History: Jun 05, 2024 - 9:36 p.m.

Security Bulletin: DS8900F DSCLI LDAP Client allows unauthenticated-bind LDAP with valid user name and empty password (CVE-2024-22326)

Published: 2024-06-05 21:36:33
Source: www.ibm.com
Tags: ibm ds8900f, ldap, unauthenticated-bind, vulnerability, fix, microcode, rcl

CVSS3: 5 Medium (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L)
Attack Vector: NETWORK; Attack Complexity: HIGH; Privileges Required: NONE; User Interaction: REQUIRED; Scope: UNCHANGED; Confidentiality Impact: LOW; Integrity Impact: LOW; Availability Impact: LOW
AI Score: 5.6 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 9.1%)

Summary

The updates indicated below have been released to address CVE-2024-22326 (Deny unauthenticated-bind LDAP connection request).

Vulnerability Details

CVEID: CVE-2024-22326
**DESCRIPTION:** IBM System Storage DS8000 could allow a remote user to create an LDAP connection with a valid username and empty password to establish an anonymous connection.
CVSS Base score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/279518 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L)

Affected Products and Versions

Affected Products/Versions guidance:

All versions of microcode for the DS8900F prior to and including the following version(s) are affected.

**Note 1:** CVE-2024-22326 only affects DS8900F HMCs that connect to LDAP server(s) that allow unauthenticated BIND.

Affected Product(s) | Version(s)
---|---
R9.2 | 89.22.19.0
R9.3 | 89.30.68.0, 89.32.40.0, 89.33.48.0
R9.4 | 89.40.83.0, 89.40.93.0

Remediation/Fixes

Remediation/Fixes guidance:

DS8900F fixes are delivered in Microcode Bundle 89.41.23.0 (R9.4 SP1.1).

DS8900F customers should either schedule Remote Code Load (RCL) via <https://www.ibm.com/support/pages/ibm-remote-code-load> or contact IBM support, and request that 89.41.23.0 be applied to their systems.
NOTE: For the current recommended code releases, please see <https://www.ibm.com/support/pages/ds8000-code-recommendation>

Workarounds and Mitigations

Workarounds/Mitigation guidance:

IBM strongly recommends addressing the vulnerability now by upgrading to an LDAP server version that disables unauthenticated bind.
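The condition described in the bulletin (a non-empty user name with an empty simple password) is what RFC 4513 section 5.1.2 calls an unauthenticated bind: a compliant server treats it as anonymous, but a client that only checks the bind result code sees success. The following is an added example, not IBM's code and not part of the bulletin. It encodes and decodes LDAPv3 simple BindRequests with a minimal BER codec so that a captured bind can be classified as anonymous, unauthenticated or authenticated (a check a defender can run over captured LDAP traffic), and it shows the client-side guard that refuses to send an unauthenticated bind in the first place, which is the behaviour the fix title "Deny unauthenticated-bind LDAP connection request" describes. The DN and function names are constructed for the example.

```python
"""Classify LDAPv3 simple binds and refuse unauthenticated ones (added example)."""

# --- minimal BER helpers (RFC 4511 uses BER for LDAPMessage) -----------------

def _ber_len(n):
    """Encode a BER length (short form below 0x80, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, payload):
    """Encode one tag-length-value element."""
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _read_tlv(buf, pos):
    """Decode one TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


# --- encoding: used here only to construct sample traffic ---------------------

def build_bind_request(msg_id, name, password, version=3):
    """Encode LDAPMessage { messageID, BindRequest { version, name, simple } }.

    BindRequest is [APPLICATION 0] (tag 0x60); the simple credential is the
    context-specific [0] OCTET STRING (tag 0x80). Constructed sample only.
    """
    bind = (_tlv(0x02, bytes([version]))
            + _tlv(0x04, name.encode())
            + _tlv(0x80, password.encode()))
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind))


# --- decoding and classification (the detection side) --------------------------

def parse_bind_request(pkt):
    """Return the fields of a simple BindRequest, or None if pkt is another op."""
    tag, body, _ = _read_tlv(pkt, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = _read_tlv(body, 0)
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x60:
        return None
    _, ver, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    auth_tag, auth, _ = _read_tlv(op, pos)
    return {
        "message_id": int.from_bytes(mid, "big"),
        "version": ver[0],
        "name": name.decode(),
        "auth_tag": auth_tag,
        "simple_len": len(auth) if auth_tag == 0x80 else None,
    }


def classify_bind(info):
    """Apply the RFC 4513 section 5.1 definitions to a parsed BindRequest."""
    if info["auth_tag"] != 0x80:
        return "sasl"
    if info["name"] == "" and info["simple_len"] == 0:
        return "anonymous"
    if info["name"] != "" and info["simple_len"] == 0:
        return "unauthenticated"  # the pattern behind CVE-2024-22326
    return "simple-authenticated"


# --- client-side mitigation ------------------------------------------------------

def safe_simple_bind(name, password):
    """Build a BindRequest only when it cannot degrade to an anonymous session."""
    if not name or not password:
        raise ValueError("refusing anonymous/unauthenticated simple bind")
    return build_bind_request(1, name, password)


if __name__ == "__main__":
    sample = build_bind_request(1, "cn=admin,dc=example,dc=com", "")  # constructed
    print(sample.hex())
    print(classify_bind(parse_bind_request(sample)))  # unauthenticated
```

The server-side counterpart of `safe_simple_bind` is the configuration change the bulletin recommends: a directory that rejects unauthenticated binds (the RFC's default, `unwillingToPerform`) closes the gap even for clients that have not been patched, while the client-side guard protects against servers that still accept them.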

