CVE-2024-51768
HPE · HPE AutoPass License Server (APLS)
Executive summary
A high-severity remote code execution (RCE) vulnerability has been identified in HPE AutoPass License Server (APLS). This flaw allows an unauthenticated remote attacker to execute arbitrary commands on the server, potentially leading to a complete system compromise. Due to the critical nature of this vulnerability and its high CVSS score, immediate patching is required to prevent data breaches, service disruption, and further network intrusion.
Vulnerability
The vulnerability stems from an insecure implementation of the HSQLDB database component within the HPE AutoPass License Server. An unauthenticated remote attacker can send a specially crafted request to an exposed service endpoint. This request can inject malicious SQL statements that leverage HSQLDB's ability to call Java code, allowing the attacker to execute arbitrary commands on the underlying operating system with the privileges of the APLS service account.
Business impact
Rated as High severity with a CVSS score of 8.0, this vulnerability poses a significant risk to the organization. Successful exploitation grants an attacker full control over the affected license server. This could lead to the theft of sensitive license and customer data, disruption of business-critical applications that rely on the license server, and the use of the compromised server as a foothold to launch further attacks against the internal network. The potential consequences include major data confidentiality and integrity loss, operational downtime, and reputational damage.
Remediation
Immediate Action:
- Immediately apply the security patch provided by HPE to upgrade all instances of AutoPass License Server to version 9.0 or later.
- Prioritize patching for any APLS instances that are internet-facing or accessible from untrusted networks.
- After patching, verify that the upgrade was successful and the service is functioning correctly.
Proactive Monitoring:
- Review APLS and web server access logs for unusual or malformed requests, particularly those targeting database-related endpoints.
- Monitor network traffic for anomalous connections to the APLS server.
- On the host system, monitor for unexpected process execution originating from the APLS service (e.g., cmd.exe, /bin/sh, powershell.exe).
- Implement log alerts for suspicious SQL queries in HSQLDB logs, if accessible, that contain keywords like CALL, SCRIPT, or Java class names.
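The two host-side checks above (shell processes spawned by the APLS service, and CALL / SCRIPT / Java class names in HSQLDB statement logs) can be turned into simple detection logic. The following is an added example written for this advisory, not HPE code and not a documented APLS or HSQLDB log format: the log line layout, the service binary names in APLS_SERVICE_IMAGES and the process-event fields are all assumptions, and the sample lines are constructed.

```python
import re
from typing import Iterable

# --- Assumptions (placeholders, not documented APLS/HSQLDB artefacts) ---
# Assumed binary name of the APLS service process; in practice map this to the
# JVM the service launches (by service name or command line) in your EDR data.
APLS_SERVICE_IMAGES = {"apls-service.exe", "apls-service"}
# Shells the advisory lists, plus common equivalents, compared by basename.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash"}

# Statements the advisory calls out, matched as whole words so that e.g. the
# column name "recalled" does not trigger an alert.
KEYWORD_RE = re.compile(r"\b(CALL|SCRIPT)\b", re.IGNORECASE)
# Fully-qualified Java class reference: "java." or "javax.", one or more
# lower-case package segments, then a capitalised class name.
JAVA_CLASS_RE = re.compile(r"\bjavax?\.(?:[a-z_]\w*\.)+[A-Z]\w*")


def scan_sql_log(lines: Iterable[str]) -> list[dict]:
    """Return one record per HSQLDB log line that matches a SQL-level indicator."""
    hits = []
    for line in lines:
        reasons = []
        kw = KEYWORD_RE.search(line)
        if kw:
            reasons.append("keyword:" + kw.group(1).upper())
        cls = JAVA_CLASS_RE.search(line)
        if cls:
            reasons.append("java_class:" + cls.group(0))
        if reasons:
            hits.append({"line": line, "reasons": reasons})
    return hits


def _basename(path: str) -> str:
    """Last path component, lower-cased, for both Windows and POSIX paths."""
    return re.split(r"[\\/]", path)[-1].lower()


def find_shell_spawns(events: Iterable[dict]) -> list[dict]:
    """Flag process-creation events in which the APLS service spawns a shell."""
    return [
        e for e in events
        if _basename(e["parent_image"]) in APLS_SERVICE_IMAGES
        and _basename(e["image"]) in SHELL_IMAGES
    ]


# Constructed sample data (assumed layout: timestamp, connection id, user, statement).
SAMPLE_SQL_LOG = [
    "2024-11-05T10:14:03Z conn=7 user=APLS stmt=SELECT id, expiry FROM licenses WHERE id = 42",
    '2024-11-05T10:14:09Z conn=9 user=APLS stmt=CALL "java.example.Placeholder.run"()',
    "2024-11-05T10:14:12Z conn=9 user=APLS stmt=SCRIPT",
    "2024-11-05T10:15:30Z conn=11 user=APLS stmt=UPDATE licenses SET recalled = TRUE WHERE id = 7",
]

# Constructed process-creation events in an assumed EDR-style shape.
SAMPLE_PROCESS_EVENTS = [
    {"ts": "2024-11-05T10:14:10Z",
     "parent_image": r"C:\Program Files\HPE\APLS\bin\apls-service.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2024-11-05T10:20:00Z",
     "parent_image": r"C:\Program Files\HPE\APLS\bin\apls-service.exe",
     "image": r"C:\Program Files\HPE\APLS\jre\bin\java.exe"},      # JVM restart: benign
    {"ts": "2024-11-05T10:21:00Z",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},  # not APLS
    {"ts": "2024-11-05T10:22:00Z",
     "parent_image": "/opt/hpe/apls/bin/apls-service",
     "image": "/bin/sh"},
]


if __name__ == "__main__":
    for hit in scan_sql_log(SAMPLE_SQL_LOG):
        print("SQL ALERT", hit["reasons"], "|", hit["line"])
    for ev in find_shell_spawns(SAMPLE_PROCESS_EVENTS):
        print("PROCESS ALERT", ev["ts"], ev["parent_image"], "->", ev["image"])
```

On the constructed input the SQL scanner alerts on the CALL and SCRIPT lines only (the UPDATE line containing "recalled" stays quiet), and the process check alerts on the cmd.exe and /bin/sh children of the assumed APLS service while ignoring the JVM restart and the shell started from Explorer. Both checks are parent-basename and keyword based, so they are a starting point for a SIEM or EDR rule rather than a replacement for patching.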
Compensating Controls:
- If patching cannot be performed immediately, restrict network access to the APLS application to only trusted IP addresses and subnets using a firewall.
- Place the APLS instance behind a Web Application Firewall (WAF) with rules configured to inspect and block malicious SQL injection and command injection patterns.
- Ensure an Endpoint Detection and Response (EDR) solution is active on the server to detect and block anomalous process execution.
Exploitation status
Public Exploit Available: False
Analyst recommendation
Given the high severity (CVSS 8.0) and the critical impact of a successful remote code execution attack, we strongly recommend that immediate action be taken. Although this vulnerability is not currently listed in the CISA KEV catalog, its characteristics make it a prime target for future exploitation. The organization must prioritize the immediate application of the vendor-supplied patch across all affected systems as outlined in the remediation plan. Systems that cannot be patched immediately must have compensating controls applied without delay.