- 313/2024
- High
Aruba has released security updates to fix multiple vulnerabilities affecting Aruba HPE StoreEasy, SGI CXFS, and Cray System Management Software.
The addressed vulnerabilities could allow the attacker to perform denial of service attacks, or gain elevated privileges and gain unauthorized access to files on the affected products.
Sample of the addressed vulnerabilities:
HPE Data Management Framework (DMF) Suite (CXFS), Local Unauthorized Access Vulnerability (CVE-2024-51764):
- CVSS: 8.1
- Attack Vector: Adjacent Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Privileges
Sample of the affected Products:
- Cray System Management Software – prior to COS-2.5.146, COS 23.11.1, CLE 7.0.UP04.PS19.
- HPE StoreEasy 1470 Storage – prior to 2.30_08-09-2024.
- HPE StoreEasy 1470 Performance – prior to 2.30_08-09-2024.
- HPE StoreEasy 1670 Storage – prior to 2.30_08-09-2024.
- SGI CXFS prior to patch11804, patch11805, patch11806, patch11807.
Vulnerabilities
- CVE-2024-51765
- CVE-2024-25585
- CVE-2024-51764
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.