Lucene search

IBM4A7967242C08B755CAC42817C5DE1D6873E083E250B638848D5A13A44961714B

HistoryOct 09, 2019 - 5:11 p.m.

Security Bulletin: A Vulnerability in Java affects the IBM FlashSystem models V840 and V9000

2019-10-0917:11:49

www.ibm.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

JSON

Summary

There is a vulnerability in Java to which the IBM FlashSystem™ V840 and FlashSystem V9000 are susceptible (CVE-2019-2602). An exploit of CVE-2019-2602 could make the system susceptible to a denial of service attack.

Vulnerability Details

CVEID: CVE-2019-2602 DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/159698> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Storage Node machine type and models (MTMs) affected:

9846-AE1 and 9848-AE1
9846-AE2 and 9848-AE2
9846-AE3 and 9848-AE3

Controller Node MTMs affected:

9846-AC0 and 9848-AC0
9846-AC1 and 9848-AC1
9846-AC2 and 9848-AC2
9846-AC3 and 9848-AC3

Supported storage node code versions which are affected

VRMFs prior to 1.5.2.6
VRMFs prior to 1.6.1.0

Supported controller node code versions which are affected

VRMFs prior to 7.8.1.10
VRMFs prior to 8.2.1.6
VRMFs prior to 8.3.0.0

Remediation/Fixes

MTMs

Controller nodes:
9846-AC0, 9846-AC1, 9848-AC0, 9848-AC1, 9846-AC2, 9848-AC2, 9846-AC3, & 9848-AC3 |

Code fixes are now available, the minimum VRMF containing the fix depends on the code stream:_ _

__Fixed Code VRMF __
1.6 stream: 1.6.1.0

1.5 stream: 1.5.2.6

__Controller Node VRMF __
8.3 stream: 8.3.0.0
8.2 stream: 8.2.1.6

7.8 stream: 7.8.1.10

| N/A |

FlashSystem V840 fixesor FlashSystem V9000 fixes for storage and controller nodeare available @ IBM’s Fix Central

Note: Not all streams may be supported for upgrade for different products. Refer to the Fix Central links above for available fixes for the appropriate product.

Workarounds and Mitigations

Upgrade to a remediated code level.

CPENameOperatorVersion
ibm flashsystem softwareeqany
ibm flashsystem v9000eqany

CPE	Name	Operator	Version
	ibm flashsystem software	eq	any
	ibm flashsystem v9000	eq	any

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

JSON

Related for 4A7967242C08B755CAC42817C5DE1D6873E083E250B638848D5A13A44961714B