...
Document Subtype: Security Bulletin
Document ID: hpesbns04457en_us
Last Updated: 2023-07-24
Release Date: 2023-03-14
Document Version: 5
Potential Security Impact: Local: Denial of Service (DoS), memory corruption; Remote: Denial of Service (DoS), Gain Unauthorized Access, memory corruption
Source: Hewlett Packard Enterprise, HPE Product Security Response Team

VULNERABILITY SUMMARY

This document describes the impact of the OpenSSL vulnerabilities listed below on HPE products for the NonStop platform.

CVE-2023-0286, CVE-2022-4304, CVE-2022-4203, CVE-2023-0215, CVE-2022-4450, CVE-2023-0216, CVE-2023-0217, CVE-2023-0401

The table below summarizes the impact of the vulnerabilities on different HPE products.

Serial #  Product #  Likelihood       CVE
--------  ---------  ---------------  ----------------------------------------------------------
01        T0607      Certain          CVE-2022-4304
02        T0610      Certain          CVE-2022-4304
03        T0682      Somewhat Likely  CVE-2022-4450, CVE-2022-4304
04        T0865      Likely           CVE-2023-0286, CVE-2022-4304, CVE-2023-0215, CVE-2022-4450
05        T0853      Somewhat Likely  CVE-2023-0286, CVE-2022-4304, CVE-2023-0215, CVE-2022-4450
06        T0910      Certain          CVE-2022-4450, CVE-2022-4304
07        T0954      Likely           CVE-2023-0286, CVE-2022-4304, CVE-2023-0215, CVE-2022-4450
08        T0993      Likely           CVE-2023-0286, CVE-2022-4304, CVE-2023-0215, CVE-2022-4450
09        T1056      Certain          CVE-2022-4304
10        T1137      Likely           CVE-2023-0286, CVE-2022-4304, CVE-2023-0215
11        T1144      Likely           CVE-2023-0286, CVE-2022-4304, CVE-2023-0215, CVE-2022-4450
12        T1153      Somewhat Likely  CVE-2022-4304, CVE-2022-4450
13        T1154      Somewhat Likely  CVE-2022-4304, CVE-2022-4450
14        T1325      Likely           CVE-2022-4304
15        T2813      Likely           CVE-2023-0286, CVE-2022-4304, CVE-2023-0215, CVE-2022-4450
16        T7969      Certain          CVE-2022-4304, CVE-2022-4450
17        T7970      Certain          CVE-2022-4304, CVE-2022-4450

References:
  CVE-2023-0286
  CVE-2022-4304
  CVE-2023-0215
  CVE-2022-4450
  CVE-2023-0216
  CVE-2023-0217
  CVE-2023-0401
  CVE-2022-4203
  HS03507B - HPE Nonstop Hotstuff

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
  NonStop SSL T0910 - T0910L02^AAW onwards, T0910H01^AAV Onwards
  ODBC/MX Server T7970 - T7970L38^AOV, T7970L37 to T7970L37^AOQ, T7970H34 to T7970H34^AOO
  ODBC/MX Services T7969 - T7969L38^AOV, T7969L37 to T7969L37^AOQ, T7969H34 to T7969H34^AOO
  SSL TOOLKIT T2813 - T2813L02 to T2813L02^AAV
  XYGATE User Authentication T1325 - T1325L01^ABB Onwards, T1325H01^ABC Onwards
  NONSTOP HTTP WEBSERVER T1144 - T1144L24 to T1144L24^AAF
  ANSI SQLUTIL T1056 - T1056L38, T1056L38^AUB, T1056L38^AUC, T1056L37^ATP, T1056L37^ATU, T1056L37^AUD, T1056L37^AUE
  Python 3 T0993 - T0993L01^AAE
  HPE BackBox Software T0954 - T0954V04 to T0954V04^AAT
  CLIM DVD Installation Software T0853 - T0853L03 - T0853L03^DCO, T0853J03 - T0853J03^CEC
  NonStop SOAP 4.0 T0865 - T0865L01 onwards
  OSM Service Connection Suite T0682 - T0682L02^ADM - T0682L02^BBK
  NT HOSTED SQL/MX Preprocessor for Cobol T0610 - T0610L38, T0610L38^AUB, T0610L38^AUC, T0610L37^ATP, T0610L37^ATU, T0610L37^AUD, T0610L37^AUE
  NATIVE C/C++ PREPROCESSOR NT T0607 - T0607L38, T0607L38^AUB, T0607L38^AUC, T0607L37^ATP, T0607L37^ATU, T0607L37^AUD, T0607L37^AUE
  HPE NonStop QRSTR software T1137 - T1137V01 to T1137V01^AAB
  HPE NONSTOP LIGHTWAVE CLIENT T1153 - T1154L01 to T1154L01^AAE, T1154J01 to T1154J01^AAF
  HPE NONSTOP LIGHTWAVE SERVER T1154 - T1154L01 to T1154L01^AAE, T1154J01 to T1154J01^AAF

BACKGROUND

HPE calculates CVSS using CVSS Version 3.1. If the score is provided from NIST, we will display Version 2.0, 3.0, or 3.1 as provided from NVD.
Reference       V3 Vector                                     V3 Base Score  V2 Vector                     V2 Base Score
--------------  --------------------------------------------  -------------  ----------------------------  -------------
CVE-2022-4203   CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H  4.9            (AV:N/AC:L/Au:M/C:N/I:N/A:C)  6.1
CVE-2022-4304   CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N  5.9            (AV:N/AC:H/Au:N/C:C/I:N/A:N)  5.4
CVE-2022-4450   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  7.5            (AV:N/AC:L/Au:N/C:N/I:N/A:C)  7.8
CVE-2023-0215   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  7.5            (AV:N/AC:L/Au:N/C:N/I:N/A:C)  7.8
CVE-2023-0216   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  7.5            (AV:N/AC:L/Au:N/C:N/I:N/A:C)  7.8
CVE-2023-0217   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  7.5            (AV:N/AC:L/Au:N/C:N/I:N/A:C)  7.8
CVE-2023-0286   CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H  7.4            (AV:N/AC:H/Au:N/C:C/I:N/A:C)  7.1
CVE-2023-0401   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  7.5            (AV:N/AC:L/Au:N/C:N/I:N/A:C)  7.8

Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002

RESOLUTION

The table below summarizes the fix details:

Product #  Version  Fix SPR(s), Usable with RVUs                      Availability    Installation Impact
---------  -------  ------------------------------------------------  --------------  ------------------------------
T0607      L38      T0607L38^AUG L22.09.01 Onwards                    Oct'23          Minimal system impact
           L37      T0607L37^AUJ L19.08 Onwards                       Available       Minimal system impact
T0610      L38      T0610L38^AUG L22.09.01 Onwards                    Oct'23          Minimal system impact
           L37      T0610L37^AUJ L19.08 Onwards                       Available       Minimal system impact
T0682      L02      T0682L02^BBN L19.03.00 Onwards                    Oct'23
           H02      TBD TBD                                           End Oct'23
T0865      L01      T2813L02^AAX; L20.05.00 - L22.09.01; See Note-3   Available       Minimal system impact
T0853      L03      T0853L03^DCS L20.10.00 Onwards                    Oct'23
           J03      TBD TBD                                           Date by Aug'23
T0910      L02      T0910L02^ABT L16.05 onwards                       Available
           H01      T0910H01^ABS J06.11.00 - J06.23.01                Available
T0954      V04      T0954V04^AAU; All server models listed in NOTE-1  Available       Minimal system impact
T0993      L01      T0993L01^AAF L20.05 Onwards                       End of July'23
T1056      L38      T1056L38^AUG L22.09.01 Onwards                    Oct'23          Minimal system impact
           L37      T1056L37^AUJ L19.08 Onwards                       Available       Minimal system impact
T1137      V01      T1137V01^AAC; All server models listed in NOTE-2  TBD             Minimal system impact
T1144      L02      T2813L02^AAX; L20.05.00 - L22.09.01               Available       Minimal system impact
T1153      L01      T1153L01^AAG; L15.08.00 onwards                   Available       Subsystem interruption required
           J01      T1153J01^AAH; J06.03.00 - onwards                 Available       Subsystem interruption required
T1154      L01      T1154L01^AAG; L15.08.00 onwards                   Available       Subsystem interruption required
           J01      T1154J01^AAH; J06.03.00 - onwards                 Available       Subsystem interruption required
T1325      L01      T1325L01^ABN L15.02 Onwards                       End July'23
           H01      TBD TBD                                           Sep'23
T2813      L02      T2813L02^AAX; L20.05.00 - L22.09.01               Available       Minimal system impact
T7969      L38      T7969L38^APA; L21.11.01 Onwards                   Oct'23          Minimal system impact
           L37      T7969L37^APB L19.08 Onwards                       Available       Minimal system impact
           H34      TBD TBD                                           Sep'23
T7970      L38      T7970L38^APA; L21.11.01 Onwards                   Oct'23          Minimal system impact
           L37      T7970L37^APB L19.08 Onwards                       Available       Minimal system impact
           H34      TBD TBD                                           Sep'23

NOTE-1: The table of affected products below shows the base HPE server models that are used in various BackBox VTC product versions running SPR T0954V04^AAT and under.

Base HPE Server Model  BackBox VTC Product Versions
---------------------  ----------------------------
DL360 Gen9             BBHWE-02
DL380 Gen9             BBHWH-02
DL380 Gen10            BBHWE-03
DL380 Gen10            BBHWE-04

NOTE-2: The table of affected products below shows the base HPE server models that are used in various BackBox VTC product versions running SPR T1137V01^AAB and under.

Base HPE Server Model  BackBox VTC Product Versions
---------------------  ----------------------------
DL380 Gen10            BBHWE-04

NOTE-3: T1144 and T0865 use OpenSSL as a DLL via T2813 SPR present on the server. Therefore, the fix is available in T2813 SPR.

HISTORY

Version:1 (rev.1) - 16 March 2023 Initial release
Version:2 (rev.2) - 13 June 2023 Version:3(rev.3)-Revised to update the list of impacted CVEs for vulnerable products
Version:3 (rev.3) - 14 June 2023 Revised to update the list of impacted CVEs for vulnerable products
Version:4 (rev.4) - 12 June 2023 Revised to update the list of impacted CVEs for vulnerable products. Please note that rev.2 and rev.3 of this document were cancelled due to technical issues, and were not published.
Version:5 (rev.5) - 24 July 2023 Updated SPR availability date

Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com.

Report: To report a potential security vulnerability for any HPE supported product:
  Web Form: https://www.hpe.com/info/report-security-vulnerability
  Email: security-alert@hpe.com

Hewlett Packard Enterprise Product Security Response Policy: https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00100637en_us

Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive

System management and security procedures must be reviewed frequently to maintain system integrity. HPE is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

"HPE is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HPE products the important security information contained in this Bulletin. HPE recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HPE does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HPE will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin.
To the extent permitted by law, HPE disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement." ©Copyright 2025 Hewlett Packard Enterprise Development LP Hewlett Packard Enterprise Development shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HPE nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise Development and the names of Hewlett Packard Enterprise Development products referenced herein are trademarks of Hewlett Packard Enterprise Development in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.