SB20250716106 - Multiple vulnerabilities in HPE Unified OSS Console (UOC) and HPE Unified OSS Assurance Monitoring (UOCAM)
Published: July 16, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Inefficient regular expression complexity (CVE-ID: CVE-2024-52798)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.2) Resource exhaustion (CVE-ID: CVE-2024-54677)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the examples web application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
3) Permissions, privileges, and access controls (CVE-ID: CVE-2024-56337)
The vulnerability allows a remote attacker to compromise the affected system.
The mitigation bypass depends on the version of Java used on the system.
4) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2024-50379)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to missing access restrictions to the default servlet. If the default servlet is write enabled (readonly initialisation parameter set to the non-default value of false) for a case insensitive file system, concurrent read and upload under load of the same file can bypass Tomcat's case sensitivity checks and cause an uploaded file to be treated as a JSP leading to remote code execution.
Remediation
Install update from vendor's website.