Lenovo XClarity Administrator Credential Disclosure - us

Lenovo Security Advisory: LEN-13671

Potential Impact: Disclosure of credentials to a non-administrative user

Severity: High

**Scope of Impact:**Lenovo Specific

**CVE Identifier:**CVE-2017-3745

Summary Description:

During an internal assessment, a vulnerability was identified in Lenovo XClarity Administrator (LXCA) version 1.2.2. If service data is downloaded from LXCA, a non-administrative user may have access to password information for users that have previously authenticated to the LXCA’s internal LDAP server, including administrative accounts and service accounts with administrative privileges. This is an issue only for users who have used local authentication with LXCA and not remote authentication against external LDAP or ADFS servers.

Lenovo XClarity Administrator is a centralized, resource-management solution for Lenovo server systems and solutions.

Mitigation Strategy for Customers (what you should do to protect yourself):

Update your system to LXCA version 1.3.0 or later by clicking here.

For a complete list of all Lenovo Product Security Advisories, click here.

Revision History:

Revision

|

Date

|

Description

—|—|—

1

|

6/8/2017

|

Initial Release

For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on as “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.