CVSS3: 7.5 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | NONE |
Availability Impact | NONE |

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS2: 5 Medium

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |

AV:N/AC:L/Au:N/C:P/I:N/A:N

A security vulnerability has been discovered in Apache Struts which impacts the DS8000 GUI.
CVE-ID: CVE-2014-0114
**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the setting of Class Loader attributes. An attacker could exploit this vulnerability using the class parameter of an ActionForm object to manipulate the ClassLoader and execute arbitrary code on the system.
CVSS Base Score: 7.5
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/92889> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
DS8870 GUI Release 6.3 and all Releases 7.X
IBM strongly suggests that you install the vulnerability fix identified immediately below:
Users on R7.0 or R7.1 are advised to upgrade to R7.2 or R7.3 code bundles listed below.
Users on R7.2 or R7.3 can either apply the ICS patch or upgrade to the code bundles listed below.
DS8700 and DS8800 users are advised to upgrade to the recommended code bundle listed below.
Product | VRMF | APAR | Remediation/First Fix |
---|---|---|---|
DS8870 R7.2-R7.3 | ICS_DSGUI_STRUTS_PATCH_v1.0 | N/A | 07/09/2014 |
R7.2 | 87.21.30.0 | N/A | 07/09/2014 |
R7.3 | 87.31.2.0 | N/A | July /2014 |
DS8800 | 86.31.123.0 | N/A | 07/09/2014 |
DS8700 | 76.31.105.0 | N/A | 07/09/2014 |
Please contact your IBM representative to order and install the ICS CD or updated microcode.
The following steps can help mitigate, but not eliminate, the risks of this vulnerability:
Ensure that the DS8000 HMC is installed behind a firewall that limits access to the ports.
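
Because the firewall only reduces exposure, it is also worth reviewing HTTP access logs for request parameters whose names address the `class` property named in the description. The following is an added example, not part of the IBM bulletin or any IBM tooling; it assumes Common Log Format logs are available from a proxy or firewall in front of the GUI, and every path, address and parameter name in the sample is constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Flags a name when "class" is a whole property-path segment:
# class, class.x, form.class.x, class['x'], x[class] (any letter case).
CLASS_SEGMENT = re.compile(
    r"(?:^|\.|\[['\"]?)class(?:$|\.|\[|['\"]?\])", re.IGNORECASE)

# Request field of a Common Log Format line: "METHOD target HTTP/x.y"
REQUEST_FIELD = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def flagged_params(request_target):
    """Return query parameter names that address the 'class' property."""
    query = urlsplit(request_target).query
    # parse_qsl percent-decodes names, so class%2EclassLoader is caught too.
    names = [name for name, _ in parse_qsl(query, keep_blank_values=True)]
    return [n for n in names if CLASS_SEGMENT.search(n)]

def scan(lines):
    """Return (line number, client address, flagged names) per suspicious request."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_FIELD.search(line)
        if not match:
            continue  # malformed or non-HTTP line
        names = flagged_params(match.group(1))
        if names:
            hits.append((lineno, line.split()[0], names))
    return hits

# Constructed sample lines (documentation addresses, placeholder paths and names).
# Parameters sent in a POST body are not recorded in a standard access log,
# so a clean scan does not prove that no such request was made.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Jul/2014:10:00:01 +0000] "GET /app/login.do?user=admin HTTP/1.1" 200 512',
    '198.51.100.7 - - [09/Jul/2014:10:02:13 +0000] "GET /app/login.do?class.classLoader.placeholder=x HTTP/1.1" 200 512',
    '198.51.100.7 - - [09/Jul/2014:10:02:14 +0000] "POST /app/save.do?name=a&class%2EclassLoader%2Eplaceholder=x HTTP/1.1" 500 0',
    '203.0.113.5 - - [09/Jul/2014:10:05:40 +0000] "GET /app/list.do?classroom=3&sort=class HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for lineno, client, names in scan(SAMPLE_LOG):
        print(f"line {lineno}: {client} sent {', '.join(names)}")
```
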
CPE | Name | Operator | Version |
---|---|---|---|
ibm ds8870 | eq | 6.3 | |
ibm ds8870 | eq | 7.2 | |
ibm ds8870 | eq | 7.3 | |