Arbitrary Code Execution Vulnerabilities in HPE Unified OSS Console Assurance Monitoring (UOCAM) Software (CVE-2023-37466, CVE-2023-37903)

Published On: Nov 08, 2024 22:42

Advisory No: TZCERT-SA-24-0041

Source: Hewlett Packard Enterprise (HPE)

Software Affected: HPE Unified OSS Console Assurance Monitoring (UOCAM) Software

Overview

HPE UOCAM is affected by two critical-severity vulnerabilities in the vm2 sandbox library it bundles. An attacker can leverage them to execute arbitrary code on the affected system.

Description

The critical-severity vulnerabilities affecting HPE Unified OSS Console Assurance Monitoring (UOCAM) Software, tracked as CVE-2023-37466 and CVE-2023-37903, each carry a CVSS score of 10. Both originate in vm2, a Node.js sandbox library for running untrusted code with a whitelist of Node's built-in modules, in versions up to and including 3.9.19. In CVE-2023-37466, vm2's sanitization of `Promise` handlers can be bypassed through the `@@species` accessor property (`Symbol.species`) on a promise's constructor, which lets code running inside the sandbox escape it and run arbitrary code. In CVE-2023-37903, Node.js's custom inspect function allows code inside the sandbox to escape it in the same way. Exploitation presupposes that the attacker can already run code inside the vm2 sandbox, for example by supplying the code the sandbox evaluates; the escape then yields arbitrary code execution on the host with the privileges of the process hosting the sandbox, or a denial of service condition.
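The following is an added illustration, not code from the advisory, from HPE or from vm2, of the plain ECMAScript behaviour that the `@@species` bypass builds on. `Promise.prototype.then` creates its result through `SpeciesConstructor`, which reads `promise.constructor[Symbol.species]` and calls `new C(executor)`; code that controls a promise object can therefore make `then` call a constructor of its choosing and receive resolve/reject functions that never pass through whatever wrapping a sandbox applies to the handlers given to `.then`. The `HookedPromise` and `guardedThen` names are assumptions for this example, and `guardedThen` is an illustrative check, not the vendor's fix. Nothing here escapes any sandbox; it only shows the code path.

```javascript
// Added illustration (not from the advisory, HPE or vm2) of the Promise
// @@species hook. Names such as HookedPromise and guardedThen are assumed.

const calls = [];

// Attacker-chosen species constructor. In the real bypass the values flowing
// through here came from the host realm; this one only records what happened.
class HookedPromise {
  constructor(executor) {
    calls.push("species constructor called");
    // NewPromiseCapability requires the executor to receive two callables,
    // otherwise then() throws a TypeError.
    executor(
      (value) => calls.push(`resolve saw: ${value}`),
      (reason) => calls.push(`reject saw: ${reason}`)
    );
  }
}

// Give a promise an own `constructor` property whose @@species is HookedPromise.
// SpeciesConstructor looks the constructor up on the instance first.
function hookSpecies(promise) {
  promise.constructor = { [Symbol.species]: HookedPromise };
  return promise;
}

// then() on the hooked promise instantiates HookedPromise synchronously and
// returns that instance instead of a native Promise.
function runDemo() {
  calls.length = 0;
  const p = hookSpecies(Promise.resolve("sandbox value"));
  const derived = p.then((v) => v);
  return {
    derivedIsHooked: derived instanceof HookedPromise,
    derivedIsNativePromise: derived instanceof Promise,
    hookFired: calls.includes("species constructor called"),
  };
}

// Hypothetical defensive wrapper (not vm2's fix): only honour the default
// species before delegating to the real then().
function guardedThen(promise, onFulfilled, onRejected) {
  const ctor = promise.constructor;
  const species = ctor == null ? undefined : ctor[Symbol.species];
  if (species !== undefined && species !== Promise) {
    throw new TypeError("refusing non-default Promise species");
  }
  return Promise.prototype.then.call(promise, onFulfilled, onRejected);
}
```

`runDemo()` reports that the object returned by `then` is a `HookedPromise` and not a native `Promise`, which is the point: the sandbox layer never saw the constructor call. `guardedThen` shows the shape of a check on that lookup, but a `constructor` getter or a Proxy can still lie to it, which is why such sandboxes are hard to make airtight.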

Impact

Successful exploitation of these vulnerabilities may allow an attacker to take control of the vulnerable system.

Solution

HPE has released security patches to address the vulnerabilities. Users and administrators are encouraged to apply the necessary updates. Because the flaws lie in the bundled vm2 library rather than in UOCAM-specific code, any other deployment that embeds vm2 at version 3.9.19 or earlier is exposed in the same way and should be updated as well; the installed version is visible in the dependency tree (`npm ls vm2` or the lockfile).
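As an added example, not part of the advisory and not a tool from HPE, the script below audits a `package-lock.json` for vm2 installs at or below 3.9.19, the last version the two CVEs describe as affected, including nested copies under other packages and both the lockfile v2/v3 `packages` map and the v1 `dependencies` tree. The lockfile content is constructed for illustration; the package names in it are made up, and a version above 3.9.19 is only reported as outside the stated range, not vouched for as safe.

```javascript
// Added example (not from the advisory or HPE): find vm2 <= 3.9.19 in a lockfile.
const LAST_AFFECTED_VM2 = "3.9.19";

// Minimal semver core comparison: strips range sigils and pre-release tags.
function parseVersion(v) {
  const core = String(v).replace(/^[v^~]/, "").split(/[-+]/)[0];
  return core.split(".").map((n) => parseInt(n, 10) || 0);
}

function versionLte(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return true;
}

// Returns [{ path, version }] for every vm2 copy in the affected range.
function findVulnerableVm2(lockfile) {
  const hits = new Map(); // path -> version; dedupes v2 lockfiles, which carry both shapes
  const record = (path, version) => {
    if (version && versionLte(version, LAST_AFFECTED_VM2)) hits.set(path, version);
  };
  // lockfileVersion 2/3: flat map keyed by install path, e.g.
  // "node_modules/vm2" or "node_modules/plugin/node_modules/vm2".
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path.split("node_modules/").pop() === "vm2") record(path, meta.version);
  }
  // lockfileVersion 1: nested "dependencies" objects.
  const walkV1 = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "vm2") record(path, meta.version);
      walkV1(meta.dependencies, `${path}/`);
    }
  };
  walkV1(lockfile.dependencies, "");
  return [...hits]
    .map(([path, version]) => ({ path, version }))
    .sort((a, b) => a.path.localeCompare(b.path));
}

// Convenience for real use: auditLockfilePath("package-lock.json").
function auditLockfilePath(file) {
  const fs = require("fs");
  return findVulnerableVm2(JSON.parse(fs.readFileSync(file, "utf8")));
}

// Constructed sample (package names are invented): two copies in range,
// one outside the range the advisory states.
const SAMPLE_LOCKFILE_V3 = {
  name: "monitoring-ui",
  lockfileVersion: 3,
  packages: {
    "": { name: "monitoring-ui", dependencies: { vm2: "^3.9.19" } },
    "node_modules/vm2": { version: "3.9.19" },
    "node_modules/some-plugin": { version: "1.2.0", dependencies: { vm2: "3.9.11" } },
    "node_modules/some-plugin/node_modules/vm2": { version: "3.9.11" },
    "node_modules/other-tool/node_modules/vm2": { version: "3.10.0" },
  },
};

const SAMPLE_LOCKFILE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "legacy-lib": {
      version: "0.4.2",
      dependencies: { vm2: { version: "3.9.5" } },
    },
  },
};

console.log(JSON.stringify(findVulnerableVm2(SAMPLE_LOCKFILE_V3), null, 2));
console.log(JSON.stringify(findVulnerableVm2(SAMPLE_LOCKFILE_V1), null, 2));
```

Run it against a real lockfile with `auditLockfilePath("package-lock.json")`; an empty result only means no in-range vm2 copy is pinned in that lockfile, so also check vendored or globally installed copies that npm's lockfile does not describe.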
