Vulnerability Description
The HPE-provided Windows firmware installer for certain Gen9, Gen8, G7, and G6 HPE servers allows local disclosure of privileged information. This issue was resolved in previously provided firmware updates as follows. The HPE Windows firmware installer was updated in the system ROM updates which also addressed the original Spectre/Meltdown set of vulnerabilities. At that time, the Windows firmware installer was also updated in the versions of HPE Integrated Lights-Out 2, 3, and 4 (iLO 2, 3, and 4) listed in the security bulletin. The updated HPE Windows firmware installer was released in the system ROM and HPE Integrated Lights-Out (iLO) releases documented in earlier HPE Security Bulletins: HPESBHF03805, HPESBHF03835, HPESBHF03831. Windows-based systems that have already been updated to the system ROM or iLO versions described in these security bulletins require no further action.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Hp | Integrated Lights-Out 2 Firmware | < 2.33 |
| Hp | Integrated Lights-Out 2 | - |
| Hp | Proliant Gen6 Server | - |
| Hp | Integrated Lights-Out 3 Firmware | < 1.90 |
| Hp | Integrated Lights-Out | - |
| Hp | Proliant Gen7 Server | - |
| Hp | Integrated Lights-Out 4 Firmware | < 2.60 |
| Hp | Proliant Gen8 Server | - |
| Hp | Proliant Xl750F Gen9 Server Firmware | < 2.56_01-22-2018 |
| Hp | Proliant Xl750F Gen9 Server | - |
| Hp | Proliant Xl740F Gen9 Server Firmware | < 2.56_01-22-2018 |
| Hp | Proliant Xl740F Gen9 Server | - |
| Hp | Proliant Xl730F Gen9 Server Firmware | < 2.56_01-22-2018 |
| Hp | Proliant Xl730F Gen9 Server | - |
| Hp | Proliant Xl450 Gen9 Server Firmware | < 2.56_01-22-2018 |
| Hp | Proliant Xl450 Gen9 Server | - |
| Hp | Proliant Xl270D Gen9 Server Firmware | < 2.56_01-22-2018 |
| Hp | Proliant Xl270D Gen9 Server | - |
| Hp | Proliant Xl270D Gen9 Accelerator Tray Firmware | < 2.56_01-22-2018 |
| Hp | Proliant Xl270D Gen9 Accelerator Tray | - |
References
- http://www.securitytracker.com/id/1041984 (Third Party Advisory, VDB Entry)
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpe (Not Applicable, Vendor Advisory)
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpe (Not Applicable, Vendor Advisory)
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpe (Not Applicable, Vendor Advisory)
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpe (Vendor Advisory)
FAQ
What is CVE-2018-7112?
CVE-2018-7112 is a vulnerability with a CVSS score of 5.5 (MEDIUM). The HPE-provided Windows firmware installer for certain Gen9, Gen8, G7, and G6 HPE servers allows local disclosure of privileged information. This issue was resolved in previously provided firmware upd...
How severe is CVE-2018-7112?
CVE-2018-7112 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2018-7112?
Check the references section above for vendor advisories and patch information. Affected products include: Hp Integrated Lights-Out 2 Firmware, Hp Integrated Lights-Out 2, Hp Proliant Gen6 Server, Hp Integrated Lights-Out 3 Firmware, Hp Integrated Lights-Out.