History: Sep 26, 2022 - 4:23 a.m.

Security Bulletin: Storwize V7000 Unified Update Includes Fixes for Multiple Vendor Security Vulnerabilities

2022-09-26 04:23:14
www.ibm.com

CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0.971 High (Percentile: 99.8%)

Abstract

Storwize V7000 Unified includes multiple software components for which the vendors have provided fixes for security vulnerabilities in such components.

Content

VULNERABILITY DETAILS:

CVE ID:

| Vendor | Vendor ID | Vendor Title | Included CVEs |
| --- | --- | --- | --- |
| Red Hat | RHSA-2013-0587 | Moderate: openssl security update | CVE-2012-4929, CVE-2013-0166, CVE-2013-0169 |
| IBM | IBM Java 6.0.0 SR13 | Oracle February 1 2013 CPU | CVE-2013-0438, CVE-2013-0443 |
| IBM | IBM Java 6.0.0 SR13 FP1 | Oracle February 19 2013 CPU | CVE-2013-0169 |
| Red Hat | RHSA-2013-0144 | Critical: firefox security update | CVE-2013-0744, CVE-2013-0746, CVE-2013-0748, CVE-2013-0750, CVE-2013-0753, CVE-2013-0754, CVE-2013-0758, CVE-2013-0759, CVE-2013-0762, CVE-2013-0766, CVE-2013-0767, CVE-2013-0769 |
| Red Hat | RHSA-2013-0271 | Critical: firefox security update | CVE-2013-0775, CVE-2013-0776, CVE-2013-0780, CVE-2013-0782, CVE-2013-0783 |
| Red Hat | RHSA-2013-0614 | Critical: xulrunner security update | CVE-2013-0787 |
| Red Hat | RHSA-2013-0696 | Critical: firefox security update | CVE-2013-0788, CVE-2013-0793, CVE-2013-0795, CVE-2013-0796, CVE-2013-0800 |

DESCRIPTION:
Storwize V7000 Unified has integrated updated versions of the software components for which the vendors have provided fixes for security vulnerabilities.

CVSS:

IBM Java 6.0.0 SR13

CVEID: CVE-2013-0438 - Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality via unknown vectors related to Deployment.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81800 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-0443 - Unspecified vulnerability in Java Runtime Environment allows remote attackers to affect confidentiality and integrity via vectors related to JSSE.
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81801 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

IBM Java 6.0.0 SR13 FP1

CVE-2013-0169 - Unspecified vulnerability in the JRE component allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81902 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Red Hat RHSA-2013-0587

CVE-2012-4929
CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78807 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)

CVE-2013-0166
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81904 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-2013-0169
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81902 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Red Hat RHSA-2013-0144

CVE-2013-0744
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81073 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE-2013-0746
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81077 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE-2013-0748
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81079 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE-2013-0750
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81080 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE-2013-0753
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81084 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE-2013-0754
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81085 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE-2013-0758
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81083 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE-2013-0759
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81085 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE-2013-0762
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81064 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE-2013-0766
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81065 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE-2013-0767
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81066 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE-2013-0769
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81047 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Red Hat RHSA-2013-0271

CVE-2013-0775
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82189 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE-2013-0776
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82190 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE-2013-0780
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82194 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE-2013-0782
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82196 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE-2013-0783
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82181 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Red Hat RHSA-2013-0614

CVE-2013-0787
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82652 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Red Hat RHSA-2013-0696

CVE-2013-0788
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83176 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE-2013-0793
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83200 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE-2013-0795
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83198 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE-2013-0796
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83197 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE-2013-0800
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83193 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

AFFECTED PLATFORMS:

  • _Affected releases:_ Storwize V7000 Unified 1.3.0.0 through 1.4.0.X.
  • _Releases/systems/configurations NOT affected:_ Storwize V7000 Unified 1.4.1.0 and above.

REMEDIATION:

Vendor Fix(es):
The issues were fixed beginning with version Storwize V7000 Unified 1.4.1.0. Storwize V7000 Unified customers running an earlier version (e.g. Storwize V7000 Unified 1.3.X.X, 1.4.0.X) must upgrade to Storwize V7000 Unified 1.4.1.0 or a later version in order to get these fixes.

Workaround(s): None.

Mitigation(s): Storwize V7000 Unified is not exposed to the CVEs related to Firefox and Xulrunner during normal operation. Service procedures that use the Firefox web browser may activate the vulnerable code. To avoid processing web pages with malicious content, service personnel must not browse web pages on the internet.

REFERENCES:

CVE-2012-4929
CVE-2013-0166
CVE-2013-0169

CVE-2013-0169
CVE-2013-0438
CVE-2013-0443

CVE-2013-0744
CVE-2013-0746
CVE-2013-0748
CVE-2013-0750
CVE-2013-0753
CVE-2013-0754
CVE-2013-0758
CVE-2013-0759
CVE-2013-0762
CVE-2013-0766
CVE-2013-0767
CVE-2013-0769

CVE-2013-0775
CVE-2013-0776
CVE-2013-0780
CVE-2013-0782
CVE-2013-0783

CVE-2013-0787

CVE-2013-0788
CVE-2013-0793
CVE-2013-0795
CVE-2013-0796
CVE-2013-0800

RELATED INFORMATION:

CHANGE HISTORY:

  • 28-June-2013: Original copy published.

_The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash._

_Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.”_
IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

