Remote Code Execution Vulnerability in HPE 3PAR, Primera, and Alletra 9000 Storage Systems
CVE-2021-26588

9.8CRITICAL

Key Information:

Vendor: HP
Status: HP 3par Storeserv 10000 Storage; HP 3par Storeserv 7000 Storage; HP 3par Storeserv 8000 Storage; HP Primera 600 Storage; HP 3par Storeserv 20000; HP Alletra 9000; HP 3par Storeserv 9000 Storage
Vendor: CVE Published:; 11 October 2021

Summary

A security vulnerability has been discovered in the firmware of HPE 3PAR StoreServ, HPE Primera, and HPE Alletra 9000 storage arrays. This vulnerability allows an unauthenticated user to exploit the system with low complexity, potentially enabling the execution of arbitrary code as an administrator. Such exploitation can jeopardize the confidentiality, integrity, and availability of the storage array. HPE has released significant software updates and provided mitigation strategies to address this issue. It is imperative for users to implement these updates to secure their systems.

Affected Version(s)

HP 3PAR StoreServ 10000 Storage; HP 3PAR StoreServ 7000 Storage; HPE 3PAR StoreServ 8000 Storage; HPE Primera 600 Storage; HPE 3PAR StoreServ 20000; HPE Alletra 9000; HPE 3PAR StoreServ 9000 Storage 3.3.1 MU1 up to 3.3.1 MU2 P157 or 3.3.1 up to 3.3.1 MU5 P156 or 3.3.1 MU1 up to 3.3.2 GA P01

References

https://support.hpe.com/hpsc/doc/public/display?docLocale...

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 11, 2021
Vulnerability Reserved
Feb 2, 2021