Security Bulletin
Summary
Security Bulletin: Vulnerabilities in Bash affect SAN Volume Controller and Storwize Family (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278)
Vulnerability Details
Security Bulletin |
|---|
Summary |
|---|
There are security vulnerabilities in SSLv3 that is used by SAN Volume Controller and Storwize Family. In addition, OpenSSL vulnerabilities along with SSL 3 Fallback protection (TLS_FALLBACK_SCSV) were disclosed on October 15, 2014 by the OpenSSL Project. OpenSSL is used by SAN Volume Controller and Storwize Family. SAN Volume Controller and Storwize Family has addressed the applicable CVEs and included the SSL 3.0 Fallback protection (TLS_FALLBACK_SCSV) provided by OpenSSL.
Vulnerability Details |
|---|
CVE-ID: CVE-2014-3566
DESCRIPTION: Product could allow a remote
attacker to obtain sensitive information, caused by a design error
when using the SSLv3 protocol. A remote user with the ability to
conduct a man-in-the-middle attack could exploit this vulnerability
via a POODLE (Padding Oracle On Downgraded Legacy Encryption)
attack to decrypt SSL sessions and access the plaintext of
encrypted connections.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97013
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVE-ID: CVE-2014-3567
DESCRIPTION: OpenSSL is vulnerable to a denial of
service, caused by a memory leak when handling failed session
ticket integrity checks. By sending an overly large number of
invalid session tickets, an attacker could exploit this
vulnerability to exhaust all available memory of an SSL/TLS or DTLS
server.
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97036
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Affected Products and Versions |
|---|
IBM SAN Volume Controller
Storwize V7000 for Lenovo
Storwize V5000 for Lenovo
Storwize V3700 for Lenovo
Storwize V3500 for Lenovo
All products are affected when running any releases, from 1.1 to
7.3.
Remediation/Fixes |
|---|
IBM recommends that you fix this vulnerability by upgrading
affected versions of IBM SAN Volume Controller, IBM Storwize V7000,
V5000, V3700 and V3500 to the following code levels or higher:
7.1.0.12
7.2.0.10
7.3.0.8
Latest SAN Volume Controller Code
Latest
Storwize V7000 Code
Latest
Storwize V5000 Code
Latest
Storwize V3700 Code
Latest
Storwize V3500 Code
IBM recommends that you fix this vulnerability by upgrading
affected versions of IBM Flex System V7000 to the following code
levels or higher:
7.2.0.10
Latest
IBM Flex System V7000 Code
Lenovo recommends that you review your entire environment to
identify areas that enable the SSLv3 protocol and take appropriate
mitigation and remediation actions. The most immediate mitigation
action that can be taken is disabling SSLv3. You should verify
disabling SSLv3 does not cause any compatibility issues.
Workarounds and Mitigations |
|---|
None known
Get Notified about Future Security Bulletins |
|---|
Subscribe to My Notifications to be notified of important product support alerts like this.
References |
|---|
Complete
CVSS Guide
On-line
Calculator V2
Related information |
|---|
IBM
Secure Engineering Web Portal
IBM Product Security
Incident Response Blog
Subscribe
to Security Bulletins
Acknowledgement |
|---|
None
Change History |
|---|
21 Nov 2014: Published draft
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer |
|---|
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." LENOVO PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Cross reference information |
|---|
| Segment | Product | Component | Platform | Version |
|---|---|---|---|---|
| Disk Storage Systems | Storwize V3500 for Lenovo | Not Applicable | Platform Independent | 6.4, 7.1, 7.2, 7.3 |
| Disk Storage Systems | Storwize V3700 for Lenovo | Not Applicable | Platform Independent | 6.4, 7.1, 7.2, 7.3 |
| Disk Storage Systems | Storwize V5000 for Lenovo | Not Applicable | Platform Independent | 7.1, 7.2, 7.3 |
| Disk Storage Systems | Flex System V7000 | Not Applicable | Platform Independent | 6.4, 7.1, 7.2 |
| Storage Virtualization | SAN Volume Controller | Not Applicable | Platform Independent | 6.1, 6.2, 6.3, 6.4, 7.1, 7.2, 7.3 |
Get Notified about Future Security Bulletins
References
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
28 March 2023
UID
ibm1MIGR-5096904