There is a vulnerability in Apache Struts to which the IBM® FlashSystem™ V840 is susceptible. An exploit of this vulnerability could allow a remote attacker to gain unauthorized access to the system.
CVEID: CVE-2015-5209**
DESCRIPTION:** Apache Struts could allow a remote attacker to gain unauthorized access to the system. An attacker could exploit this vulnerability using a special top-level object to manipulate internal settings and modify another user session.
CVSS Base Score: 9.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/106695 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
FlashSystem V840 including machine type and models (MTMs) for all available code levels. MTMs affected include 9846-AE1, 9848-AE1, 9846-AC0, 9848-AC0, 9846-AC1, and 9848-AC1.
V840 MTMs
| VRMF| APAR| Remediation/First Fix
—|—|—|—
Storage nodes:
9846-AE1 &
9848-AE1
Control nodes: 9846-AC0,
9846-AC1,
9848-AC0 &
9848-AC1| _Code fixes are now available, the minimum VRMF containing the fix depends on the code stream:
Storage Node VRMF . _
1.4 stream: 1.4.0.10 (or later)
1.3 stream: 1.3.0.5 (or later)
1.2 stream: 1.2.1.9 (or later)
Controller Node VRMF .
7.6 stream: 7.6.0.4 (or later)
7.5 stream: 7.5.0.7 (or later)
7.4 stream: 7.4.0.9 (or later)| _ _N/A| No workarounds or mitigations, other than applying this code fix, are known for this vulnerability
FlashSystem V840 fixes**for storage and controller node **are available @ IBM’s Fix Central
None