IBM Support

Security Bulletin: Unauthorized access exposure on IBM SAN Volume Controller and Storwize Family (CVE-2013-2251 CVE-2013-2248 CVE-2013-2135 CVE-2013-2134 CVE-2013-2115 CVE-2013-1966 CVE-2013-1965)

Flashes (Alerts)


Abstract

Administrative access to the system via the IP interface may be obtained without authentication.

Content

VULNERABILITY DETAILS:


CVEID: CVE-2013-2251 CVE-2013-2248 CVE-2013-2135 CVE-2013-2134 CVE-2013-2115 CVE-2013-1966 CVE-2013-1965


DESCRIPTION:

A user with access to the system's management IP interface can exploit vulnerabilities in the Apache Struts component. If successful, the user gains access with superuser privilege, which allows any modification to the configuration, including complete deletion.

CVE-2013-2251
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85756 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-2013-2248
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85755 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE-2013-2135
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84763 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-2013-2134
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84762 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-2013-2115
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84543 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-2013-1966
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84542 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-2013-1965
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85573 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

AFFECTED PRODUCTS AND VERSIONS:


IBM SAN Volume Controller
IBM Storwize V7000
IBM Storwize V5000
IBM Storwize V3500
IBM Storwize V3700
IBM Flex System V7000

All products are affected when running a version below V6.4.1.7 or V7.1.0.5.


REMEDIATION:


For IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500 and IBM Flex System V7000, install the V6.4.1.7 or V7.1.0.5 PTF level or higher.
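
The version check implied by the affected-versions and remediation statements above, as an added example that is not part of the IBM bulletin. It assumes code levels up to the 6.4 stream are measured against V6.4.1.7 and later levels against V7.1.0.5; the system names and levels in the sample inventory are constructed.

```python
import re

# Fixed PTF levels named in this bulletin.
FIXED_64 = (6, 4, 1, 7)
FIXED_71 = (7, 1, 0, 5)

def parse_level(text):
    """Return the leading four-part code level as a tuple of ints."""
    m = re.match(r"\s*[Vv]?(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised code level: {text!r}")
    return tuple(int(part) for part in m.groups())

def needs_ptf(text):
    """True if the level is below the fixed level for its stream.

    Assumption (not stated in the bulletin): levels in the 6.4 stream or
    earlier are compared with 6.4.1.7, anything later with 7.1.0.5.
    """
    level = parse_level(text)
    fixed = FIXED_64 if level[:2] <= (6, 4) else FIXED_71
    return level < fixed

def triage(inventory):
    """Sort {system: level} into needs_ptf / ok / unknown name lists."""
    result = {"needs_ptf": [], "ok": [], "unknown": []}
    for name, level in sorted(inventory.items()):
        try:
            key = "needs_ptf" if needs_ptf(level) else "ok"
        except ValueError:
            # Never treat an unreadable level as patched; flag it for review.
            key = "unknown"
        result[key].append(name)
    return result

# Constructed sample inventory: names and levels are made up for illustration.
SAMPLE = {
    "svc-prod-01": "6.3.0.9",
    "v7000-prod": "6.4.1.6",
    "v7000-dr": "6.4.1.7 (build constructed)",
    "v3700-lab": "V7.1.0.3",
    "flex-v7000-a": "7.1.0.5",
    "v5000-edge": "unknown",
}

if __name__ == "__main__":
    for status, names in triage(SAMPLE).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

Systems reported as unknown should have their code level confirmed by hand before they are considered remediated.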

Workaround(s) & Mitigation(s):


Access to the system's IP interface can be restricted, for example using a private network or firewall technology. Only users with access to the IP interface can exploit the vulnerability.



ACKNOWLEDGEMENT

None

CHANGE HISTORY
17 December 2013: Updated to reference V6.4.1.7
16 October 2013: Original Copy Published


Document Information

Modified date:
26 September 2022

UID

ssg1S1004481