SB2017050821 - Multiple vulnerabilities in SAN Volume Controller, Storwize family and FlashSystem V9000 products

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Modification of information (CVE-ID: CVE-2016-5546)

The vulnerability allows a remote unauthenticated attacker to modify information.

The weakness exists due to unknown error in Oracle Java SE Java SE Embedded and Jrockit related to the Libraries component. A remote attacker can modify arbitrary data on the system.

2) Information disclosure (CVE-ID: CVE-2016-5548)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information.

The weakness exists due to unknown error in Oracle Java SE and Java SE Embedded related to the Libraries component. A remote attacker can trick the victim into visiting a specially crafted webpage and read important files on the target system.

Successful exploitation of the vulnerability results in information disclosure.

3) Information disclosure (CVE-ID: CVE-2016-5549)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information.

The weakness exists due to unknown error in Oracle Java SE and Java SE Embedded related to the Libraries component. A remote attacker can trick the victim into visiting a specially crafted webpage and read important files on the target system.

Successful exploitation of the vulnerability results in information disclosure.

4) Denial of service (CVE-ID: CVE-2016-5547)

The vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.

The weakness exists due to unknown error in Oracle Java SE Java SE Embedded and Jrockit related to the Libraries component. A remote attacker can cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/support/pages/node/697341