
Security Bulletin: IBM b-type SAN switches and directors affected by XSS vulnerabilities CVE-2017-6225.

Published: 2023-02-28 01:48:51
Source: www.ibm.com

6.1 Medium (CVSS3)

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | REQUIRED |
| Scope | CHANGED |
| Confidentiality Impact | LOW |
| Integrity Impact | LOW |
| Availability Impact | NONE |

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

4.3 Medium (CVSS2)

| Metric | Value |
|---|---|
| Access Vector | NETWORK |
| Access Complexity | MEDIUM |
| Authentication | NONE |
| Confidentiality Impact | NONE |
| Integrity Impact | PARTIAL |
| Availability Impact | NONE |

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS: 0.003 (Low), Percentile: 66.1%

Summary

Fabric OS is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the web-based management interface. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

Vulnerability Details

**CVEID:** CVE-2017-6225
**DESCRIPTION:** Brocade Fabric OS is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the web-based management interface. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/138944 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

| Affected IBM b-type Network/Storage switches | Affected Versions |
|---|---|
| IBM FOS Firmware | 7.X prior to 7.4.2b |
| IBM FOS Firmware | 8.X prior to 8.1.2a |

Remediation/Fixes

| Product | VRMF | Fix |
|---|---|---|
| IBM FOS Firmware | 7.4.2b | ftp://public.dhe.ibm.com/storage/san/fos7/v7.4.2b_ReleaseNotes_v1.0.pdf |
| IBM FOS Firmware | 8.1.2a | ftp://public.dhe.ibm.com/storage/san/fos8/v8.1.2a_ReleaseNotes_v1.0.pdf |

Workarounds and Mitigations

None
