
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN877
_____________________________________________________________________

DATE                : 18/12/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running HPE OneView versions up to and
                     including 10.20.

=====================================================================
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us&docLocale=en_US
_____________________________________________________________________


HPESBGN04985 rev.2 - Hewlett Packard Enterprise OneView Software,
Remote Code Execution
Document Subtype: Security Bulletin
Document ID: hpesbgn04985en_us
Last Updated: 2025-12-18
Release Date: 2025-12-16
Document Version: 2

Potential Security Impact: Remote: Code Execution

Source: Hewlett Packard Enterprise, HPE Product Security Response Team


VULNERABILITY SUMMARY

A potential security vulnerability has been identified in Hewlett
Packard Enterprise OneView Software. This vulnerability could be
exploited by a remote, unauthenticated user to achieve remote code
execution on the appliance.

References: CVE-2025-37164
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HPE OneView - All versions through v10.20

BACKGROUND
HPE calculates CVSS using CVSS Version 3.1. If the score is provided
from NIST, we will display Version 3.1 as provided from NVD.


Reference                          V3 Vector           V3 Base Score
CVE-2025-37164  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H   10.0

Information on CVSS is documented in HPE Customer Notice: HPSN-2008-002

Hewlett Packard Enterprise acknowledges brocked200 (Nguyen Quoc Khanh)
for reporting this issue to security-alert@hpe.com.

RESOLUTION

HPE has made the following software update available to resolve the
vulnerability in HPE OneView.

HPE has released a security hotfix that applies to any HPE OneView
version from 5.20 through 10.20. Note that the bulletin lists all
versions through 10.20 as affected but provides the hotfix only for
5.20 and later. The security hotfix must be reapplied after an
appliance upgrade from HPE OneView version 6.60.xx to 7.00.00,
including after any HPE Synergy Composer reimage. Visit the HPE OneView
virtual appliance security hotfix page to download the virtual
appliance security hotfix, and the HPE Synergy CVE security hotfix
page to download the HPE Synergy Composer security hotfix.


HISTORY

    Version:1 (rev.1) - 17 December 2025 Initial release
    Version:2 (rev.2) - 18 December 2025 Revised resolution

Third Party Security Patches: Third party security patches that are
to be installed on systems running Hewlett Packard Enterprise (HPE)
software products should be applied in accordance with the customer's
patch management policy.

Support: For issues about implementing the recommendations of this
Security Bulletin, contact normal HPE Services support channel. For
other issues about the content of this Security Bulletin, send
e-mail to security-alert@hpe.com.


Report: To report a potential security vulnerability for any HPE
supported product:

    Web Form: https://www.hpe.com/info/report-security-vulnerability

    Email: security-alert@hpe.com

    Hewlett Packard Enterprise Product Security Response Policy

Subscribe: To initiate a subscription to receive future HPE Security
Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security
Bulletins is available here:
http://www.hpe.com/support/Security_Bulletin_Archive

System management and security procedures must be reviewed frequently
to maintain system integrity. HPE is continually reviewing and
enhancing the security features of software products to provide
customers with current secure solutions.

"HPE is broadly distributing this Security Bulletin in order to bring
to the attention of users of the affected HPE products the important
security information contained in this Bulletin. HPE recommends that
all users determine the applicability of this information to their
individual situations and take appropriate action. HPE does not warrant
that this information is necessarily accurate or complete for all user
situations and, consequently, HPE will not be responsible for any
damages resulting from user's use or disregard of the information
provided in this Bulletin. To the extent permitted by law, HPE
disclaims all warranties, either express or implied, including the
warranties of merchantability and fitness for a particular purpose,
title and non-infringement."

©Copyright 2025 Hewlett Packard Enterprise Development LP
Hewlett Packard Enterprise Development shall not be liable for technical
or editorial errors or omissions contained herein. The information
provided is provided "as is" without warranty of any kind. To the extent
permitted by law, neither HPE nor its affiliates, subcontractors or
suppliers will be liable for incidental, special or consequential
damages including downtime cost; lost profits; damages relating to the
procurement of substitute products or services; or damages for loss of
data, or software restoration. The information in this document is
subject to change without notice. Hewlett Packard Enterprise Development
and the names of Hewlett Packard Enterprise Development products
referenced herein are trademarks of Hewlett Packard Enterprise
Development in the United States and other countries. Other product
and company names mentioned herein may be trademarks of their
respective owners.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================