"HPE, NetApp Warn of Critical Open-Source Bug"

Hewlett Packard Enterprise (HPE) has issued an alert regarding its OneView infrastructure management platform, warning of a use-after-free vulnerability that enables remote attackers to execute arbitrary code on targeted systems, leak data, and more. The vulnerability stems from third-party code in the Expat XML parser. The bug, tracked as CVE-2022-40674, has a severity rating of 9.8. The vulnerable code also affects enterprise-class software from other vendors, including NetApp and IBM, which have issued their own customer alerts for the same flaw. There are no reports of the vulnerability being exploited in the wild, nor is there a published proof-of-concept (POC) attack. IBM and NetApp have offered remediation but have indicated that there are no workarounds or mitigations for the specific Expat vulnerability; instead, both vendors offer security upgrades for the affected products. Recently, NetApp alerted users that eleven of its enterprise products were vulnerable to the Expat flaw, and it is still determining whether any of its host utilities for SAN on Windows are also affected. This article continues to discuss findings and warnings regarding the critical open-source bug.

SC Magazine reports "HPE, NetApp Warn of Critical Open-Source Bug"

Submitted by Anonymous on