HPE tape library permits unauthorised remote access

Eh!

How are you going to read the data off the tapes from the internal library controller via HTTP. The tape drives are connected via Fibre Channel to the backup server and all the data goes via the FC interface.

That's a modern tape library with three access paths: data path, control path and out of band management interface. The data path and the control path can conceivably be on the same SAN, but the management interface is Ethernet.

The vulnerability only affects the third portion above. Even if you have access to that interface, you still have no access to the control path or the data path.

In short, you can't access data over the library management interface. (In theory you could over TTI, but that is unusable for slurping data since the interface throughput peaks at some 10 KB/s).

Now, in a very stupid configuration, you could put the data and control paths on FCoE and then put them on the same LAN as the library management interface, but that has zero practical applications.