Storwize V7000 Unified includes multiple software components for which the vendors have provided fixes for security vulnerabilities in such components.
|Vendor||Vendor ID||Vendor Title||Included CVEs|
|Red Hat||RHSA-2012-0143||Critical: xulrunner security update||CVE-2011-3026|
|Red Hat||RHSA-2012-0317||Important: libpng security update||CVE-2011-3026|
|Red Hat||RHSA-2012-0128||Moderate: httpd security update||CVE-2011-3639|
|Apache||Apache Tomcat 6.0.33||Fixed in Apache Tomcat 6.0.33||CVE-2011-1184|
|Apache||Apache Tomcat 6.0.35||Fixed in Apache Tomcat 6.0.35||CVE-2011-3190|
Storwize V7000 Unified has integrated updated versions of the software components for which the vendors have provided fixes for security vulnerabilities.
Please see vendor documentation for CVSS scores and CVSS vector.
- Affected releases: Storwize V7000 Unified 1.3 through 184.108.40.206.
- Releases/systems/configurations NOT affected: Storwize 7000 Unified 220.127.116.11 and above, Storwize 7000 Unified 18.104.22.168 and above.
Vendor Fix(es): The issue was fixed beginning with version Storwize V7000 Unified 22.214.171.124 and 126.96.36.199. Storwize V7000 Unified customers running an earlier version (e.g. Storwize V7000 Unified 188.8.131.52) must upgrade to Storwize V7000 Unified 184.108.40.206, 220.127.116.11 or a later version.
Mitigation(s): Storwize V7000 Unified is not exposed to CVE-2011-3026 during normal operation. Service procedures which use the Firefox web browser may activate the vulnerable code. Service personnel must not browse web pages on the internet to avoid the processing of web pages with malicious content.
The Tomcat related vulnerabilities are exposed to the Storwize V7000 Unified management and service IP addresses only, but not to the public IP addresses which are used for NAS data access. It is recommended that the management and service IP addresses will be attached to a management network only.
- Complete CVSS Guide
- On-line Calculator V2
- Apache Tomcat 6.0.33
- Apache Tomcat 6.0.35
- 03/18/13: Original copy published.
The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response."
IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
17 June 2018