IBM Support

Security Bulletin: Vulnerabilities have been identified with the DS8900F Hardware Management Console (HMC)

Summary

The updates indicated below have been released to address the following vulnerabilities: CVE-2023-46169 (arbitrary file deletion), CVE-2023-46171 (view sensitive log information), CVE-2023-46172 (bypass authentication restrictions for an authorized user), CVE-2023-46170 (arbitrary file read), and CVE-2023-40743 (Apache Axis). Note 1: CVE-2023-46169, CVE-2023-46170, CVE-2023-46171, and CVE-2023-46172 only affect HMC log files that do not contain any customer data. The DS8900F HMC does not contain any files with customer data, and external users cannot access customer data. Note 2: CVE-2023-40743 only affects those DS8900F HMCs that use LDAP authentication via CSM as an LDAP proxy.

Vulnerability Details

CVEID:   CVE-2023-46171
DESCRIPTION:   IBM DS8900F HMC could allow an authenticated user to view sensitive log information after enumerating filenames.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/269408 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2023-46170
DESCRIPTION:   IBM DS8900F HMC could allow an authenticated user to arbitrarily read files after enumerating file names.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/269407 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2023-46172
DESCRIPTION:   IBM DS8900F HMC could allow a remote attacker to bypass authentication restrictions for an authorized user.
CVSS Base score: 5.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/269409 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:   CVE-2023-46169
DESCRIPTION:   IBM DS8900F HMC could allow an authenticated user to arbitrarily delete a file.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/269406 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

CVEID:   CVE-2023-40743
DESCRIPTION:   Apache Axis could allow a remote attacker to execute arbitrary code on the system, caused by improper input validation by the ServiceFactory.getService function. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code, cause a denial of service or perform SSRF attacks.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/265157 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

All versions of microcode for the DS8900F prior to and including the following version(s) are affected.

Note 1: CVE-2023-46169, CVE-2023-46170, CVE-2023-46171, and CVE-2023-46172 only affect HMC log files that do not contain any customer data. The DS8900F HMC does not contain any files with customer data, and external users cannot access customer data.

Note 2: CVE-2023-40743 only affects those DS8900F HMCs that use LDAP authentication via CSM as an LDAP proxy.

Affected Product(s)    Version(s)
DS8900F R9.2           89.22.19.0
DS8900F R9.3           89.30.68.0
                       89.32.40.0
                       89.33.48.0

Remediation/Fixes

DS8900F fixes for all of the CVEs listed above are delivered in Microcode Bundle 89.40.89.0 R9.4 GA2.

DS8900F fixes for CVE-2023-40743 are delivered in:

  • Microcode Bundle 89.33.51.0 R9.3 Service Pack 3.5
  • ICS CVE_NI_AXIS_v1.0.iso. This ICS is applicable from Microcode Bundle 89.32.37.0 R9.3 Service Pack 2 to Microcode Bundle 89.33.48.0 R9.3 Service Pack 3.4


DS8900F customers should either schedule Remote Code Load (RCL) via https://www.ibm.com/support/pages/ibm-remote-code-load or contact IBM support, and request that 89.40.89.0, 89.33.51.0, or ICS CVE_NI_AXIS_v1.0.iso be applied to their systems. Note that 89.33.51.0 and the ICS address CVE-2023-40743 only; the four HMC file-handling CVEs require 89.40.89.0.
NOTE : For the current recommended code releases, please see https://www.ibm.com/support/pages/ds8000-code-recommendation
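The following is an added triage helper, not IBM tooling or code from this bulletin. It encodes the fix levels stated in this section (89.40.89.0 for every CVE, 89.33.51.0 and the CVE_NI_AXIS_v1.0.iso ICS range 89.32.37.0 to 89.33.48.0 for CVE-2023-40743 only) and the Note 2 condition, and reports what is still open for a given installed bundle. The function names, the `ldap_via_csm_proxy` flag, and the assumption that bundle versions order numerically field by field with later bundles carrying forward earlier fixes are mine, not the bulletin's.

```python
"""Triage an installed DS8900F microcode bundle against this bulletin.

Added example, not IBM code. Assumptions not stated on the page: bundle
versions compare numerically field by field, and a later bundle carries
forward every fix delivered in an earlier one.
"""
from __future__ import annotations

HMC_CVES = ("CVE-2023-46169", "CVE-2023-46170", "CVE-2023-46171", "CVE-2023-46172")
AXIS_CVE = "CVE-2023-40743"

FULL_FIX = "89.40.89.0"                   # R9.4 GA2: fixes for every CVE in the bulletin
AXIS_FIX_R93 = "89.33.51.0"               # R9.3 SP3.5: fix for CVE-2023-40743 only
ICS_RANGE = ("89.32.37.0", "89.33.48.0")  # CVE_NI_AXIS_v1.0.iso applies to this range, inclusive
ICS_NAME = "CVE_NI_AXIS_v1.0.iso"


def parse_bundle(version: str) -> tuple[int, int, int, int]:
    """Turn '89.33.48.0' into a comparable 4-tuple; reject anything malformed."""
    fields = version.strip().split(".")
    if len(fields) != 4 or not all(f.isdigit() for f in fields):
        raise ValueError(f"not a DS8900F bundle version: {version!r}")
    a, b, c, d = (int(f) for f in fields)
    return (a, b, c, d)


def triage(installed: str, ldap_via_csm_proxy: bool) -> dict:
    """Return the CVEs still open on `installed` and the remediation options.

    ldap_via_csm_proxy: True when the HMC authenticates via LDAP using CSM as
    an LDAP proxy, the only configuration Note 2 says CVE-2023-40743 affects.
    """
    v = parse_bundle(installed)
    open_cves: list[str] = []
    actions: list[str] = []

    # The four HMC file-handling CVEs are fixed only at the R9.4 GA2 level.
    if v < parse_bundle(FULL_FIX):
        open_cves.extend(HMC_CVES)
        actions.append(f"apply Microcode Bundle {FULL_FIX} (R9.4 GA2)")

    # The Axis CVE has its own R9.3 fix level and an interim ICS for a sub-range.
    if ldap_via_csm_proxy and v < parse_bundle(AXIS_FIX_R93):
        open_cves.append(AXIS_CVE)
        if parse_bundle(ICS_RANGE[0]) <= v <= parse_bundle(ICS_RANGE[1]):
            actions.append(f"apply ICS {ICS_NAME} (interim fix for {AXIS_CVE} only)")
        actions.append(f"apply Microcode Bundle {AXIS_FIX_R93} (R9.3 SP3.5, fixes {AXIS_CVE} only)")

    return {"installed": installed, "open_cves": open_cves, "actions": actions}


if __name__ == "__main__":
    # Constructed sample inventory: (bundle, uses LDAP via CSM proxy)
    for bundle, ldap in [("89.22.19.0", True), ("89.33.48.0", True),
                         ("89.33.51.0", True), ("89.40.89.0", True),
                         ("89.30.68.0", False)]:
        result = triage(bundle, ldap)
        print(bundle, "open:", result["open_cves"])
        for action in result["actions"]:
            print("   ->", action)
```

An HMC at 89.33.48.0 using CSM as an LDAP proxy gets the ICS listed as an option because it sits inside the ICS range, while one at 89.22.19.0 (R9.2) does not, since the ICS is not applicable below 89.32.37.0; either way the four HMC CVEs stay open until 89.40.89.0 is applied.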

Workarounds and Mitigations

None

References

Acknowledgement

The vulnerability was reported to IBM by Rushank Shetty and Ryan Kane (Security Researchers at Northwestern Mutual).

Change History

06 Mar 2024: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

Document Location

Worldwide

Document Information

Modified date:
05 April 2024

UID

ibm17130084