SB2025061027 - Multiple vulnerabilities in HPE Telco Service Activator

Main Vulnerability Database SB2025061027

SB2025061027 - Multiple vulnerabilities in HPE Telco Service Activator

Published: June 10, 2025

Security Bulletin ID SB2025061027

Severity

High

Patch available

YES

Number of vulnerabilities 6

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.

1) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2023-43642)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to missing upper bound check on chunk length. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

2) Resource exhaustion (CVE-ID: CVE-2023-44487)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improperly control of consumption for internal resources when handling HTTP/2 requests with compressed HEADERS frames. A remote attacker can send a sequence of compressed HEADERS frames followed by RST_STREAM frames and perform a denial of service (DoS) attack, a.k.a. "Rapid Reset".

Note, the vulnerability is being actively exploited in the wild.

3) Resource exhaustion (CVE-ID: CVE-2023-5685)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources in NotifierState, when the chain of notifier states becomes problematically large. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

4) Resource exhaustion (CVE-ID: CVE-2024-5971)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to response writes hand when using Java 17 TLSv1.3 NewSessionTicket. A remote attacker can perform a denial of service (DoS) attack.

5) Uncontrolled Recursion (CVE-ID: CVE-2024-7254)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation when parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields. A remote attacker can pass specially crafted input to the application to create unbounded recursions and perform a denial of service (DoS) attack.

6) Session Fixation (CVE-ID: CVE-2024-7341)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the session fixation issue in the SAML adapters. A remote user who hijacks the current session before authentication can trigger session fixation.

Remediation

Install update from vendor's website.

References

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbnw04833en_us