Security Bulletin: Vulnerability in the IBM FlashSystem model V840

Summary

There is a vulnerability to which the FlashSystem™ V840 is susceptible. An exploit of this vulnerability could make the system subject to an attack allowing an escalation of privilege. Only systems with 1.4 firmware installed are vulnerable.

Vulnerability Details

CVEID: CVE-2018-1822 DESCRIPTION: IBM FlashSystem product allows a specially crafted attack to gain administrative control or to deny service.
CVSS Base Score: 9.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/150296&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

FlashSystem V840 machine type and models (MTMs) affected include 9840-AE1 and 9843-AE1

Remediation/Fixes

Storage nodes:

9840-AE1 & 9843-AE1

Controller nodes:

9846-AC0, 9846-AC1, 9848-AC0, & 9848-AC1

|

Code fixes are now available. The minimum VRMF containing the fix depends on the code stream:

Fixed Code VRMF

1.5 stream: 1.5.0.0

1.4 stream: 1.4.8.1

Controller Node VRMF

The controller nodes are not susceptible to this vulnerability.

| N/A | FlashSystem V840 fixes are available @ IBM’s Fix Central

Workarounds and Mitigations

None.