Subsystem interruption required
T0910 | H01 | T0910H01^ABO; J06.07.00 - J06.23.01; H06.15.00 - H06.29.01 | Available | Subsystem interruption required
T1383 | L01 | T1383L01^AAC; L15.02.00 - L22.09.00 | Available | Minimal system impact
T1383 | J06 | T1383J06^AAD; J06.11.00 - J06.23.01 | Available | Minimal system impact
T0992 | L01 | In Limited Support; no plan to release the fix | - | -
T0992 | J01 | In Limited Support; no plan to release the fix | - | -
T0954 | V04 | T0954V04^AAR; All server models listed in NOTE-1 | Available | Minimal system impact
T1137 | V01 | T1137V01^AAB; All server models listed in NOTE-2 | Available | Minimal system impact
T1153 | L01 | T1153L01^AAA; L15.08.00 onwards | Available | Subsystem interruption required
T1153 | J01 | T1153J01^AAB; J06.03.00 onwards | Available | Subsystem interruption required
T1154 | L01 | T1154L01^AAA; L15.08.00 onwards | Available | Subsystem interruption required
T1154 | J01 | T1154J01^AAB; J06.03.00 onwards | Available | Subsystem interruption required
T0853 | L03 | T0853L03^DCL; L20.05.00 onwards | Available | Minimal system impact
T0853 | J03 | T0853J03^CEE; J06.23 onwards | Dec'23 | Minimal system impact
T1325 | L01 | T1325L01^ABR; L15.02.00 onwards | Available | Minimal system impact
T1325 | H01 | T1325H01^ABQ; J06.11.00 onwards | Available | Minimal system impact
T0993 | L01 | T0993L01^AAF; L22.09.00 onwards | Available | Minimal system impact

NOTE-1: The table of affected products below shows the base HPE server models that are used in various BackBox VTC product versions running SPR T0954V04^AAQ and under.

Base HPE Server Model | BackBox VTC Product Versions
DL360 Gen9 | BBHWE-02
DL380 Gen9 | BBHWH-02
DL380 Gen10 | BBHWE-03
DL380 Gen10 | BBHWE-04

NOTE-2: The table of affected products below shows the base HPE server models that are used in various BackBox VTC product versions running SPR T1137V01^AAA and under.

Base HPE Server Model | BackBox VTC Product Versions
DL380 Gen10 | BBHWE-04

NOTE-3: The affected RVUs list includes every RVU on which one of the affected SPRs is either present or usable.

NOTE-4: T1144 uses OpenSSL as a DLL via the T2813 SPR present on the server. Therefore, the fix is delivered in the T2813 SPR.

Please refer to the appropriate softdocs for detailed SPR information, including installation instructions, superseded SPRs, and requisite SPR lists. In some cases, requisite SPRs might have greater installation impact than the SPRs described in this document. This document will be updated when additional information on fix SPRs and release plans becomes available.
HISTORY

Version:1 (rev.1) - 18 July 2022 Initial release
Version:2 (rev.2) - 13 January 2023 Revised to incorporate SPRs released since the last publication of this document.
Version:3 (rev.3) - 30 March 2023 Revised to update T0853, T1137 and T1154 details.
Version:4 (rev.4) - 24 October 2023 Revised to update T0993, T0853 and T1325 fix details.

Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact the normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com.

Report: To report a potential security vulnerability for any HPE supported product:
Web Form: https://www.hpe.com/info/report-security-vulnerability
Email: security-alert@hpe.com

Hewlett Packard Enterprise Product Security Response Policy: https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00100637en_us

Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive

System management and security procedures must be reviewed frequently to maintain system integrity. HPE is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

"HPE is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HPE products the important security information contained in this Bulletin. HPE recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HPE does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HPE will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HPE disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."

©Copyright 2025 Hewlett Packard Enterprise Development LP

Hewlett Packard Enterprise Development shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HPE nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise Development and the names of Hewlett Packard Enterprise Development products referenced herein are trademarks of Hewlett Packard Enterprise Development in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.