September 27, 2023

HPE has issued a critical alert tied to its OneView infrastructure management platform warning of a use-after-free vulnerability that allows remote attackers to execute arbitrary code on targeted systems, leak data, or create conditions ripe for a denial-of-service attack.

The flaw resides in third-party code, the Expat XML parser, and is tracked as CVE-2022-40674. HPE scores the bug with a severity rating of 9.8. The vulnerable code has impacted a bevy of other vendors’ enterprise-class software, including NetApp and IBM, which both released critical warnings to customers to mitigate the same flaw.


There are no public reports that the vulnerability is being exploited in the wild or that a public proof-of-concept attack exists.

HPE explained that Expat is used by its OneView platform to parse various XMLs. The bug, HPE said, only impacts versions of HPE OneView prior to 8.1. In a technical summary, HPE explained vulnerable systems allow an “attacker to triage a denial of service or potentially arbitrary code execution.”

Both IBM and NetApp offer remediation; however, the vendors indicate there are no workarounds or mitigations for the specific Expat flaw. Instead, both vendors offer upgrades that secure affected products.

NetApp warned users that the Expat flaw impacted eleven of its enterprise products. NetApp indicated it is still investigating whether any host utilities for SAN for Windows may also be impacted.

The Expat XML parser is a stream-oriented XML parser library written in the C programming language, according to a GitHub repository entry. “Expat excels with files too large to fit RAM, and where performance and flexibility are crucial,” the entry states.

Successful exploitation of the bug could lead to the disclosure of sensitive information, addition or modification of data, or Denial of Service.


The Expat flaw was originally made public in September. Since then, the CVE has been updated many times to reflect additionally impacted vendors.

It is recommended that customers of the above vendors read the published advisory and take preventive actions.
