Recently, HP PSRT disclosed several serious security vulnerabilities that result from an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. The vulnerability numbers are FasterXML (CVE-2017-17485, CVE-2018-5968, CVE-2018-7489, CVE-2017-9096).
An attacker could bypass the blacklist by sending maliciously crafted JSON input to the readValue method of ObjectMapper and gain unauthenticated remote code execution.
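A blacklist has to name every dangerous class in advance; an allowlist of permitted types removes that gap. The Java example below is added here and is not taken from this advisory or from any H3C product; it assumes jackson-databind 2.10 or later (which provides PolymorphicTypeValidator), and the class names AllowlistTypingDemo and Greeting are hypothetical.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class AllowlistTypingDemo {
    // Hypothetical application type that is permitted in polymorphic JSON.
    public static class Greeting {
        public String text;
    }

    // Mapper whose polymorphic typing accepts only allowlisted subtypes.
    // Any class name that is not explicitly allowed is rejected before
    // Jackson instantiates it, so there is no blacklist to fall behind.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Greeting.class)
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();

        // Constructed input: type id names the allowlisted class.
        String allowed = "[\"" + Greeting.class.getName() + "\",{\"text\":\"hello\"}]";
        Object value = mapper.readValue(allowed, Object.class);
        System.out.println("accepted: " + value.getClass().getName());

        // Constructed input: type id names a harmless JDK class that is
        // not on the allowlist, standing in for any unexpected type.
        String denied = "[\"java.util.concurrent.atomic.AtomicLong\",1]";
        try {
            mapper.readValue(denied, Object.class);
            System.out.println("unexpected: type was accepted");
        } catch (InvalidTypeIdException e) {
            // The validator refused the type id; log and reject the request.
            System.out.println("rejected type id: " + e.getTypeId());
        }
    }
}
```

Where polymorphic typing is not needed at all, leaving default typing disabled avoids the exposure entirely.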
The H3C R&D team promptly investigated H3C products after the vulnerabilities were publicly disclosed.
The following products are affected:
- VDI (CVE-2017-17485, CVE-2018-5968, CVE-2018-748)
- H3CloudOS/H3CloudCMP (CVE-2018-7489)
【Solution for H3C Products】
For product solutions, please contact H3C Service Hotline: +852 2907 0456 or email: email@example.com.