Lucene search

K
ibmIBMC3B24D9C073C7840B6F13827EE7743D35E733053B2442D8C8AD0A06EAEC3B9DA
HistorySep 26, 2022 - 4:23 a.m.

Security Bulletin: Storwize V7000 Unified V1.3.2.3 and V1.4.0.0 Include Fixes for Multiple Vendor Security Vulnerabilities

2022-09-2604:23:14
www.ibm.com
17
storwize v7000 unified
security fixes
vendor vulnerabilities
red hat
apache tomcat
cve-2011-3026
cve-2011-3639
cve-2011-4317
cve-2012-0053
cve-2011-1184
cve-2011-2204

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.928

Percentile

99.0%

Abstract

Storwize V7000 Unified includes multiple software components for which the vendors have provided fixes for security vulnerabilities in such components.

Content

VULNERABILITY DETAILS:

CVE ID:

Vendor Vendor ID Vendor Title Included CVEs
Red Hat RHSA-2012-0143 Critical: xulrunner security update CVE-2011-3026
Red Hat RHSA-2012-0317 Important: libpng security update CVE-2011-3026
Red Hat RHSA-2012-0128 Moderate: httpd security update CVE-2011-3639
CVE-2011-4317
CVE-2012-0053
Apache Apache Tomcat 6.0.33 Fixed in Apache Tomcat 6.0.33 CVE-2011-1184
CVE-2011-2204
CVE-2011-2526
Apache Apache Tomcat 6.0.35 Fixed in Apache Tomcat 6.0.35 CVE-2011-3190
CVE-2011-3375
CVE-2012-0022

DESCRIPTION:
Storwize V7000 Unified has integrated updated versions of the software components for which the vendors have provided fixes for security vulnerabilities.

CVSS:
Please see vendor documentation for CVSS scores and CVSS vector.

AFFECTED PLATFORMS:

  • Affected releases: Storwize V7000 Unified 1.3 through 1.3.2.0.
  • Releases/systems/configurations NOT affected: Storwize 7000 Unified 1.3.2.3 and above, Storwize 7000 Unified 1.4.0.0 and above.

REMEDIATION:

Vendor Fix(es): The issue was fixed beginning with version Storwize V7000 Unified 1.3.2.3 and 1.4.0.0. Storwize V7000 Unified customers running an earlier version (e.g. Storwize V7000 Unified 1.3.2.0) must upgrade to Storwize V7000 Unified 1.3.2.3, 1.4.0.0 or a later version.

Workaround(s): None.

Mitigation(s): Storwize V7000 Unified is not exposed to CVE-2011-3026 during normal operation. Service procedures which use the Firefox web browser may activate the vulnerable code. Service personnel must not browse web pages on the internet to avoid the processing of web pages with malicious content.

The Tomcat related vulnerabilities are exposed to the Storwize V7000 Unified management and service IP addresses only, but not to the public IP addresses which are used for NAS data access. It is recommended that the management and service IP addresses will be attached to a management network only.

REFERENCES:

RELATED INFORMATION:

CHANGE HISTORY:

  • 03/18/13: Original copy published.

_The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash. _

_Note: __According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” _
IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

[{“Product”:{“code”:“ST5Q4U”,“label”:“IBM Storwize V7000 Unified (2073-700)”},“Business Unit”:{“code”:“BU058”,“label”:“IBM Infrastructure w/TPS”},“Component”:“1.4”,“Platform”:[{“code”:“PF025”,“label”:“Platform Independent”}],“Version”:“1.3;1.4”,“Edition”:“”,“Line of Business”:{“code”:“LOB26”,“label”:“Storage”}}]

Affected configurations

Vulners
Node
ibmstorwize_v7000_unifiedMatch1.3
OR
ibmstorwize_v7000_unifiedMatch1.4

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.928

Percentile

99.0%