HPE yawns, stretches, and patches January OpenSSH bug in virtual access products
lighttpd also gets a fix
HPE customers have just been issued patches related to the lighttpd daemon and OpenSSH for remote access devices.
The vulns are in the company's HPE Remote Device Access: Virtual Customer Access System (vCAS). vCAS is designed for IT shops to provide remote support access to customer networks.
The company has disclosed three vulnerabilities:
- CVE-2015-3200 – affects lighttpd before version 1.4.36 and was patched by the project in August 2015; it allowed remote attackers to inject log entries.
- CVE-2016-0777 – a roaming bug in OpenSSH clients before 7.1p2, patched in January; it allowed an attacker to retrieve buffers and access users' private keys.
- CVE-2016-0778 – also patched in January, and related to the other OpenSSH roaming bug.
HPE says the bugs "could be exploited remotely resulting in unauthorized modification of information, denial of service, and disclosure of information," so it's lumbered into action.
There are separate patches for vCAS systems running on Oracle VirtualBox and VMware. ®