Security Bulletin: A vulnerability exists in the management GUI of the IBM FlashSystem 900

Summary

A vulnerability (CVE-2020-4987) affects the IBM FlashSystem model 900 management GUI.

Vulnerability Details

CVEID:CVE-2020-4987
**DESCRIPTION:**IBM FlashSystem 900 user management GUI is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 6.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192702 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)

Affected Products and Versions

Storage Node machine type and models (MTMs) affected:

• 9840-AE1 and 9843-AE1
• 9840-AE2 and 9843-AE2
• 9840-AE3 and 9843-AE3

Supported storage node code versions which are affected:

• VRMFs 1.5.2.8 and prior

• VRMFs 1.6.1.2 and prior

**Note:**For information on IBM FlashSystem V9000 SVC code levels affected and remediated, search for the equivalent security bulletin here: IBM Support

Remediation/Fixes

9840-AE1 and 9843-AE1

FlashSystem 900 MTMs:

9843-UF3, 9840-AE2, 9843-AE2, 9840-AE3, and 9843-AE3

Note: AE1 systems are no longer supported.

|

Code fixes are now available, the minimum VRMF containing the fix depending on the code stream:

Fixed Code VRMF:

1.6 stream: 1.6.1.3

1.5 stream: 1.5.2.9

| N/A | FlashSystem 900 fixes are available at IBM’s Fix Central website. FlashSystem 840 is no longer supported.

Workarounds and Mitigations

Upgrade to a supported firmware level.