LenovoLENOVO:PS500144-NOSIDLenovo StorSelect DX8200C glibc, Linux Kernel and Cloudian Management Console Vulnerabilities - us
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
0.002 Low
EPSS
Percentile
61.9%
Lenovo Security Advisory: LEN-17538
Potential Impact: Arbitrary Code Execution
Severity: High
**Scope of Impact:**Industry-Wide
**CVE Identifier:**CVE-2017-1000364, CVE-2017-1000366
Summary:
Several vulnerabilities have been identified on the Lenovo StorSelect DX8200C MT 5120 running versions of Cloudian HyperStore earlier than v6.2.1.
Lenovo StorSelect is a software-defined storage (SDS) solution that runs on Lenovo x86 servers.
All appliance customers are advised to review this article and take necessary action for their CentOS 6.8. Vulnerabilities have been reported by Redhat in the Linux glibc and kernel packages, and remedies have been provided.
- CVE-2017-1000364: An issue was discovered in the size of the stack guard page on Linux, specifically a 4k stack guard page is not sufficiently large and can be βjumpedβ over (the stack guard page is bypassed), this affects Linux Kernel versions 4.11.5 and earlier (the stackguard page was introduced in 2010).
- CVE-2017-1000366: glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution.
- Possible security vulnerabilities have been found in Cloudian Management Console (CMC), where a malicious user with system admin privilege can run arbitrary OS commands on HyperStore nodes via CMC. These issues have been fixed in Cloudian HyperStore v6.2.1 and later versions. Affected Versions: Cloudian HyperStore v6.0.x, v6.1.x, and v6.2.
Mitigation Strategy for Customers (what you should do to protect yourself):
- Apply the patches by following Red Hat guidance for the following CVEs:
- Licensed Lenovo StorSelect DX8200C users should access the Cloudian support portal for more information and to download the fix.
For StorSelect DX8200C Licensed End Users: <https://cloudian-support.force.com/lenovo/50110000000EMp4>
For a complete list of all Lenovo Product Security Advisories, click here.
Revision History:
Revision
|
Date
|
Description
β|β|β
1
|
10/26/2017
|
Initial release
For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on as βas isβ basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.
Related
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
0.002 Low
EPSS
Percentile
61.9%