Lucene search

K
ibmIBM1FDB55812AD3D9AB018A402C76AD1A7D7977943CA45EE64E54E9B459FD5AD0BA
HistoryMar 29, 2023 - 1:48 a.m.

Security Bulletin: Vulnerabilities in the Linux kernel affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem V9000 products

2023-03-2901:48:02
www.ibm.com
92
ibm
san volume controller
storwize
spectrum virtualize
flashsystem v9000
vulnerabilities
linux kernel
authenticated attacker
sensitive information
cve-2020-10732
cve-2020-10774
remediation
upgrading
code levels

CVSS2

3.6

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:N/A:P

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.2

Confidence

High

EPSS

0.001

Percentile

19.5%

Summary

Multiple vulnerabilities in the Linux kernel could allow an authenticated attacker to obtain sensitive information.

Vulnerability Details

**CVEID:**CVE-2020-10732 DESCRIPTION: Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by a flaw in the implementation of Userspace core dumps. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information or cause a program to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/181554 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

**CVEID:**CVE-2020-10774 DESCRIPTION: Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by a flaw in the sysctl subsystem. By reading the file /proc/sys/kernel/rh_features, an attacker could exploit this vulnerability to obtain uninitialized values from the kernel memory.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192481 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

IBM SAN Volume Controller
IBM Storwize V7000
IBM Storwize V5000
IBM Storwize V5100
IBM FlashSystem V9000
IBM FlashSystem 9100 Family
IBM FlashSystem 9200
IBM FlashSystem 7200
IBM FlashSystem 5200
IBM FlashSystem 5000
IBM Spectrum Virtualize Software
IBM Spectrum Virtualize for Public Cloud

All products are affected when running supported version 8.4 (except 8.4.2.0 and later).

Remediation/Fixes

IBM recommends that you fix this vulnerability by upgrading affected versions of IBM SAN Volume Controller, IBM Storwize V7000, IBM Storwize V5000 and V5100, IBM Storwize V5000E, IBM Spectrum Virtualize Software, IBM Spectrum Virtualize for Public Cloud, IBM FlashSystem V9000, IBM FlashSystem 9100 Family, IBM FlashSystem 9200, IBM FlashSystem 7200, IBM FlashSystem 5200 and IBM FlashSystem 5000 to the following code levels or higher:

8.4.0.5

8.4.2.0

Latest IBM SAN Volume Controller Code
Latest IBM Storwize V7000 Code
Latest IBM Storwize V5000 and V5100 Code
Latest IBM Storwize V5000E Code
Latest IBM FlashSystem V9000 Code
Latest IBM FlashSystem 9100 Family Code
Latest IBM FlashSystem 9200 Code
Latest IBM FlashSystem 7200 Code
Latest IBM FlashSystem 5000 and 5200 Code
Latest IBM Spectrum Virtualize Software
Latest IBM Spectrum Virtualize for Public Cloud

For the Storage Nodes of IBM FlashSystem 900, please apply the fixes recommended in the IBM FlashSystem security bulletin for this issue.

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmflashsystem_v9000_firmwareMatch5000
OR
ibmall_products_are_affected_when_running_supported_version_8.4_\(exceptMatch8.4.2.0
VendorProductVersionCPE
ibmflashsystem_v9000_firmware5000cpe:2.3:o:ibm:flashsystem_v9000_firmware:5000:*:*:*:*:*:*:*
ibmall_products_are_affected_when_running_supported_version_8.4_\(except8.4.2.0cpe:2.3:a:ibm:all_products_are_affected_when_running_supported_version_8.4_\(except:8.4.2.0:*:*:*:*:*:*:*

CVSS2

3.6

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:N/A:P

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.2

Confidence

High

EPSS

0.001

Percentile

19.5%