IBM9AA2D01BEA70E4B4628BB9B646B36737F01CD010876F58F1CF60614E306E2FA9Security Bulletin: Account specific information likely to be present in Service Advisor data (FFDC) on the Integrated Management Module II (IMM2) (CVE-2014-0882)
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
Summary
Account specific information may be present in Service Advisor data (FFDC) on IMM2.
Vulnerability Details
Abstract
Account specific information may be present in Service Advisor data (FFDC) on IMM2.
Content
Vulnerability Details:
CVE ID: CVE-2014-0882
Description:
There are certain configurations where the generated Service Advisor data (FFDC) on the IMM2 system may contain specific account information related to that configuration in the Service Advisor data.
CVSS Base Score: 4.0
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/91149> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)
Affected products and versions
- Flex System x220 Compute Node
- Flex System x222 Compute Node
- Flex System x240 Compute Node
- Flex System x440 Compute Node
- Flex System Manager Node, 7955 and 8731
- NeXtScale nx360 M4
- System x3100 M4
- System x3250 M4
- System x3500 M4
- System x3530 M4
- System x3550 M4
- System x3630 M4
- System x3650 M4
- System x3750 M4
- System x iDataPlex dx360 M4
Firmware versions:
- v3.50 1AOO50B
- 3.55 1AOO50E
- 3.56 1AOO50K
- v3.65 1AOO50D
- v3.67 1AOO50G
Remediation:
IBM recommends updating to the following firmware level or later. Firmware updates are available through IBM Fix Central.
- v3.78 1AOO52Y (Replaces v3.50 1AOO50B, v3.55 1AOO50E, and v3.56 1AOO50K)
- v3.70 1AOO52Q (Replaces v3.65 1AOO50D)
- v3.71 1AOO52W (Replaces v3.65 1AOO50D for System x3550 M4)
- v3.74 1AOO52R (Replaces v3.67 1AOO50G)
For Flex System Manager Node, IBM recommends applying the following fix, available through IBM Fix Central
- fsmfix1.3.1.0_IC99723
Workaround(s) & Mitigation(s):
None
References:
Related Information:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Acknowledgement
None
Change History
28 February 2014: Original Copy Published
- The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P