Security Bulletin: Unauthorized access exposure on IBM SAN Volume Controller and Storwize Family (CVE-2013-2251 CVE-2013-2248 CVE-2013-2135 CVE-2013-2134 CVE-2013-2115 CVE-2013-1966 CVE-2013-1965)

Flash (Alert)


Abstract

Administrative access to the system via the IP interface may be obtained without authentication.

Content

VULNERABILITY DETAILS:
CVEID: CVE-2013-2251 CVE-2013-2248 CVE-2013-2135 CVE-2013-2134 CVE-2013-2115 CVE-2013-1966 CVE-2013-1965


DESCRIPTION:

The vulnerabilities are in the Apache Struts component of the system's management interface and can be exploited by anyone who can reach the management IP interface; no credentials are required. A successful attack gives the attacker superuser privilege on the system, which allows any modification to the configuration, including its complete deletion.
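The bulletin does not describe the Struts flaws themselves or how exploitation looks on the wire. As an added example (not IBM's code and not part of this bulletin), the script below performs a retrospective hunt over HTTP access logs, for instance from a reverse proxy or IDS sitting in front of the management IP, for requests shaped like the 2013 Apache Struts OGNL-injection and open-redirect advisories. The indicators (the action:, redirect: and redirectAction: parameter prefixes and OGNL markers such as %{, ${ and #_memberAccess) are taken from the public Struts advisories, not from this page, and the log lines are constructed for the example.

```python
"""
Added example, not IBM's code: hunt HTTP access logs for request shapes
associated with the 2013 Apache Struts advisories behind these CVE IDs.

Assumptions (not stated in the bulletin):
  * Logs are in Apache/nginx "combined" format, e.g. from a reverse proxy
    or IDS in front of the management IP. SAMPLE_LOG below is constructed.
  * Indicators come from the public Struts advisories: parameter-name
    prefixes evaluated as OGNL by DefaultActionMapper, and expression
    markers that appear in OGNL payloads.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3})'
)

# Parameter-name prefixes evaluated as OGNL / used for redirects in Struts 2.
PREFIXES = ("action:", "redirect:", "redirectaction:")
# Expression markers typical of OGNL injection payloads (compared lowercase).
OGNL_MARKERS = ("%{", "${", "#_memberaccess", "@java.lang", "getruntime")
OPEN_REDIRECT_RE = re.compile(r"^redirect(?:action)?:(?:https?:)?//")


def indicators(url: str) -> list:
    """Return indicator names for one request URL; an empty list means clean."""
    found = []
    parts = urlsplit(url)
    # Decode twice: payloads were often double-encoded to slip past filters.
    path = unquote(unquote(parts.path)).lower()
    query = unquote(unquote(parts.query)).lower()
    for name, _value in parse_qsl(query, keep_blank_values=True):
        for prefix in PREFIXES:
            if name.startswith(prefix):
                found.append(f"struts-prefix:{prefix}")
        if OPEN_REDIRECT_RE.match(name):
            found.append("open-redirect")  # redirect target is an absolute URL
    blob = path + "?" + query
    for marker in OGNL_MARKERS:
        if marker in blob:
            found.append(f"ognl-marker:{marker}")
    return found


def hunt(lines) -> list:
    """Return one record per suspicious log line: ip, timestamp, url, indicators."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ind = indicators(m["url"])
        if ind:
            hits.append({"ip": m["ip"], "ts": m["ts"], "url": m["url"], "indicators": ind})
    return hits


# Constructed sample log: three probes from one source, two normal requests.
SAMPLE_LOG = [
    '198.51.100.7 - - [14/Oct/2013:09:12:01 +0000] "GET /login?redirect:%24%7B%23a%3d1%7D HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Oct/2013:09:12:05 +0000] "GET /login?action:%25%7B%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3dtrue%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Oct/2013:09:12:09 +0000] "GET /login?redirect:http://evil.example/phish HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.50 - - [14/Oct/2013:09:13:00 +0000] "GET /login HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.0.2.50 - - [14/Oct/2013:09:13:04 +0000] "GET /static/app.js HTTP/1.1" 200 210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["url"], ", ".join(hit["indicators"]))
```

Hits with a struts-prefix indicator and an ognl-marker indicator on the same request are the strongest signal; a redirect: prefix pointing at an external host is the open-redirect shape. Because the management GUI is the only HTTP service on the management IP, any match against that address is worth an incident ticket regardless of the response code.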

CVE-2013-2251
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85756 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-2013-2248
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85755 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE-2013-2135
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84763 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-2013-2134
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84762 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-2013-2115
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84543 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-2013-1966
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84542 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-2013-1965
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85573 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

AFFECTED PRODUCTS AND VERSIONS:


IBM SAN Volume Controller
IBM Storwize V7000
IBM Storwize V5000
IBM Storwize V3500
IBM Storwize V3700
IBM Flex System V7000

All of the listed products are affected when running a code level below V6.4.1.7 in the 6.x release stream or below V7.1.0.5 in the 7.x release stream.


REMEDIATION:


For IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500 and IBM Flex System V7000, install the V6.4.1.7 or V7.1.0.5 PTF level or higher.
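The fixed level depends on the release stream, so a single "is it below 7.1.0.5" comparison would wrongly flag a patched 6.4.1.7 system. As an added example (not IBM's code), the script below reads the code level from the cluster and decides whether the system is at or above the PTF level this bulletin names for its stream. It assumes the level is taken from the output of the CLI command lssystem, whose code_level line looks like "code_level 7.1.0.3 (build ...)"; that field name and format are an assumption from the product CLI, not something stated on this page, and the sample output is constructed.

```python
"""
Added example, not IBM's code: decide whether a Storwize/SVC code level
is at or above the fixed PTF levels named in this bulletin.

Assumptions (not stated in the bulletin):
  * The level comes from the CLI command `lssystem`, whose output includes a
    line such as "code_level 7.1.0.3 (build 78.3.1307120000)".
  * A release stream is identified by the first two components (6.4, 7.1).
"""
from __future__ import annotations

import re

# Fixed levels per the bulletin: the 6.4 stream is fixed from 6.4.1.7;
# everything else is fixed from 7.1.0.5 upward (6.1-6.3 and 7.0 have no
# fixed level of their own and must move to one of these).
FIX_64 = (6, 4, 1, 7)
FIX_71 = (7, 1, 0, 5)

CODE_LEVEL_RE = re.compile(r"^code_level\s+(\d+(?:\.\d+){3})", re.M)


def parse_level(lssystem_output: str) -> tuple:
    """Extract the four-part code level (e.g. (7, 1, 0, 3)) from lssystem output."""
    m = CODE_LEVEL_RE.search(lssystem_output)
    if not m:
        raise ValueError("no code_level line found in lssystem output")
    return tuple(int(part) for part in m.group(1).split("."))


def is_fixed(level: tuple) -> bool:
    """True if `level` carries the Struts fix according to this bulletin.

    The 6.4 stream is checked against 6.4.1.7 separately, because a plain
    `level >= (7, 1, 0, 5)` test would report a patched 6.4.1.7 as vulnerable.
    """
    if level[:2] == (6, 4):
        return level >= FIX_64
    return level >= FIX_71


def required_level(level: tuple) -> str:
    """Minimum level to install for the given stream, per the bulletin."""
    return "6.4.1.7" if level[:2] == (6, 4) else "7.1.0.5"


def assess(lssystem_output: str) -> dict:
    """Parse lssystem output and report exposure plus the level to install."""
    level = parse_level(lssystem_output)
    fixed = is_fixed(level)
    return {
        "code_level": ".".join(str(p) for p in level),
        "vulnerable": not fixed,
        "upgrade_to": None if fixed else required_level(level),
    }


# Constructed sample: only the lines relevant here are shown.
SAMPLE_LSSYSTEM = """\
id 0000020060C14FFC
name svc_cluster1
code_level 7.1.0.3 (build 78.3.1307120000)
console_IP 192.0.2.10:443
"""

if __name__ == "__main__":
    print(assess(SAMPLE_LSSYSTEM))
```

Feed it the saved output of lssystem from each cluster; a result with "vulnerable": True names the PTF level from the remediation above that the cluster should be taken to.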

Workaround(s) & Mitigation(s):


Access to the system's management IP interface can be restricted, for example by placing it on a private management network or behind a firewall. Only a user who can reach the management IP interface can exploit these vulnerabilities.


REFERENCES:
· Complete CVSS Guide
· On-line Calculator V2


RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

ACKNOWLEDGEMENT

None

CHANGE HISTORY
17 December 2013: Updated to reference V6.4.1.7
16 October 2013: Original Copy Published


Cross reference information

Segment                 Product                     Component   Platform                Version                    Edition
Disk Storage Systems    Flex System V7000           7.1         Platform Independent    6.4, 7.1
Disk Storage Systems    IBM Storwize V3500 (2071)   7.1         Platform Independent    6.4, 7.1
Disk Storage Systems    IBM Storwize V3700 (2072)   7.1         Platform Independent    6.4, 7.1
Disk Storage Systems    IBM Storwize V5000          7.1         Platform Independent    7.1
Storage Virtualization  SAN Volume Controller       7.1         SAN Volume Controller   6.1, 6.2, 6.3, 6.4, 7.1


Document information

More support for: IBM Storwize V7000 (2076), 7.1
Version: 6.1, 6.2, 6.3, 6.4, 7.1
Operating system(s): IBM Storwize V7000
Reference #: S1004481
Modified date: 2013-12-17
