logo
DATABASE RESOURCES PRICING ABOUT US

Security Bulletin: Multiple vulnerabilities in Linux Kernel affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products

Description

## Summary Vulnerabilities in the Linux Kernel affect IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500, IBM Spectrum Virtualize Software, IBM Spectrum Virtualize for Public Cloud and IBM FlashSystem V9000 products. The applicable CVEs are CVE-2016-7117 CVE-2016-6828 CVE-2016-10229 CVE-2016-6480 CVE-2016-6327 CVE-2016-6198 CVE-2016-6136 CVE-2016-5829 CVE-2016-5828 CVE-2016-5412 CVE-2016-4794 CVE-2016-4581 CVE-2016-4578 CVE-2016-3699 CVE-2016-3156 CVE-2016-4569 CVE-2016-2847 CVE-2016-2384 CVE-2016-2069 CVE-2016-2053 CVE-2015-8956 CVE-2015-8845 CVE-2015-8844 CVE-2015-8812 CVE-2015-8746 CVE-2015-8543 CVE-2015-8374 CVE-2013-4312 and CVE-2016-3070. ## Vulnerability Details **CVEID:** [_CVE-2016-7117_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7117>)** DESCRIPTION:** Linux Kernel could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in __sys_recvmmsg function in net/socket.c. An attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base Score: 7.3 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/117765_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/117765>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) **CVEID:** [_CVE-2016-6828_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6828>)** DESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by the failure to properly maintain certain SACK state in tcp_check_send_head function in include/net/tcp.h. By executing a specially-crafted SACK option, an attacker could exploit this vulnerability to cause a denial of service. CVSS Base Score: 6.2 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/118135_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118135>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) **CVEID:** [_CVE-2016-10229_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10229>)** DESCRIPTION:** Linux Kernel could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in udp.c. By sending specially-crafted UDP packets, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base Score: 7.3 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/124676_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/124676>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) **CVEID:** [_CVE-2016-6480_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6480>)** DESCRIPTION:** Linux Kernel could allow a local attacker to obtain sensitive information, caused by a race condition in the Linux-4.5/drivers/scsi/aacraid/commctrl.c when the driver fetches user space data. A local attacker could exploit this vulnerability to obtain sensitive information. CVSS Base Score: 4 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/115630_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/115630>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) **CVEID:** [_CVE-2016-6327_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6327>)** DESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in drivers/infiniband/ulp/srpt/ib_srpt.c. By using an ABORT_TASK command to abort a device write operation, a local attacker could exploit this vulnerability to cause the system to crash. CVSS Base Score: 5.5 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/118155_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118155>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) **CVEID:** [_CVE-2016-6198_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6198>)** DESCRIPTION:** Linux Kernel is vulnerable to a denial of service. A local attacker could exploit this vulnerability using rename syscall on overlayfs on top of xfs to cause the kernel to crash. CVSS Base Score: 6.2 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114867_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114867>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) **CVEID:** [_CVE-2016-6136_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6136>)** DESCRIPTION:** Linux Kernel could allow a local attacker to obtain sensitive information, caused by a race condition in the Linux-4.6.1/kernel/auditsc.c when the driver fetches user space data using copy_from_user(). A local attacker could exploit this vulnerability to obtain sensitive information. CVSS Base Score: 4 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114719_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114719>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) **CVEID:** [_CVE-2016-5829_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5829>)** DESCRIPTION:** Linux Kernel is vulnerable to a buffer overflow, caused by improper bounds checking by the hiddev driver code. By sending a specially crafted ioctl call, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. CVSS Base Score: 7.3 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114457_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114457>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L) **CVEID:** [_CVE-2016-5828_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5828>)** DESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by the improper handling of Transactional Memory on powerpc systems. By starting a transaction, suspending it, and then calling any of the exec() class system calls, an attacker could exploit this vulnerability to cause the system to crash. CVSS Base Score: 6.2 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114456_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114456>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) **CVEID:** [_CVE-2016-5412_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5412>)** DESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by an error in book3s_hv_rmhandlers.S. If CONFIG_KVM_BOOK3S_64_HV is enabled, a local attacker could exploit this vulnerability to cause the host to enter into an infinite loop. CVSS Base Score: 6.5 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116181_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116181>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H) **CVEID:** [_CVE-2016-4794_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4794>)** DESCRIPTION:** Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a use-after-free in array_map_alloc. An attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base Score: 5.9 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113188_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113188>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) **CVEID:** [_CVE-2016-4581_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4581>)** DESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by the improper handling of the first propagated copy. A local attacker could exploit this vulnerability to cause a kernel oops. CVSS Base Score: 6.2 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113159_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113159>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) **CVEID:** [_CVE-2016-4578_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4578>)** DESCRIPTION:** Linux Kernel could allow a local attacker to obtain sensitive information, caused by an information leak in sound/core/timer.c. An attacker could exploit this vulnerability to obtain sensitive information. CVSS Base Score: 6.2 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113158_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113158>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) **CVEID:** [_CVE-2016-3699_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3699>)** DESCRIPTION:** Linux Kernel could allow a local attacker to gain elevated privileges on the system. By appending ACPI tables to the initrd, an attacker could exploit this vulnerability to bypass intended Secure Boot restrictions and execute arbitrary code on the system. CVSS Base Score: 7.4 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/118241_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118241>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) **CVEID:** [_CVE-2016-3156_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3156>)** DESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by an error when destroying a network. A local authenticated attacker could exploit this vulnerability using a huge number of ipv4 addresses to keep rtnl_lock for a very long time and block network related operations. CVSS Base Score: 3.3 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112056_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112056>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L) **CVEID:** [_CVE-2016-4569_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4569>)** DESCRIPTION:** Linux Kernel could allow a local attacker to obtain sensitive information, caused by an information leak in sound/core/timer.c. An attacker could exploit this vulnerability to obtain sensitive information. CVSS Base Score: 4 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113190_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113190>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) **CVEID:** [_CVE-2016-2847_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2847>)** DESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by an error related to the per-user limit. By filling pipes with an overly large amount of data, an attacker could exploit this vulnerability to consume an overly large amount of kernel memory resources. CVSS Base Score: 6.2 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111306_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111306>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) **CVEID:** [_CVE-2016-2384_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2384>)** DESCRIPTION:** Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a double-free in the ALSA USB MIDI driver. An attacker could exploit this vulnerability using an invalid USB descriptor to execute arbitrary code on the system. CVSS Base Score: 5.9 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/110587_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/110587>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) **CVEID:** [_CVE-2016-2069_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2069>)** DESCRIPTION:** Linux Kernel could allow a local attacker to gain elevated privileges on the system, caused by a race condition in arch/x86/mm/tlb.c. By triggering access to a paging structure by a different CPU, a local attacker could exploit this vulnerability to gain elevated privileges on the system. CVSS Base Score: 8.4 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113822_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113822>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) **CVEID:** [_CVE-2016-2053_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2053>)** DESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by an error in the asn1_ber_decoder function. A remote attacker could exploit this vulnerability using an ASN.1 BER file that lacks a public key to cause a denial of service. CVSS Base Score: 5.9 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114430_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114430>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) **CVEID:** [_CVE-2015-8956_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8956>)** DESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c. By using vectors involving a bind system call on a Bluetooth RFCOMM socket, an attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service on the system. CVSS Base Score: 6.1 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/118238_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118238>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L) **CVEID:** [_CVE-2015-8845_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8845>)** DESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by an error when restoring machine specific registers on the power pc platform. Incorrect transactional memory state registers modify the call path on return from userspace. An attacker could exploit this vulnerability to cause a kernel panic. CVSS Base Score: 6.2 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112156_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112156>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) **CVEID:** [_CVE-2015-8844_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8844>)** DESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by an error when restoring machine specific registers T and S bits on the power pc platform. Incorrect transactional memory state registers modify the call path on return from userspace. An attacker could exploit this vulnerability to cause a kernel panic. CVSS Base Score: 6.2 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112155_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112155>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) **CVEID:** [_CVE-2015-8812_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8812>)** DESCRIPTION:** Linux Kernel could allow a local attacker to gain elevated privileges on the system, caused by a use-after-free in the CXGB3 kernel driver when the network was considered congested. An attacker could exploit this vulnerability to gain elevated privileges on the system. CVSS Base Score: 8.4 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/110574_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/110574>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) **CVEID:** [_CVE-2015-8746_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8746>)** DESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in the client. A local attacker could exploit this vulnerability to cause a kernel panic. CVSS Base Score: 6.2 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109545_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109545>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) **CVEID:** [_CVE-2015-8543_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8543>)** DESCRIPTION:** Linux Kernel could allow a local attacker to gain elevated privileges on the system, caused by the failure to validate protocol identifiers for certain protocol families by the networking implementation. An attacker could exploit this vulnerability to execute arbitrary code on the system with elevated privileges or cause the kernel to panic CVSS Base Score: 7.8 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/109383_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/109383>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) **CVEID:** [_CVE-2015-8374_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8374>)** DESCRIPTION:** Linux Kernel could allow a remote authenticated attacker to obtain sensitive information, caused by a information leak when truncating compressed/inlined extents on BTRFS. An attacker could exploit this vulnerability to obtain the truncated data. CVSS Base Score: 4.3 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/108371_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/108371>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) **CVEID:** [_CVE-2013-4312_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4312>)** DESCRIPTION:** Linux Kernel could allow a local attacker to bypass security restrictions. By sending specially-crafted file descriptors over a UNIX socket, an attacker could exploit this vulnerability to bypass file-descriptor limits and cause a denial of service. CVSS Base Score: 5.1 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/110778_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/110778>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L) **CVEID:** [_CVE-2016-3070_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3070>)** DESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by the improper interaction with mm/migrate.c by the trace_writeback_dirty_page implementation. By triggering a certain page move, a local attacker could exploit this vulnerability to cause a NULL pointer dereference and crash the system. CVSS Base Score: 6.2 CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116338_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116338>) for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) ## Affected Products and Versions IBM SAN Volume Controller IBM Storwize V7000 IBM Storwize V5000 IBM Storwize V3700 IBM Storwize V3500 IBM FlashSystem V9000 IBM Spectrum Virtualize Software IBM Spectrum Virtualize for Public Cloud All products are affected when running supported versions 7.6 to 8.1. ## Remediation/Fixes IBM recommends that you fix this vulnerability by upgrading affected versions of IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500, IBM FlashSystem V9000, IBM Spectrum Virtualize Software, and IBM Spectrum Virtualize for Public Cloud to the following code levels or higher: 7.7.1.9 7.8.1.6 8.1.1.2 8.1.2.1 [_Latest IBM SAN Volume Controller Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Storage%20virtualization&product=ibm/StorageSoftware/SAN+Volume+Controller+\(2145\)&release=All&platform=All&function=all>) [_Latest IBM Storwize V7000 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Mid-range%20disk%20systems&product=ibm/Storage_Disk/IBM+Storwize+V7000+\(2076\)&release=All&platform=All&function=all>) [_Latest IBM Storwize V5000 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Mid-range%20disk%20systems&product=ibm/Storage_Disk/IBM+Storwize+V5000&release=All&platform=All&function=all>) [_Latest IBM Storwize V3700 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Entry-level%20disk%20systems&product=ibm/Storage_Disk/IBM+Storwize+V3700&release=All&platform=All&function=all>) [_Latest IBM Storwize V3500 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Entry-level%20disk%20systems&product=ibm/Storage_Disk/IBM+Storwize+V3500&release=All&platform=All&function=all>) [_Latest IBM FlashSystem V9000 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%20high%20availability%20systems&product=ibm/StorageSoftware/IBM+FlashSystem+V9000&release=All&platform=All&function=all>) [_Latest IBM Spectrum Virtualize Software_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Virtualize+software&release=8.1&platform=All&function=all>) [_Latest IBM Spectrum Virtualize for Public Cloud_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Virtualize+for+Public+Cloud&release=8.1&platform=All&function=all>) For unsupported versions of the above products, IBM recommends upgrading to a fixed, supported version of code. ## Workarounds and Mitigations Although IBM recommends that you install a level of code with a fix for this vulnerability, you can mitigate, although not eliminate, your risk until you have done so by ensuring that all users who have access to the system are authenticated by another security system such as a firewall. ## Get Notified about Future Security Bulletins Subscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this. ### References [Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> "Link resides outside of ibm.com" ) [On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> "Link resides outside of ibm.com" ) [Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> "Link resides outside of ibm.com" ) [On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> "Link resides outside of ibm.com" ) Off ## Related Information [IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) [IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>) [_Subscribe to Security Bulletins_](<http://www.ibm.com/support/mynotifications/>) ## Acknowledgement None ## Change History 11 May 2018: Original version published *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin. ## Disclaimer Review the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment. [{"Product":{"code":"ST3FR7","label":"IBM Storwize V7000 (2076)"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Component":"6.1","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.1;6.2;6.3;6.4;7.1;7.2;7.3;7.4;7.5;7.6;7.6.1;7.7;7.7.1;7.8;7.8.1;8.1;8.1.1","Edition":"","Line of Business":{"code":"","label":""}},{"Product":{"code":"STLM6B","label":"IBM Storwize V3500 (2071)"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Component":"Not Applicable","Platform":[{"code":"PF025","label":"Platform Independent"},{"code":"PF025","label":"Platform Independent"}],"Version":"Version Independent;Version Independent","Edition":"","Line of Business":{"code":"","label":""}},{"Product":{"code":"STLM5A","label":"IBM Storwize V3700 (2072)"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Component":"Not Applicable","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"Version Independent","Edition":"","Line of Business":{"code":"","label":""}},{"Product":{"code":"STHGUJ","label":"IBM Storwize V5000 and V5100"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Component":"Not Applicable","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"Version Independent","Edition":"","Line of Business":{"code":"","label":""}},{"Product":{"code":"STPVGU","label":"SAN Volume Controller"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Component":"Not Applicable","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"Version Independent","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}},{"Product":{"code":"STKMQV","label":"IBM FlashSystem V9000"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Component":" ","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"Version Independent","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}},{"Product":{"code":"SS4S7L","label":"IBM Spectrum Virtualize Software"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Component":"Not Applicable","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}},{"Product":{"code":"STHLEK","label":"IBM Spectrum Virtualize for Public Cloud"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Component":" ","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}}]


Affected Software


CPE Name Name Version
ibm storwize v7000 (2076) 6.1
ibm storwize v7000 (2076) 6.2
ibm storwize v7000 (2076) 6.3
ibm storwize v7000 (2076) 6.4
ibm storwize v7000 (2076) 7.1
ibm storwize v7000 (2076) 7.2
ibm storwize v7000 (2076) 7.3
ibm storwize v7000 (2076) 7.4
ibm storwize v7000 (2076) 7.5
ibm storwize v7000 (2076) 7.6
ibm storwize v7000 (2076) 7.6.1
ibm storwize v7000 (2076) 7.7
ibm storwize v7000 (2076) 7.7.1
ibm storwize v7000 (2076) 7.8
ibm storwize v7000 (2076) 7.8.1
ibm storwize v7000 (2076) 8.1
ibm storwize v7000 (2076) 8.1.1
ibm spectrum virtualize software any
ibm spectrum virtualize for public cloud any

Related