HPE Servers Exposed: Critical Vulnerability Demands Urgent Firmware Update

by do son · Published July 25, 2024 · Updated July 25, 2024

A critical security vulnerability, CVE-2021-38578, has been discovered in a wide range of HPE ProLiant, Alletra, Synergy, Apollo, and Edgeline servers. This vulnerability, rated with a severity score of 9.8, could allow remote attackers to execute arbitrary code, potentially leading to data breaches, system compromise, and operational disruptions.

The affected servers span multiple generations and models, including Gen10, Gen10 Plus, and Gen11 ProLiant servers, Alletra storage systems, Synergy compute modules, Apollo systems, and Edgeline servers. HPE has released firmware updates to address this critical vulnerability and urges customers to apply the updates immediately.

This vulnerability is particularly concerning due to its high severity rating and the potential for remote exploitation. Attackers could exploit this flaw to gain unauthorized access to sensitive data, install malware, or disrupt critical business operations. The broad range of affected servers amplifies the risk, as it impacts various industries and organizations that rely on HPE’s enterprise-grade hardware.

The affected server models and their vulnerable firmware versions are as follows:

HPE Alletra 4110 and 4120 – Prior to v2.20_05-27-2024
HPE ProLiant DL and ML Series (Gen10, Gen10 Plus, Gen11) – Various versions prior to v3.20_05-27-2024
HPE Synergy Compute Modules (Gen10, Gen10 Plus, Gen11) – Various versions prior to v3.20_05-27-2024
HPE Apollo Systems – Prior to v2.10_05-27-2024
HPE Edgeline Servers – Various versions prior to v3.20_05-27-2024

For a complete list of affected models and versions, please refer to the HPE security bulletin.

HPE has acted swiftly to address this critical vulnerability by releasing updated BIOS firmware for the affected models. Users are strongly advised to update their server firmware to the latest versions to mitigate any potential security risks.

The recommended firmware versions to resolve this vulnerability are:

Gen11, Alletra, and Synergy Gen11 – v2.20_05-27-2024 or later
Gen10 Plus, Synergy Gen10 Plus, and XL – v2.10_05-27-2024 or later
Gen10, Synergy Gen10, and XL – v3.20_05-27-2024 or later
AMD Gen11 – v1.60_03-14-2024 or later
AMD Gen10 and Gen10 Plus – v3.10_03-21-2024 or later
Edgeline 930t – v2.20_05-27-2024 or later
Edgeline 920x – v2.10_05-27-2024 or later
Edgeline e910x – v3.20_05-27-2024 or later

To download the necessary firmware updates, users should visit the Hewlett Packard Enterprise Support Center. Follow these steps to locate and download the required updates:

Enter the product name from the list of impacted products in the text search field and wait for the Suggested Products list to display.
Select the desired product from the Suggested Products list.
The page will refresh to include a selection for the “DRIVERS AND SOFTWARE” tab.
Select the “DRIVERS AND SOFTWARE” tab to find and download the necessary components.