Security Bulletin: Vulnerability in Apache Struts affects SAN Volume Controller, Storwize family and FlashSystem V9000 products (CVE-2017-5638)


## Summary

A vulnerability in the Apache Struts component affects the Service Assistant GUI of SAN Volume Controller, Storwize family and FlashSystem V9000 products, allowing arbitrary code execution. The Command Line Interface is unaffected.

## Vulnerability Details

**CVEID:** [CVE-2017-5638](https://vulners.com/cve/CVE-2017-5638)

**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when performing a file upload based on the Jakarta Multipart parser. An attacker could exploit this vulnerability using a malicious Content-Type value to execute arbitrary code on the system.

CVSS Base Score: 7.3
CVSS Temporal Score: See [https://exchange.xforce.ibmcloud.com/vulnerabilities/122776](https://exchange.xforce.ibmcloud.com/vulnerabilities/122776) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

## Affected Products and Versions

- IBM SAN Volume Controller
- IBM Storwize V7000
- IBM Storwize V5000
- IBM Storwize V3700
- IBM Storwize V3500
- IBM FlashSystem V9000

All products are affected when running supported releases 7.1 to 7.8. For unsupported versions of the above products, IBM recommends upgrading to a fixed, supported version of the product.

## Remediation/Fixes

IBM recommends that you fix this vulnerability by upgrading affected versions of IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500 to the following code levels or higher:

- [Latest SAN Volume Controller Code](http://www-01.ibm.com/support/docview.wss?rs=591&uid=ssg1S1001707)
- [Latest Storwize V7000 Code](http://www-01.ibm.com/support/docview.wss?uid=ssg1S1003705)
- [Latest Storwize V5000 Code](http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004336)
- [Latest Storwize V3700 Code](http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004172)
- [Latest Storwize V3500 Code](http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004171)

For IBM FlashSystem V9000, upgrade to the following code levels or higher:

- [Latest FlashSystem V9000 Code](https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%2Bhigh%2Bavailability%2Bsystems&product=ibm/StorageSoftware/IBM+FlashSystem+V9000&release=All&platform=All&function=all)

## Workarounds and Mitigations

Although IBM recommends that you install a level of code with a fix for this vulnerability, you can mitigate, although not eliminate, your risk until you have done so by ensuring that all users who have access to the system are authenticated by another security system such as a firewall.
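
A defensive check for the Content-Type vector described above, added here as an example and not IBM's or the Struts project's code: it classifies the Content-Type header of each request in a constructed, simplified access-log format (the log format, paths and client addresses are assumptions) and flags values that carry OGNL expression delimiters or do not parse as an RFC 7231 media type, since a well-formed upload request never needs either.

```python
import re

# Constructed access-log format used for this example only:
# <timestamp> <client-ip> <method> <path> "<Content-Type header>" <status>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<path>\S+) '
    r'"(?P<ctype>[^"]*)" (?P<status>\d{3})$'
)

# RFC 7230 token characters; '{', '}', '(' and ')' are deliberately absent,
# so a header carrying an expression can never parse as a media type.
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_PARAM = rf'\s*;\s*{_TOKEN}=(?:{_TOKEN}|"[^"]*")'
MEDIA_TYPE_RE = re.compile(rf"^{_TOKEN}/{_TOKEN}(?:{_PARAM})*\s*$")
OGNL_DELIMITERS = ("%{", "${")


def classify_content_type(value: str) -> str:
    """Return "" for a well-formed media type, otherwise a short reason."""
    if any(d in value for d in OGNL_DELIMITERS):
        return "ognl-delimiter"        # expression syntax has no place in a media type
    if MEDIA_TYPE_RE.match(value) is None:
        return "malformed-media-type"  # the multipart parser would reject this value
    return ""


def scan_log(lines: list[str]) -> list[dict[str, str]]:
    """Flag requests whose Content-Type header should never reach an upload handler."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not in the constructed format; a real parser would log this
        reason = classify_content_type(m["ctype"])
        if reason:
            findings.append({"ts": m["ts"], "src": m["src"],
                             "path": m["path"], "reason": reason})
    return findings


# Constructed sample lines (RFC 5737 documentation addresses, placeholder paths).
SAMPLE_LOG = [
    '2017-03-08T10:15:02Z 203.0.113.5 POST /service/upload "multipart/form-data; boundary=----constructedBoundary" 200',
    '2017-03-08T10:15:09Z 203.0.113.5 GET /service/ "text/html; charset=UTF-8" 200',
    '2017-03-08T10:16:41Z 198.51.100.23 POST /service/upload "%{constructed_ognl_expression}" 500',
    '2017-03-08T10:17:03Z 198.51.100.23 POST /service/upload "multipart/form-data boundary=x" 400',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['path']} -> {f['reason']}")
```

Run against the request log of the Service Assistant GUI front end or a proxy in front of it, this gives a detection signal while the fix level is being rolled out; it does not replace the upgrade.
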

## Affected Software

| Name | Version |
|------|---------|
| ibm storwize v7000 | 6.1 |
| ibm storwize v7000 | 6.2 |
| ibm storwize v7000 | 6.3 |
| ibm storwize v7000 | 6.4 |
| ibm storwize v7000 | 7.1 |
| ibm storwize v7000 | 7.2 |
| ibm storwize v7000 | 7.3 |
| ibm storwize v7000 | 7.4 |
| ibm storwize v7000 | 7.5 |
| ibm storwize v7000 | 7.6 |
| ibm storwize v7000 | 7.6.1 |
| ibm storwize v7000 | 7.7 |
| ibm storwize v7000 | 7.7.1 |
| ibm storwize v7000 | 7.8 |
| ibm storwize v7000 | 7.8.1 |
| ibm storwize v3500 (2071) | 6.4 |
| ibm storwize v3500 (2071) | 7.1 |
| ibm storwize v3500 (2071) | 7.2 |
| ibm storwize v3500 (2071) | 7.3 |
| ibm storwize v3500 (2071) | 7.4 |
| ibm storwize v3500 (2071) | 7.5 |
| ibm storwize v3700 (2072) | 6.4 |
| ibm storwize v3700 (2072) | 7.1 |
| ibm storwize v3700 (2072) | 7.2 |
| ibm storwize v3700 (2072) | 7.3 |
| ibm storwize v3700 (2072) | 7.4 |
| ibm storwize v3700 (2072) | 7.5 |
| ibm storwize v5000 | 7.1 |
| ibm storwize v5000 | 7.2 |
| ibm storwize v5000 | 7.3 |
| ibm storwize v5000 | 7.4 |
| ibm storwize v5000 | 7.5 |
| san volume controller | 6.1 |
| san volume controller | 6.2 |
| san volume controller | 6.3 |
| san volume controller | 6.4 |
| san volume controller | 7.1 |
| san volume controller | 7.2 |
| san volume controller | 7.3 |
| san volume controller | 7.4 |
| san volume controller | 7.5 |
| ibm flashsystem v9000 | 7.1 |
| ibm flashsystem v9000 | 7.2 |
| ibm flashsystem v9000 | 7.3 |
| ibm flashsystem v9000 | 7.4 |
| ibm flashsystem v9000 | 7.5 |