Security Bulletin: A cross-site request forgery vulnerability affects the IBM FlashSystem model V9000 (CVE-2015-7446)

Summary

There is a cross-site request forgery vulnerability to which the IBM® FlashSystem™ V9000 is susceptible. An exploit of this vulnerability could allow cross-site scripting attacks, Web cache poisoning, and other malicious activities.

Vulnerability Details

CVEID: CVE-2015-7446 DESCRIPTION: IBM Flash System V9000 is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108187 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Affected Products and Versions

FlashSystem V9000 including machine type and models (MTMs) for all available code levels. MTMs affected include 9846-AE2, 9848-AE2, 9846-AC2, and 9848-AC2

Remediation/Fixes

V9000 MTMs

| VRMF| APAR| Remediation/First Fix
—|—|—|—
V9000 MTMs:
9846-AE2,
9848-AE2,
9846-AC2 &
9848-AC2| Code fixes are now available, the minimum VRMF containing the fix depends on the code stream. These code levels work for both the storage enclosure nodes (-AEx) and the control nodes (-ACx)

Code Fix VRMF .
7.6 stream: 7.6.0.4 (or later)
7.5 stream: 7.5.1.3 (or later)
7.4 stream: 7.4.1.4 (or later)| _ _N/A| No workarounds or mitigations, other than applying this code fix, are known for this vulnerability

FlashSystem V9000 fixes**for storage and controller node **are available @ IBM’s Fix Central

Workarounds and Mitigations

None