Security Bulletin: Vulnerabilities in Apache Struts affect the IBM FlashSystem models 840 and 900

Summary

There are vulnerabilities in Apache Struts to which the IBM® FlashSystem™ 840 and FlashSystem™ 900 are susceptible. An exploit of these vulnerabilities (CVE-2016-4430, CVE-2016-4431, CVE-2016-4433, and CVE-2016-4436) could allow a remote attacker to perform a cross-site script attack, perform Web cache poisoning, and redirect the victim to an arbitrary site.

Vulnerability Details

CVEID: CVE-2016-4430 DESCRIPTION: Apache Struts is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed expression to bypass token validation. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114185 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2016-4431 DESCRIPTION: Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in the default action method. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass internal security mechanism and redirect the victim to an arbitrary site.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114187 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2016-4433 DESCRIPTION: Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in the Getter as action method. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass internal security mechanism and redirect the victim to an arbitrary site.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114186 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2016-4436 DESCRIPTION: An unspecified error Apache Struts related to the method used to clean up action name has an unknown impact and attack vector.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114183 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

FlashSystem 840 including machine type and models (MTMs) for all available code levels. MTMs affected include 9840-AE1 and 9843-AE1.

FlashSystem 900 including machine type and models (MTMs) for all available code levels. MTMs affected include 9840-AE2 and 9843-AE2.

Remediation/Fixes

MTMs

| VRMF| APAR| Remediation/First Fix
—|—|—|—
FlashSystem****840 MTM:
9840-AE1 &
9843-AE1

FlashSystem 900 MTMs:
9840-AE2 &
9843-AE2| _Code fixes are now available, the minimum VRMF containing the fix depends on the code stream:

___ Fixed code VRMF .__
1.4 stream: 1.4.6.0 (or later)
1.3 stream: 1.3.0.7 (or later)| _ N/A| FlashSystem 840 fixes****and FlashSystem 900 fixes****are available @ IBM’s Fix Central _

Workarounds and Mitigations

None