Overview
- HPE says all OneView releases prior to version 11.00 are vulnerable, with hotfixes provided for versions 5.20 through 10.20.
- The company advises upgrading to OneView 11.00 or applying the hotfix immediately because there are no mitigations.
- HPE notes the hotfix must be reapplied after upgrades from 6.60 or later to 7.00.00 or after any Synergy Composer reimaging, with separate downloads for the virtual appliance and Synergy deployments.
- HPE credits researcher Nguyen Quoc Khanh for reporting the flaw and says it has not confirmed exploitation in the wild.
- Rapid7’s early review indicates the issue likely involves a specific REST API endpoint and warns that compromising OneView could grant wide control over infrastructure.