Lucene search

K
ibmIBMD769235D102AD19A73D51C968FFD8889D9656A19C29D4BE9C66233A668FC8B7A
HistoryMar 29, 2023 - 1:48 a.m.

Security Bulletin: Vulnerability in Apache Struts affects SAN Volume Controller, Storwize family and FlashSystem V9000 products (CVE-2017-5638)

2023-03-2901:48:02
www.ibm.com
105
apache struts
ibm storage
arbitrary code execution
san volume controller
storwize family
flashsystem v9000
cve-2017-5638
file upload
code levels
security system
firewall

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

10

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS

0.975

Percentile

100.0%

Summary

A vulnerability in the Apache Struts component affects the Service Assistant GUI of SAN Volume Controller, Storwize family and FlashSystem V9000 products allowing arbitrary code execution. The Command Line Interface is unaffected.

Vulnerability Details

CVEID: CVE-2017-5638**
DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/122776 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

IBM SAN Volume Controller
IBM Storwize V7000
IBM Storwize V5000
IBM Storwize V3700
IBM Storwize V3500
IBM FlashSystem V9000

All products are affected when running supported releases 7.1 to 7.8. For unsupported versions of the above products, IBM recommends upgrading to a fixed, supported version of the product.

Remediation/Fixes

IBM recommends that you fix this vulnerability by upgrading affected versions of IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500 to the following code levels or higher:

7.6.1.8
7.7.1.6
7.8.1.0

Latest SAN Volume Controller Code
Latest Storwize V7000 Code
Latest Storwize V5000 Code
Latest Storwize V3700 Code
Latest Storwize V3500 Code

For IBM FlashSystem V9000, upgrade to the following code levels or higher:

7.6.1.8
7.7.1.6
7.8.1.0

Latest FlashSystem V9000 Code

Workarounds and Mitigations

Although IBM recommends that you install a level of code with a fix for this vulnerability, you can mitigate, although not eliminate, your risk until you have done so by ensuring that all users who have access to the system are authenticated by another security system such as a firewall.

Affected configurations

Vulners
Node
ibmstorwize_v7000Match6.1
OR
ibmstorwize_v7000Match6.2
OR
ibmstorwize_v7000Match6.3
OR
ibmstorwize_v7000Match6.4
OR
ibmstorwize_v7000Match7.1
OR
ibmstorwize_v7000Match7.2
OR
ibmstorwize_v7000Match7.3
OR
ibmstorwize_v7000Match7.4
OR
ibmstorwize_v7000Match7.5
OR
ibmstorwize_v7000Match7.6
OR
ibmstorwize_v7000Match7.6.1
OR
ibmstorwize_v7000Match7.7
OR
ibmstorwize_v7000Match7.7.1
OR
ibmstorwize_v7000Match7.8
OR
ibmstorwize_v7000Match7.8.1
OR
ibmstorwize_v3500Match6.4
OR
ibmstorwize_v3500Match7.1
OR
ibmstorwize_v3500Match7.2
OR
ibmstorwize_v3500Match7.3
OR
ibmstorwize_v3500Match7.4
OR
ibmstorwize_v3500Match7.5
OR
ibmstorwize_v3700Match6.4
OR
ibmstorwize_v3700Match7.1
OR
ibmstorwize_v3700Match7.2
OR
ibmstorwize_v3700Match7.3
OR
ibmstorwize_v3700Match7.4
OR
ibmstorwize_v3700Match7.5
OR
ibmstorwize_v5000Match7.1
OR
ibmstorwize_v5000Match7.2
OR
ibmstorwize_v5000Match7.3
OR
ibmstorwize_v5000Match7.4
OR
ibmstorwize_v5000Match7.5
OR
ibmsan_volume_controllerMatch6.1
OR
ibmsan_volume_controllerMatch6.2
OR
ibmsan_volume_controllerMatch6.3
OR
ibmsan_volume_controllerMatch6.4
OR
ibmsan_volume_controllerMatch7.1
OR
ibmsan_volume_controllerMatch7.2
OR
ibmsan_volume_controllerMatch7.3
OR
ibmsan_volume_controllerMatch7.4
OR
ibmsan_volume_controllerMatch7.5
OR
ibmflashsystem_v9000Match7.1
OR
ibmflashsystem_v9000Match7.2
OR
ibmflashsystem_v9000Match7.3
OR
ibmflashsystem_v9000Match7.4
OR
ibmflashsystem_v9000Match7.5

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

10

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS

0.975

Percentile

100.0%