logo
DATABASE RESOURCES PRICING ABOUT US

Security Bulletin: Vulnerability in Bash affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (CVE-2016-0634)

Description

## Summary A vulnerability in Bash affects IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500, IBM Spectrum Virtualize Software, IBM Spectrum Virtualize for Public Cloud and IBM FlashSystem V9000 products. OpenSSH is used in the Command Line Interface. ## Vulnerability Details **CVEID:** [_CVE-2016-0634_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0634>)** DESCRIPTION:** GNU Bash could allow a local attacker to execute arbitrary code on the system, caused by an error related to the expansion of the $HOSTNAME. By injecting the hostname with malicious code, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base Score: 4.9 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121373_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121373>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L) ## Affected Products and Versions IBM SAN Volume Controller IBM Storwize V7000 IBM Storwize V5000 IBM Storwize V3700 IBM Storwize V3500 IBM FlashSystem V9000 IBM Spectrum Virtualize Software IBM Spectrum Virtualize for Public Cloud All products are affected when running supported versions 7.5 to 8.1. ## Remediation/Fixes IBM recommends that you fix this vulnerability by upgrading affected versions of IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500, IBM FlashSystem V9000, IBM Spectrum Virtualize Software, and IBM Spectrum Virtualize for Public Cloud to the following code levels or higher: 7.7.1.9 7.8.1.6 8.1.1.2 8.1.2.1 [_Latest IBM SAN Volume Controller Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Storage%20virtualization&product=ibm/StorageSoftware/SAN+Volume+Controller+\(2145\)&release=All&platform=All&function=all>) [_Latest IBM Storwize V7000 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Mid-range%20disk%20systems&product=ibm/Storage_Disk/IBM+Storwize+V7000+\(2076\)&release=All&platform=All&function=all>) [_Latest IBM Storwize V5000 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Mid-range%20disk%20systems&product=ibm/Storage_Disk/IBM+Storwize+V5000&release=All&platform=All&function=all>) [_Latest IBM Storwize V3700 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Entry-level%20disk%20systems&product=ibm/Storage_Disk/IBM+Storwize+V3700&release=All&platform=All&function=all>) [_Latest IBM Storwize V3500 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Entry-level%20disk%20systems&product=ibm/Storage_Disk/IBM+Storwize+V3500&release=All&platform=All&function=all>) [_Latest IBM FlashSystem V9000 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%20high%20availability%20systems&product=ibm/StorageSoftware/IBM+FlashSystem+V9000&release=All&platform=All&function=all>) [_Latest IBM Spectrum Virtualize Software_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Virtualize+software&release=8.1&platform=All&function=all>) [_Latest IBM Spectrum Virtualize for Public Cloud_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Virtualize+for+Public+Cloud&release=8.1&platform=All&function=all>) For unsupported versions of the above products, IBM recommends upgrading to a fixed, supported version of code. ## Workarounds and Mitigations Although IBM recommends that you install a level of code with a fix for this vulnerability, you can mitigate, although not eliminate, your risk until you have done so by ensuring that all users who have access to the system are authenticated by another security system such as a firewall. ## Get Notified about Future Security Bulletins Subscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this. ### References [Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> "Link resides outside of ibm.com" ) [On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> "Link resides outside of ibm.com" ) [Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> "Link resides outside of ibm.com" ) [On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> "Link resides outside of ibm.com" ) Off ## Related Information [IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) [IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>) [_Subscribe to Security Bulletins_](<http://www.ibm.com/support/mynotifications/>) ## Acknowledgement None ## Change History 11 May 2018: Original version published *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin. ## Disclaimer Review the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/bulletin/#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment. [{"Product":{"code":"ST3FR7","label":"IBM Storwize V7000 (2076)"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Component":"6.1","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.1;6.2;6.3;6.4;7.1;7.2;7.3;7.4;7.5;7.6;7.6.1;7.7;7.7.1;7.8;7.8.1;8.1;8.1.1;8.1.2","Edition":"","Line of Business":{"code":"","label":""}},{"Product":{"code":"STLM6B","label":"IBM Storwize V3500 (2071)"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Component":"Not Applicable","Platform":[{"code":"PF025","label":"Platform Independent"},{"code":"PF025","label":"Platform Independent"}],"Version":"Version Independent;Version Independent","Edition":"","Line of Business":{"code":"","label":""}},{"Product":{"code":"STLM5A","label":"IBM Storwize V3700 (2072)"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Component":"Not Applicable","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"Version Independent","Edition":"","Line of Business":{"code":"","label":""}},{"Product":{"code":"STHGUJ","label":"IBM Storwize V5000 and V5100"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Component":"Not Applicable","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"Version Independent","Edition":"","Line of Business":{"code":"","label":""}},{"Product":{"code":"STPVGU","label":"SAN Volume Controller"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Component":"Not Applicable","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"Version Independent","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}},{"Product":{"code":"STKMQV","label":"IBM FlashSystem V9000"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Component":" ","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"Version Independent","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}},{"Product":{"code":"SS4S7L","label":"IBM Spectrum Virtualize Software"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Component":"Not Applicable","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}},{"Product":{"code":"STHLEK","label":"IBM Spectrum Virtualize for Public Cloud"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Component":" ","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}}]


Affected Software


CPE Name Name Version
ibm storwize v7000 (2076) 6.1
ibm storwize v7000 (2076) 6.2
ibm storwize v7000 (2076) 6.3
ibm storwize v7000 (2076) 6.4
ibm storwize v7000 (2076) 7.1
ibm storwize v7000 (2076) 7.2
ibm storwize v7000 (2076) 7.3
ibm storwize v7000 (2076) 7.4
ibm storwize v7000 (2076) 7.5
ibm storwize v7000 (2076) 7.6
ibm storwize v7000 (2076) 7.6.1
ibm storwize v7000 (2076) 7.7
ibm storwize v7000 (2076) 7.7.1
ibm storwize v7000 (2076) 7.8
ibm storwize v7000 (2076) 7.8.1
ibm storwize v7000 (2076) 8.1
ibm storwize v7000 (2076) 8.1.1
ibm storwize v7000 (2076) 8.1.2
ibm spectrum virtualize software any
ibm spectrum virtualize for public cloud any

Related