Jul 26, 2018 - 4:56 p.m.

XClarity Administrator (LXCA) API Vulnerabilities - Lenovo Support US

2018-07-26 16:56:00
support.lenovo.com
10

0.001 Low

EPSS

Percentile

42.9%

Lenovo Security Advisory: LEN-22168

Potential Impact: Privilege escalation

Severity: Critical

Scope of Impact: Lenovo-specific

CVE Identifier: CVE-2018-9064, CVE-2018-9065, CVE-2018-9066

Summary Description:

A Lenovo internal product security audit has led to the discovery of access control vulnerabilities in the XClarity Administrator (LXCA) web API. An authenticated LXCA user may abuse web API calls to retrieve the credentials for the System Manager user; inject additional parameters into a specific web API call which can result in privileged command execution within LXCA’s underlying operating system; or under limited circumstances, retrieve the service processor user name and password for servers previously managed by that LXCA instance.

Mitigation Strategy for Customers (what you should do to protect yourself):

Update your LXCA installation to the latest version 2.1.0 or later.


Revision History:

Revision | Date | Description
---|---|---
1 | 2018-07-26 | Initial release

For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.
