# Security Bulletin: Vulnerabilities in SSL and TLS protocols affect SAN Volume Controller and Storwize Family (CVE-2011-3389)


## Summary

SSL and TLS vulnerabilities were disclosed in September 2011. This vulnerability has been referred to as the "BEAST" attack. The SSL protocol is used by SAN Volume Controller and the Storwize Family.

## Vulnerability Details

**CVE-ID**: [_CVE-2011-3389_](<https://vulners.com/cve/CVE-2011-3389>)

**DESCRIPTION**: Multiple products could allow a remote attacker to obtain sensitive information, caused by a design error in the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols when using a Cipher-Block Chaining (CBC) based cryptographic algorithm. By persuading a victim to visit a Web site, a remote attacker could exploit this vulnerability using man-in-the-middle techniques to decrypt HTTPS sessions and obtain sensitive information.

CVSS Base Score: 4.3
CVSS Temporal Score: See [**_http://xforce.iss.net/xforce/xfdb/70069_**](<http://xforce.iss.net/xforce/xfdb/70069>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

## Affected Products and Versions

- IBM SAN Volume Controller
- IBM Storwize V7000
- IBM Storwize V5000
- IBM Storwize V3700
- IBM Storwize V3500

All products are affected when running supported releases 1.1 to 7.3. Release 7.4 is not affected once the minimum SSL protocol level has been set (see below).
## Remediation/Fixes

IBM recommends that you fix this vulnerability by upgrading affected versions of IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500 to the following code levels or higher:

- [_Latest SAN Volume Controller Code_](<http://www-01.ibm.com/support/docview.wss?rs=591&uid=ssg1S1001707>)
- [_Latest Storwize V7000 Code_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1003705>)
- [_Latest Storwize V5000 Code_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004336>)
- [_Latest Storwize V3700 Code_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004172>)
- [_Latest Storwize V3500 Code_](<http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004171>)

If running code before, please run one of the following commands ...

```
chsecurity -sslprotocol 2
chsecurity -sslprotocol 3
```

[_SAN Volume Controller 7.4 Knowledge Centre - chsecurity command_](<http://www-01.ibm.com/support/knowledgecenter/STPVGU_7.4.0/com.ibm.storage.svc.console.740.doc/svc_chsecurity.html?lang=en>)

The default SSL protocol in and is not vulnerable, so running chsecurity is not necessary.

IBM recommends that you review your entire environment to identify the levels of SSL protocol being used.

## Workarounds and Mitigations

Although IBM recommends that you install a level of code with a fix for this vulnerability, you can mitigate, although not eliminate, your risk until you have done so by ensuring that all users who have access to the system are authenticated by another security system such as a firewall.

## Affected Software

| Name | Version |
|---|---|
| ibm storwize v7000 | 6.1 |
| ibm storwize v7000 | 6.2 |
| ibm storwize v7000 | 6.3 |
| ibm storwize v7000 | 6.4 |
| ibm storwize v7000 | 7.1 |
| ibm storwize v7000 | 7.2 |
| ibm storwize v7000 | 7.3 |
| ibm storwize v3500 (2071) | 6.4 |
| ibm storwize v3500 (2071) | 7.1 |
| ibm storwize v3500 (2071) | 7.2 |
| ibm storwize v3500 (2071) | 7.3 |
| ibm storwize v3700 (2072) | 6.4 |
| ibm storwize v3700 (2072) | 7.1 |
| ibm storwize v3700 (2072) | 7.2 |
| ibm storwize v3700 (2072) | 7.3 |
| ibm storwize v5000 | 7.1 |
| ibm storwize v5000 | 7.2 |
| ibm storwize v5000 | 7.3 |
| san volume controller | 6.1 |
| san volume controller | 6.2 |
| san volume controller | 6.3 |
| san volume controller | 6.4 |
| san volume controller | 7.1 |
| san volume controller | 7.2 |
| san volume controller | 7.3 |