Aug 09, 2024 - 11:54 a.m.

Security Bulletin: Multiple Vulnerabilities in XCC affect IBM Cloud Pak System

2024-08-09 11:54:44
www.ibm.com
ibm cloud pak system
xclarity controller
vulnerabilities
patch
update
cve-2023-4607
cve-2023-25492
cve-2023-25495
cve-2023-0683

CVSS3: 8.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.9
Confidence: High

EPSS: 0.001
Percentile: 40.0%

Summary

Multiple Vulnerabilities in XClarity Controller (XCC) affect IBM Cloud Pak System. XCC is used by Cloud Pak System. IBM Cloud Pak System has addressed these vulnerabilities.

Vulnerability Details

CVEID: CVE-2023-4607
**DESCRIPTION:** Lenovo XClarity Controller (XCC) could allow a remote authenticated attacker to gain elevated privileges on the system. By sending a specially crafted API command, an attacker could exploit this vulnerability to change permissions for any user.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266004 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2023-25492
**DESCRIPTION:** Lenovo XClarity Controller (XCC) is vulnerable to a denial of service, caused by a format string injection flaw in the XCC web user interface. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250234 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2023-25495
**DESCRIPTION:** Lenovo XClarity Controller (XCC) could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw in the web interface API. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain the configured LDAP client password information, and use this information to launch further attacks against the affected system.
CVSS Base score: 4.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250235 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2023-0683
**DESCRIPTION:** Lenovo XClarity Controller (XCC) could allow a local authenticated attacker to gain elevated privileges on the system, caused by an unspecified flaw. By sending a specifically crafted API call, an authenticated attacker could exploit this vulnerability to gain elevated privileges.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250233 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Cloud Pak System | 2.3.3.0 |
| IBM Cloud Pak System | 2.3.3.3, 2.3.3.3 iFix1 |
| IBM Cloud Pak System | 2.3.3.4 |
| IBM Cloud Pak System | 2.3.3.5 |
| IBM Cloud Pak System | 2.3.3.6, 2.3.3.6 iFix1, 2.3.3.6 iFix2 |
| SN550, SR630, OEMSR630 | XClarity Controller (XCC) |

Remediation/Fixes

The recommended solution for Cloud Pak System is to update XClarity Controller (XCC) with Cloud Pak System 2.3.4.0, as reported in the table below. IBM recommends that customers apply the fix below as soon as practical.

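| Product | System Node(s) | Version(s) |
|---|---|---|
| IBM Cloud Pak Systems 2.3.4.0 (Intel) | SN550 | XCC (6.20) TEI3F2H |
| IBM Cloud Pak Systems 2.3.4.0 (Intel) | SR630 | XCC (9.80) CDI3B2H |
| IBM Cloud Pak Systems 2.3.4.0 (Intel) | OEMSR630 | XCC (9.80) CDI3B2H |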

Workarounds and Mitigations

None

Affected configurations

Node: ibm cloud_pak_system, Match 2.3.3

| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | cloud_pak_system | 2.3.3 | cpe:2.3:a:ibm:cloud_pak_system:2.3.3:*:*:*:*:*:*:* |
