Security Bulletin: Privileged access can be obtained from IBM Service account on IBM Storwize V7000 Unified (CVE-2014-3043)

Summary

A fix is available for IBM Storwize V7000 Unified, for the security issue that privileged access can be obtained from IBM Service account.

Vulnerability Details

CVEID:
CVE-2014-3043

DESCRIPTION:
The IBM Storwize V7000 Unified service account can be used to obtain unauthorized privileges on a V7000 Unified system.

The service account is normally used for carrying out regular service functions in IBM Storwize V7000 Unified, such as, initiating a disk discovery process, including disks, applying software, setting the locale, adding or removing a node, changing an error state, setting an event, and writing a serial number.

CVE-2014-3043
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93339 for the current score

Affected Products and Versions

IBM Storwize V7000 Unified
The product is affected when running a code releases 1.3.0.0 to 1.4.3.2

Remediation/Fixes

A fix for this issue is in version 1.4.3.3 of IBM Storwize V7000 Unified. Customers running an affected version of V7000 Unified should upgrade to 1.4.3.3 or a later version to apply the fix.

Workarounds and Mitigations

Workaround(s) : None

Mitigation(s) : None