Lenovo Security Advisory: LEN-22168
Potential Impact: Privilege escalation
Severity: Critical
Scope of Impact: Lenovo-specific
CVE Identifier: CVE-2018-9064, CVE-2018-9065, CVE-2018-9066
Summary Description:
A Lenovo internal product security audit has led to the discovery of access control vulnerabilities in the XClarity Administrator (LXCA) web API. An authenticated LXCA user may abuse web API calls to retrieve the credentials for the System Manager user; inject additional parameters into a specific web API call which can result in privileged command execution within LXCA's underlying operating system; or under limited circumstances, retrieve the service processor user name and password for servers previously managed by that LXCA instance.
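The two weakness classes named above (a credential-returning call that checks only authentication, and a call that folds request parameters into a privileged command) are shown below in generic form, each beside a hardened version. This is an added illustration written for this advisory page, not Lenovo's or LXCA's code; every name, role, endpoint and credential value in it is constructed, and the ping command stands in for whatever privileged operation the real call performed.

```python
"""Added example: two access-control weaknesses of the kind LEN-22168 describes,
each beside a hardened form. All names, roles, endpoints and credential values
here are constructed for illustration; none is LXCA's real API or code."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str  # constructed roles: "admin" or "operator"


# Constructed stand-in for a stored privileged account; placeholder values only.
SYSTEM_MANAGER_CREDENTIALS = {"username": "system-manager", "password": "<placeholder>"}


def get_system_manager_credentials_vulnerable(caller: User) -> dict:
    """Authentication only: any logged-in user receives the privileged credentials.
    This is the missing-authorization pattern behind a credential-disclosure bug."""
    return dict(SYSTEM_MANAGER_CREDENTIALS)


def get_system_manager_credentials_hardened(caller: User) -> dict:
    """Authorization added: only an admin may read the privileged credentials."""
    if caller.role != "admin":
        raise PermissionError(
            f"{caller.name} ({caller.role}) may not read system manager credentials"
        )
    return dict(SYSTEM_MANAGER_CREDENTIALS)


# Hostname/IP characters only; spaces and shell metacharacters are rejected.
HOST_RE = re.compile(r"^[A-Za-z0-9.\-:]{1,253}$")


def build_ping_command_vulnerable(params: dict) -> str:
    """Builds a shell command string from every request parameter it receives.
    Extra or crafted parameters are concatenated as-is, so they reach the shell."""
    return "ping -c 1 " + " ".join(str(v) for v in params.values())


def build_ping_command_hardened(params: dict) -> list:
    """Accepts exactly one known parameter, validates it, and returns an argv list
    that the caller passes to subprocess.run(argv) with no shell involved."""
    unexpected = set(params) - {"host"}
    if unexpected:
        raise ValueError(f"unexpected parameters: {sorted(unexpected)}")
    host = params.get("host")
    if not isinstance(host, str) or not HOST_RE.match(host):
        raise ValueError("host must be a hostname or IP address")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    operator = User("alice", "operator")
    print(get_system_manager_credentials_vulnerable(operator))  # leaks to any user
    try:
        get_system_manager_credentials_hardened(operator)
    except PermissionError as err:
        print("hardened:", err)
    # Constructed request carrying one expected and one unexpected parameter.
    crafted = {"host": "192.0.2.10", "extra": "; echo injected"}
    print(build_ping_command_vulnerable(crafted))  # shell would see two commands
    try:
        build_ping_command_hardened(crafted)
    except ValueError as err:
        print("hardened:", err)
```

The hardened variants make the two defensive points a reviewer would check for in any management web API: every call that returns or acts on privileged material must test the caller's role, not merely that a session exists, and a call that reaches the operating system must accept a fixed set of named parameters, validate each against an allowlist, and pass them as an argument vector rather than a shell string.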
Mitigation Strategy for Customers (what you should do to protect yourself):
Update your LXCA installation to the latest version 2.1.0 or later.
A complete list of all Lenovo Product Security Advisories is available from Lenovo.
Revision History:
Revision | Date       | Description
1        | 2018-07-26 | Initial release
For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an "as is" basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.