Security Bulletin: IBM Storage Fusion could be vulnerable to code injection via use of quartz/quartz-jobs [CVE-2023-39107]

Summary

The Java library quartz/quartz-jobs is used by IBM Storage Fusion for backup scheduling. A vulnerability in this library includes code injection that could lead to execution of arbitrary code as described in the CVE listed in the “Vulnerabilities Details” section. This bulletin identifies the steps to take to address the vulnerability.

Vulnerability Details

CVEID:CVE-2023-39017
**DESCRIPTION:**Quartz Job Scheduler could allow a remote attacker to execute arbitrary code on the system, caused by improper neutralization of user supplied-input by the org.quartz.jobs.ee.jms.SendQueueMessageJob.execute component. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/262034 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

• Upgrade to IBM Storage Fusion 2.7.0 or 2.7.1
• Link to 2.7.0 fix: <https://www.ibm.com/support/pages/node/7050643&gt;
• Link to 2.7.1 fix: <https://www.ibm.com/support/pages/node/7080124&gt;

Workarounds and Mitigations

None