Security Bulletin: Incorrect access control list (ACL) might occur in case of a network retransmission, when Active Cloud Engine (ACE) is being used on IBM Storwize V7000 Unified system (CVE-2014-0875)

Summary

Incorrect access control list (ACL) might occur in case of a network retransmission, when Active Cloud Engine (ACE) is being used.

Vulnerability Details

CVEID: CVE-2014-0875

DESCRIPTION:
Active Cloud Engine (ACE) component of IBM V7000 Unified uses NFS client operations for data transmission. ACE is used for caching data at remote locations and providing access to data at remote sites as if it is available locally. Where NFS packet re-transmissions occur in response to a noisy or slow responding network, a rare condition can result in an incorrect access control list (ACL) on a file or directory. This could further lead to an unauthorized user having access to that file or directory. The exposure occurs when the ACL is being managed with ACE in IBM Storwize V7000 Unified release versions 1.3 and 1.4.
CVSS Base Score: 3.5

Affected Products and Versions

IBM Storwize V7000 Unified V1.3.0.0 to V1.4.3.X

Remediation/Fixes

A fix for this issue is in version 1.5.0.0 of IBM Storwize V7000 Unified system. Customers running the affected version of V7000 Unified should upgrade to 1.5.0.0 or a later version, so that the fix gets applied.

Workarounds and Mitigations

Workaround(s) : None.