...
| Document Version | Release Date | Details |
|---|---|---|
| 6 | 09/23/2020 | SPP 2019.09.1 addressing these vulnerabilities has been released. |
| 5 | 09/17/2020 | SPP 2019.12.2 addressing these vulnerabilities has been released. |
| 4 | 09/08/2020 | SPP 2020.03.2 addressing these vulnerabilities has been released. |
| 3 | 09/02/2020 | Updated expected timeframe for upcoming SPP releases. |
| 2 | 08/06/2020 | Updated Resolution with information on upcoming SPP releases for various vulnerabilities. |
| 1 | 07/29/2020 | Original Document Release. |

On July 29th, a researcher disclosed a vulnerability in Linux GRUB2 bootloaders called "BootHole" (CVE-2020-10713). A system is vulnerable to the BootHole issue when a signed GRUB2 bootloader containing the vulnerable code is permitted to execute by the UEFI Allowed Signature Database (DB). On systems where Secure Boot is enabled, the vulnerability can be used to circumvent the Secure Boot process.

To prevent this vulnerability, an updated GRUB2 and an updated Forbidden Signature Database (DBX) are being made available by the relevant OS vendors, and must be applied to the system. Impacted HPE products will also have updates that align with these GRUB2 and DBX updates.

This vulnerability impacts the bootable ISO of HPE Service Pack for ProLiant (SPP), which is primarily used for performing offline-mode updates of the targets, as described in the section titled "Initiating offline deployment" of the document HPE Service Pack for ProLiant - Downloading and Installing an SPP. This document provides details of the affected versions along with information on updates to all the supported and impacted versions of SPP.
Any of the following versions (and earlier) of SPP are impacted:

Gen10 Production Versions:
- 2020.03.0
- 2019.12.0

Gen9/Gen10 Production Versions (warranty/support agreement required):
- 2020.03.0
- 2019.12.0
- 2019.09.0

Post-Production Versions (warranty/support agreement required):
- Gen8.1
Update Gen9, Gen10 or Gen10 Plus systems to the corresponding SPP version mentioned below to resolve the CVE-2020-10713, CVE-2020-15705 and CVE-2020-7205 vulnerabilities.

IMPORTANT: The updates must be made in a specific order. For CVE-2020-10713, the GRUB2 updates (from HPE and from the OS vendors) must be made first, in either order. After the GRUB2 updates are complete, customers should then apply the DBX updates (from HPE and from the OS vendors), in either order. The GRUB2 updates must be executed first, and the DBX updates completed next, in order to successfully reboot in the future. For updates supplied by OS vendors outside of HPE, customers should follow the instructions from those vendors.

To download the needed SPP version and get its installation instructions, go to the following links:

Gen10/Gen10 Plus:
- 2020.03.2
- 2019.12.2

Gen9/Gen10/Gen10 Plus:
- 2020.03.2
- 2019.12.2
- 2019.09.1

The remaining SPP releases that mitigate these vulnerabilities are expected to become available during the month of September, based on availability of fixes from the industry. This document will be updated as the updated SPP versions become available.
To obtain the latest DBX Updater tools from HPE, refer to the following Bulletin:
- GRUB2 (aka BootHole) Vulnerabilities - CRITICAL UPDATE Secure Boot DBX Updater for Linux, Windows and UEFI

Refer to the following Customer Bulletins and Customer Notice for further details of this issue with Intelligent Provisioning and Scripting Toolkit (STK):
- HPE Intelligent Provisioning - UEFI Secure Boot Evasion Vulnerability (aka BootHole Vulnerability) CVE-2020-10713
- HPE Scripting Toolkit for Linux - UEFI Secure Boot Evasion Vulnerability (aka BootHole Vulnerability) CVE-2020-10713
- GRUB2 (aka BootHole) Vulnerability - UEFI Secure Boot Evasion Vulnerability (CVE-2020-10713)

For additional information, refer to the following Security Bulletins:
- HPESBHF04019 rev.1 - Systems with Secure Boot enabled and GRUB2 vulnerability, Local Arbitrary Code Execution
- HPESBHF04020 rev.1 - HPE insmod and GRUB2 vulnerability, Local Arbitrary Code Execution

HPE has added this vulnerability to the HPE Product Security Vulnerability Alerts Webpage.