Security Bulletin: RPM vulnerability issue on IBM SONAS (CVE-2013-6435)

2018-06-1800:09:23

www.ibm.com

7.6 High

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:H/Au:N/C:C/I:C/A:C

JSON

Summary

A fix is available for IBM SONAS, for the security issue that an attacker could execute arbitrary code on the system by exploiting a vulnerability in RPM

Vulnerability Details

CVEID: CVE-2013-6435 DESCRIPTION: RPM Package Manager (RPM) is a package management system. It is used in IBM SONAS. RPM Package Manager has a flaw in managing temporary files during package installation. An attacker could exploit this vulnerability to execute arbitrary code on the system.

CVSS Base Score: 6.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/99254> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Affected Products and Versions

IBM SONAS

All products are affected when running code releases 1.3, 1.4 and 1.5 except for version 1.5.2.0 and above.

Remediation/Fixes

IBM recommends that you fix this vulnerability by upgrading affected versions of IBM SONAS to the following code level or higher:

1.5.2.0

Please contact IBM support for assistance in upgrading your system.

CPENameOperatorVersion
network attached storage (nas)->scale out network attached storageeq1.3
network attached storage (nas)->scale out network attached storageeq1.4
network attached storage (nas)->scale out network attached storageeq1.5

Name	Operator	Version
network attached storage (nas)->scale out network attached storage	eq	1.3
network attached storage (nas)->scale out network attached storage	eq	1.4
network attached storage (nas)->scale out network attached storage	eq	1.5