[security bulletin] HPESBHF03713 rev.1 - HPE Intelligent Management Center (IMC) PLAT, Deserialization of Untrusted Data, Remote Code Execution