History: Jun 18, 2018 - 12:08 a.m.

Security Bulletin: Password provided for executing chkauth is logged in audit log on IBM Storwize V7000 Unified (CVE-2014-3077)

2018-06-18 00:08:28
www.ibm.com
EPSS: 0
Percentile: 5.1%

Summary

A fix is available for IBM Storwize V7000 Unified for a security issue in which the password provided when executing chkauth is logged in the audit log.

Vulnerability Details

CVEID: CVE-2014-3077

DESCRIPTION:
Under some circumstances, user details appear in the system audit log. An attacker could exploit this vulnerability to gain unauthorized access to the system.

CVSS Base Score: 1.7
CVSS Vector: (AV:L/AC:L/Au:S/C:P/I:N/A:N)
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93906 for the current score

Affected Products and Versions

IBM Storwize V7000 Unified
The product is affected when running code releases 1.3.0.0 to 1.4.3.3

Remediation/Fixes

A fix for this issue is in version 1.4.3.4 of IBM Storwize V7000 Unified. Customers running an affected version of V7000 Unified should upgrade to 1.4.3.4 or a later version so that the fix is applied.

Workarounds and Mitigations

Workaround(s):
Avoid using an authentication server that is not protected behind a firewall. This vulnerability can be exploited only by someone who can obtain access to the authentication server.

Mitigation(s): None
