Aug 17, 2020 - 12:05 p.m.

Security Bulletin: A vulnerability has been identified in IBM Elastic Storage Server GUI where an unauthorised user can execute commands (CVE-2020-4348)

2020-08-17 12:05:10
www.ibm.com
EPSS: 0.001 (Low), percentile 19.6%

Summary

A security vulnerability has been identified in all levels of IBM Elastic Storage Server GUI that could allow an unauthorised user to execute commands. A fix for this vulnerability is available.

Vulnerability Details

**CVEID:** CVE-2020-4348
**DESCRIPTION:** IBM Spectrum Scale 4.2.0.0 through 4.2.3.21 and 5.0.0.0 through 5.0.4.4 could allow an authenticated GUI user to perform unauthorized actions due to missing function level access control. IBM X-Force ID: 178414
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/178414 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

The Elastic Storage Server 5.3.0 thru 5.3.5.2
The Elastic Storage Server 5.0.0 thru 5.2.9
The Elastic Storage Server 4.5.0 thru 4.6.0
The Elastic Storage Server 4.0.0 thru 4.0.6

Remediation/Fixes

For IBM Elastic Storage Server V5.0.0 thru 5.3.5.2, apply V5.3.6 available from FixCentral at:

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Elastic+Storage+Server+(ESS)&release=All&platform=All&function=all

For IBM Elastic Storage Server V5.0.0 thru 5.2.9, apply V5.2.10 available from FixCentral at:

https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/StorageSoftware/IBM+Elastic+Storage+Server+(ESS)&function=fixid&fixids=ESS_DME_BASEIMAGE-5.2.9-power-Linux

Workarounds and Mitigations

None

CPE

Name | Operator | Version
ibm elastic storage server | eq | 5.3
