Vulnerability Note VU#267328
HP Data Protector does not perform authentication and contains an embedded SSL private key
HP Data Protector does not perform user authentication, even when Encrypted Control Communications is enabled, and contains an embedded SSL private key that is shared among all installations.
CWE-306: Missing Authentication for Critical Function - CVE-2016-2004
Data Protector does not authenticate users, even with Encrypted Control Communications enabled. An unauthenticated remote attacker may be able to execute code on the server hosting Data Protector.
An unauthenticated remote attacker may be able to execute code on the server, or perform man-in-the-middle attacks against the server.
Apply an update
Restrict Network Access
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Hewlett Packard Enterprise | Affected | 11 Nov 2015 | 22 Apr 2016 |
CVSS Metrics
Thanks to Ian Lovering for reporting this vulnerability.
This document was written by Garret Wassermann.
- CVE IDs: CVE-2016-2004
- Date Public: 18 Apr 2016
- Date First Published: 22 Apr 2016
- Date Last Updated: 22 Apr 2016
- Document Revision: 37