Jun 18, 2018 - 12:08 a.m.

Security Bulletin: A Security vulnerability has been discovered in Apache Struts which impacts the DS8000 GUI (CVE-2014-0114)

2018-06-18 00:08:26
www.ibm.com

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS2: 5 Medium

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

Summary

A security vulnerability has been discovered in Apache Struts which impacts the DS8000 GUI.

Vulnerability Details

CVE-ID: CVE-2014-0114

**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the setting of Class Loader attributes. An attacker could exploit this vulnerability using the class parameter of an ActionForm object to manipulate the ClassLoader and execute arbitrary code on the system.

CVSS Base Score: 7.5

CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/92889> for more information

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
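The description above turns on request parameter names that reach the `class` property of the form bean. The following detection sketch is an added example, not part of the IBM bulletin: it flags such parameter names in web access logs. The log format, URL paths, addresses and the pattern itself are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed pattern: parameter names that address the bean's "class" property in
# dotted or indexed form (class.x, foo.class.x, Class.x, class[..], foo['class'].x).
CLASS_PARAM = re.compile(r"""(?:^|\.|\[['"]?)[cC]lass(?:['"]?\]|\.|\[|$)""")

# Assumed common-log-format request line: client ... "METHOD target HTTP/x" ...
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|PUT) (\S+) HTTP/[\d.]+"')

def suspicious_params(query: str) -> list[str]:
    """Return parameter names in a query string or form body that reach `class`."""
    names = [name for name, _ in parse_qsl(query, keep_blank_values=True)]
    return [n for n in names if CLASS_PARAM.search(n)]

def scan_access_log(lines):
    """Yield (client, path, names) for logged requests carrying such parameters."""
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, target = m.groups()
        parts = urlsplit(target)
        hits = suspicious_params(parts.query)  # percent-decoding done by parse_qsl
        if hits:
            yield client, parts.path, hits

# Constructed sample lines; paths, addresses and parameter names are illustrative.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Jul/2014:10:00:01 +0000] "GET /gui/login.do?user=admin HTTP/1.1" 200 512',
    '192.0.2.66 - - [09/Jul/2014:10:00:07 +0000] "GET /gui/login.do?class.classLoader.placeholder=1 HTTP/1.1" 200 512',
    '192.0.2.66 - - [09/Jul/2014:10:00:09 +0000] "POST /gui/view.do?item%5B%27class%27%5D.placeholder=1 HTTP/1.1" 200 512',
    '192.0.2.10 - - [09/Jul/2014:10:00:12 +0000] "GET /gui/list.do?classification=tier1&subclass=a HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, path, names in scan_access_log(SAMPLE_LOG):
        print(f"{client} {path} -> {names}")
```

Access logs normally record only the query string, so parameters sent in a POST body are visible to this check only if the body is captured elsewhere and passed to `suspicious_params` directly.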

Affected Products and Versions

DS8870 GUI Release 6.3 and all Releases 7.X

Remediation/Fixes

IBM strongly suggests that you install the vulnerability fix identified immediately below:

Users on R7.0 or R7.1 are advised to upgrade to R7.2 or R7.3 code bundles listed below.

Users on R7.2 or R7.3 can either apply the ICS patch or upgrade to the code bundles listed below.

DS8700 and DS8800 users are advised to upgrade to the recommended code bundle listed below.

| Product | VRMF | APAR | Remediation/First Fix |
| --- | --- | --- | --- |
| DS8870 R7.2-R7.3 | ICS_DSGUI_STRUTS_PATCH_v1.0 | N/A | 07/09/2014 |
| R7.2 | 87.21.30.0 | N/A | 07/09/2014 |
| R7.3 | 87.31.2.0 | N/A | July 2014 |
| DS8800 | 86.31.123.0 | N/A | 07/09/2014 |
| DS8700 | 76.31.105.0 | N/A | 07/09/2014 |

Please contact your IBM representative to order and install the ICS CD or updated microcode.

Workarounds and Mitigations

The following steps can help mitigate, but not eliminate the risks of this vulnerability:

Ensure that the DS8000 HMC is installed behind a firewall that limits access to the ports.

| CPE | Name | Operator | Version |
| --- | --- | --- | --- |
| ibm | ds8870 | eq | 6.3 |
| ibm | ds8870 | eq | 7.2 |
| ibm | ds8870 | eq | 7.3 |
