Security Bulletin: TSSC/IMC is vulnerable to aritrary code excecution due to curl (CVE-2023-27536, CVE-2023-28321)

Summary

TSSC/IMC is vulnerable to aritrary code excecution due to cURL. A patch has been provided that updates the curl library. (CVE-2023-30630, CVE-2023-28321)

Vulnerability Details

CVEID:CVE-2023-27536
**DESCRIPTION:**cURL libcurl could allow a remote attacker to bypass security restrictions, caused by a GSS delegation too eager connection re-use flaw. By sending a specially crafted request, an attacker could exploit this vulnerability to reuse a previously created connection even when the GSS delegation.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250531 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2023-28321
**DESCRIPTION:**cURL libcurl could allow a remote attacker to bypass security restrictions, caused by a flaw when listed as “Subject Alternative Name” in TLS server certificates. By sending a specially crafted request, an attacker could exploit this vulnerability to accept mismatch wildcard patterns.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/255625 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

Upgrade to 9.4.26/9.5.8

Download patch and execute on TSSC/IMC system

Total Storage Service Console (TSSC) / TS4500 IMC| 9.4.21|

Upgrade to 9.4.26/9.5.8

Download patch and execute on TSSC/IMC system

Total Storage Service Console (TSSC) / TS4500 IMC| 9.4.26| Download patch and execute on TSSC/IMC system
Total Storage Service Console (TSSC) / TS4500 IMC| 9.5.8| Download patch and execute on TSSC/IMC system

Workarounds and Mitigations

None