Apr 29, 2019 - 9:20 p.m.

Security Bulletin: A vulnerability affects the IBM FlashSystem V840

Published: 2019-04-29 21:20:01
Source: www.ibm.com
EPSS: 0.001 (Low), percentile 31.7%

Summary

There is a vulnerability to which the FlashSystem™ V840 is susceptible. An exploit of this vulnerability could make the system subject to an attack where an unauthenticated user could download arbitrary files from the operating system.

Vulnerability Details

CVEID: CVE-2018-1775
DESCRIPTION: IBM SAN Volume Controller and Storwize Family could allow an authenticated user to download arbitrary files from the operating system.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148757> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

FlashSystem 900 MTMs affected include 9840-AE2 and 9843-AE2. FlashSystem 840 MTMs affected include 9840-AE1 and 9843-AE1.

Supported code versions which are affected:

  • VRMFs prior to 1.4.8.2
  • VRMFs prior to 1.5.2.5

Supported controller node code versions which are affected:

  • VRMFs prior to 7.8.1.8
  • VRMFs prior to 8.1.3.3
  • VRMFs prior to 8.2.0.0

Remediation/Fixes

MTMs:

  • Storage nodes: 9846-AE1 & 9848-AE1
  • Controller nodes: 9846-AC0, 9846-AC1, 9848-AC0, & 9848-AC1

VRMF:

Code fixes are now available, the minimum VRMF containing the fix depending on the code stream:

Fixed Code VRMF

  • 1.6 stream: 1.6.0.0
  • 1.5 stream: 1.5.2.5
  • 1.4 stream: 1.4.8.2

Controller Node VRMF

  • 8.2 stream: 8.2.0.0
  • 8.1 stream: 8.1.3.3
  • 7.8 stream: 7.8.1.8

APAR: N/A

Remediation/First Fix: FlashSystem V840 fixes for storage node are available @ IBM’s Fix Central
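The fix levels above are per code stream, so comparing an installed version against a single number misclassifies systems (1.5.0.0 is numerically above 1.4.8.2 but still below the 1.5 stream's fix). The following Python check is an added example, not part of IBM's bulletin; the inventory entries are constructed, and reporting unlisted streams as "unknown" and streams older than the oldest listed one as "affected" are assumptions.

```python
"""Stream-aware VRMF check against the fix levels listed in this bulletin."""

# Minimum fixed VRMF per code stream, copied from the bulletin's fix table.
FIXED_STORAGE = {(1, 4): (1, 4, 8, 2), (1, 5): (1, 5, 2, 5), (1, 6): (1, 6, 0, 0)}
FIXED_CONTROLLER = {(7, 8): (7, 8, 1, 8), (8, 1): (8, 1, 3, 3), (8, 2): (8, 2, 0, 0)}


def parse_vrmf(text):
    """Parse 'V.R.M.F' into a 4-tuple of ints; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a V.R.M.F version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(vrmf, fixed):
    """Return 'fixed', 'affected' or 'unknown' for one VRMF string."""
    v = parse_vrmf(vrmf)
    stream = v[:2]
    if stream in fixed:
        # Compare only within the same stream, never across streams.
        return "fixed" if v >= fixed[stream] else "affected"
    if stream < min(fixed):
        # Assumption: streams older than the oldest listed one carry no fix.
        return "affected"
    # Stream not listed in the bulletin (in between or newer): do not guess.
    return "unknown"


def audit(inventory):
    """inventory: iterable of (name, node_type, vrmf) tuples, where
    node_type is 'storage' or 'controller'. Returns {name: status}."""
    tables = {"storage": FIXED_STORAGE, "controller": FIXED_CONTROLLER}
    return {name: assess(vrmf, tables[kind]) for name, kind, vrmf in inventory}


if __name__ == "__main__":
    # Constructed inventory for illustration; not real systems.
    sample = [
        ("enclosure-a", "storage", "1.5.0.0"),
        ("enclosure-b", "storage", "1.4.8.2"),
        ("node-a", "controller", "7.8.1.7"),
        ("node-b", "controller", "8.1.3.3"),
        ("node-c", "controller", "8.0.0.0"),
    ]
    for name, status in audit(sample).items():
        print(f"{name}: {status}")
```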

Workarounds and Mitigations

None.

CPE name: ibm flashsystem software; operator: eq; version: any
