Multiple vulnerabilities in SAN Volume Controller, Storwize family and FlashSystem V9000 products
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2016-5385 CVE-2016-5386 CVE-2016-5387 CVE-2016-5388 |
| CWE-ID | CWE-79 CWE-284 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #3 is available. |
| Vulnerable software |
IBM FlashSystem V9000 Hardware solutions / Other hardware appliances IBM Storwize V3500 Hardware solutions / Other hardware appliances IBM Storwize V3700 Hardware solutions / Other hardware appliances IBM Storwize V5000 Hardware solutions / Other hardware appliances IBM Storwize V7000 Hardware solutions / Other hardware appliances |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Environment variable injection in TYPO3
EUVDB-ID: #VU194
Risk: High
CVSSv3.1: 7.4 [AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-5385
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to redirect an application's outbound HTTP traffic.
The vulnerability exists in TYPO3 CMS. A remote attacker can redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request.
Successful exploitation of this vulnerability may result in XSS attack and data injection.
Install update from vendor's website.
Vulnerable software versionsIBM FlashSystem V9000: before 7.6.1.6
IBM Storwize V3500: before 7.6.1.6
IBM Storwize V3700: before 7.6.1.6
IBM Storwize V5000: before 7.6.1.6
IBM Storwize V7000: before 7.6.1.6
CPE2.3- cpe:2.3:h:ibm_corporation:ibm_flashsystem_v9000:*:*:*:*:*:*:*:
- cpe:2.3:h:ibm_corporation:ibm_storwize_v3500:*:*:*:*:*:*:*:
- cpe:2.3:h:ibm_corporation:ibm_storwize_v3700:*:*:*:*:*:*:*:
- cpe:2.3:h:ibm_corporation:ibm_storwize_v5000:*:*:*:*:*:*:*:
- cpe:2.3:h:ibm_corporation:ibm_storwize_v7000:*:*:*:*:*:*:*:
http://www.ibm.com/support/pages/node/696295
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper access control
EUVDB-ID: #VU33632
Risk: High
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-5386
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM FlashSystem V9000: before 7.6.1.6
IBM Storwize V3500: before 7.6.1.6
IBM Storwize V3700: before 7.6.1.6
IBM Storwize V5000: before 7.6.1.6
IBM Storwize V7000: before 7.6.1.6
CPE2.3- cpe:2.3:h:ibm_corporation:ibm_flashsystem_v9000:*:*:*:*:*:*:*:
- cpe:2.3:h:ibm_corporation:ibm_storwize_v3500:*:*:*:*:*:*:*:
- cpe:2.3:h:ibm_corporation:ibm_storwize_v3700:*:*:*:*:*:*:*:
- cpe:2.3:h:ibm_corporation:ibm_storwize_v5000:*:*:*:*:*:*:*:
- cpe:2.3:h:ibm_corporation:ibm_storwize_v7000:*:*:*:*:*:*:*:
http://www.ibm.com/support/pages/node/696295
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Httpoxy issue
EUVDB-ID: #VU337
Risk: Medium
CVSSv3.1: 7.3 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2016-5387
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information and compromise vulnerable server.
The vulnerability exists due to a design error in multiple implementations of web servers. A remote unauthenticated attacker can use a specially crafted Proxy header in HTTP request to influence HTTP_PROXY environment variable and redirect application’s HTTP traffic to arbitrary proxy server.
Successful exploitation of this vulnerability may allow an attacker to gain unauthorized access to sensitive information and compromise vulnerable server.
This vulnerability is known as httppoxy.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM FlashSystem V9000: before 7.6.1.6
IBM Storwize V3500: before 7.6.1.6
IBM Storwize V3700: before 7.6.1.6
IBM Storwize V5000: before 7.6.1.6
IBM Storwize V7000: before 7.6.1.6
CPE2.3- cpe:2.3:h:ibm_corporation:ibm_flashsystem_v9000:*:*:*:*:*:*:*:
- cpe:2.3:h:ibm_corporation:ibm_storwize_v3500:*:*:*:*:*:*:*:
- cpe:2.3:h:ibm_corporation:ibm_storwize_v3700:*:*:*:*:*:*:*:
- cpe:2.3:h:ibm_corporation:ibm_storwize_v5000:*:*:*:*:*:*:*:
- cpe:2.3:h:ibm_corporation:ibm_storwize_v7000:*:*:*:*:*:*:*:
http://www.ibm.com/support/pages/node/696295
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
4) Improper access control
EUVDB-ID: #VU64586
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-5388
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable. A remote attacker can redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM FlashSystem V9000: before 7.6.1.6
IBM Storwize V3500: before 7.6.1.6
IBM Storwize V3700: before 7.6.1.6
IBM Storwize V5000: before 7.6.1.6
IBM Storwize V7000: before 7.6.1.6
CPE2.3- cpe:2.3:h:ibm_corporation:ibm_flashsystem_v9000:*:*:*:*:*:*:*:
- cpe:2.3:h:ibm_corporation:ibm_storwize_v3500:*:*:*:*:*:*:*:
- cpe:2.3:h:ibm_corporation:ibm_storwize_v3700:*:*:*:*:*:*:*:
- cpe:2.3:h:ibm_corporation:ibm_storwize_v5000:*:*:*:*:*:*:*:
- cpe:2.3:h:ibm_corporation:ibm_storwize_v7000:*:*:*:*:*:*:*:
http://www.ibm.com/support/pages/node/696295
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
