Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
lenovoLenovoLENOVO:PS500389-LENOVO-XCLARITY-ORCHESTRATOR-LXCO-INFORMATION-DISCLOSURE-VULNERABILITIES-NOSID
HistoryMar 09, 2021 - 1:13 p.m.

Lenovo XClarity Orchestrator (LXCO) Information Disclosure Vulnerabilities - Lenovo Support NL

2021-03-0913:13:00
support.lenovo.com
20

0.001 Low

EPSS

Percentile

28.6%

JSON

**Lenovo Security Advisory:**LEN-49884

**Potential Impact:**Information disclosure

**Severity:**Medium

**Scope of Impact:**Lenovo-specific

**CVE Identifier:**CVE-2020-8356, CVE-2021-3417

Summary Description:

The following vulnerabilities were found in Lenovo XClarity Orchestrator (LXCO).

CVE-2020-8356: An internal product security audit of LXCO discovered that optional passwords, if specified, for the Syslog and SMTP forwarders are written to an internal LXCO log file in clear text. Affected logs are captured in the First Failure Data Capture (FFDC) service log. The FFDC service log is only generated when requested by a privileged LXCO user and it is only accessible to the privileged LXCO user that requested the file.

CVE-2021-3417: An internal product security audit of LXCO discovered that credentials for Lenovo XClarity Administrator (LXCA), if added as a Resource Manager, are encoded then written to an internal LXCO log file each time a session is established with LXCA. Affected logs are captured in the First Failure Data Capture (FFDC) service log. The FFDC service log is only generated when requested by a privileged LXCO user and it is only accessible to the privileged LXCO user that requested the file.

Mitigation Strategy for Customers (what you should do to protect yourself):

Update to Lenovo XClarity Orchestrator (LXCO) version 1.2.2 or higher.

References:

LXCO 1.2.2 Fix Bundle: <https://datacentersupport.lenovo.com/in/en/downloads/ds548879&gt;

LXCO Updates: <https://support.lenovo.com/us/en/solutions/ht509976-lenovo-xclarity-orchestrator&gt;

Revision History:

Revision Date Description
1 2021-03-09 Initial release

For a complete list of all Lenovo Product Security Advisories, click here.

For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an β€œas is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.

Related

prion 2
cve 2
cvelist 2
nvd 2
prion
prion
Design/Logic Flaw
2021-03-09 17:15:00
Design/Logic Flaw
2021-03-09 17:15:00
cve
cve
CVE-2020-8356
2021-03-09 17:15:12
CVE-2021-3417
2021-03-09 17:15:12
cvelist
cvelist
CVE-2020-8356
2021-03-09 00:00:00
CVE-2021-3417
2021-03-09 00:00:00
nvd
nvd
CVE-2020-8356
2021-03-09 17:15:12
CVE-2021-3417
2021-03-09 17:15:12

0.001 Low

EPSS

Percentile

28.6%

JSON
Related for LENOVO:PS500389-LENOVO-XCLARITY-ORCHESTRATOR-LXCO-INFORMATION-DISCLOSURE-VULNERABILITIES-NOSID
prion2cve2cvelist2nvd2