Multiple vulnerabilities in SAN Volume Controller, Storwize family and FlashSystem V9000 products
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2016-5546 CVE-2016-5548 CVE-2016-5549 CVE-2016-5547 |
| CWE-ID | CWE-20 CWE-200 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
IBM SAN Volume Controller Hardware solutions / Other hardware appliances IBM Storwize V3500 Hardware solutions / Other hardware appliances IBM Storwize V3700 Hardware solutions / Other hardware appliances IBM Storwize V5000 Hardware solutions / Other hardware appliances IBM Storwize V7000 Hardware solutions / Other hardware appliances IBM FlashSystem V9000 Hardware solutions / Other hardware appliances |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Modification of information
EUVDB-ID: #VU7325
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2016-5546
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to modify information.
The weakness exists due to unknown error in Oracle Java SE Java SE Embedded and Jrockit related to the Libraries component. A remote attacker can modify arbitrary data on the system.
Install update from vendor's website.
Vulnerable software versionsIBM SAN Volume Controller: before 7.5.0.12
IBM Storwize V3500: before 7.5.0.12
IBM Storwize V3700: before 7.5.0.12
IBM Storwize V5000: before 7.5.0.12
IBM Storwize V7000: before 7.5.0.12
IBM FlashSystem V9000: before 7.6.1.8
CPE2.3- cpe:2.3:h:ibm_corporation:ibm_san_volume_controller:*:*:*:*:*:*:*:*
- cpe:2.3:h:ibm_corporation:ibm_storwize_v3500:*:*:*:*:*:*:*:*
- cpe:2.3:h:ibm_corporation:ibm_storwize_v3700:*:*:*:*:*:*:*:*
- cpe:2.3:h:ibm_corporation:ibm_storwize_v5000:*:*:*:*:*:*:*:*
- cpe:2.3:h:ibm_corporation:ibm_storwize_v7000:*:*:*:*:*:*:*:*
- cpe:2.3:h:ibm_corporation:ibm_flashsystem_v9000:*:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/697341
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Information disclosure
EUVDB-ID: #VU7327
Risk: Low
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-5548
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information.
The weakness exists due to unknown error in Oracle Java SE and Java SE Embedded related to the Libraries component. A remote attacker can trick the victim into visiting a specially crafted webpage and read important files on the target system.
Successful exploitation of the vulnerability results in information disclosure.
Install update from vendor's website.
Vulnerable software versionsIBM SAN Volume Controller: before 7.5.0.12
IBM Storwize V3500: before 7.5.0.12
IBM Storwize V3700: before 7.5.0.12
IBM Storwize V5000: before 7.5.0.12
IBM Storwize V7000: before 7.5.0.12
IBM FlashSystem V9000: before 7.6.1.8
CPE2.3- cpe:2.3:h:ibm_corporation:ibm_san_volume_controller:*:*:*:*:*:*:*:*
- cpe:2.3:h:ibm_corporation:ibm_storwize_v3500:*:*:*:*:*:*:*:*
- cpe:2.3:h:ibm_corporation:ibm_storwize_v3700:*:*:*:*:*:*:*:*
- cpe:2.3:h:ibm_corporation:ibm_storwize_v5000:*:*:*:*:*:*:*:*
- cpe:2.3:h:ibm_corporation:ibm_storwize_v7000:*:*:*:*:*:*:*:*
- cpe:2.3:h:ibm_corporation:ibm_flashsystem_v9000:*:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/697341
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Information disclosure
EUVDB-ID: #VU7328
Risk: Low
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-5549
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information.
The weakness exists due to unknown error in Oracle Java SE and Java SE Embedded related to the Libraries component. A remote attacker can trick the victim into visiting a specially crafted webpage and read important files on the target system.
Successful exploitation of the vulnerability results in information disclosure.
Install update from vendor's website.
Vulnerable software versionsIBM SAN Volume Controller: before 7.5.0.12
IBM Storwize V3500: before 7.5.0.12
IBM Storwize V3700: before 7.5.0.12
IBM Storwize V5000: before 7.5.0.12
IBM Storwize V7000: before 7.5.0.12
IBM FlashSystem V9000: before 7.6.1.8
CPE2.3- cpe:2.3:h:ibm_corporation:ibm_san_volume_controller:*:*:*:*:*:*:*:*
- cpe:2.3:h:ibm_corporation:ibm_storwize_v3500:*:*:*:*:*:*:*:*
- cpe:2.3:h:ibm_corporation:ibm_storwize_v3700:*:*:*:*:*:*:*:*
- cpe:2.3:h:ibm_corporation:ibm_storwize_v5000:*:*:*:*:*:*:*:*
- cpe:2.3:h:ibm_corporation:ibm_storwize_v7000:*:*:*:*:*:*:*:*
- cpe:2.3:h:ibm_corporation:ibm_flashsystem_v9000:*:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/697341
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Denial of service
EUVDB-ID: #VU7326
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-5547
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.
The weakness exists due to unknown error in Oracle Java SE Java SE Embedded and Jrockit related to the Libraries component. A remote attacker can cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Install update from vendor's website.
Vulnerable software versionsIBM SAN Volume Controller: before 7.5.0.12
IBM Storwize V3500: before 7.5.0.12
IBM Storwize V3700: before 7.5.0.12
IBM Storwize V5000: before 7.5.0.12
IBM Storwize V7000: before 7.5.0.12
IBM FlashSystem V9000: before 7.6.1.8
CPE2.3- cpe:2.3:h:ibm_corporation:ibm_san_volume_controller:*:*:*:*:*:*:*:*
- cpe:2.3:h:ibm_corporation:ibm_storwize_v3500:*:*:*:*:*:*:*:*
- cpe:2.3:h:ibm_corporation:ibm_storwize_v3700:*:*:*:*:*:*:*:*
- cpe:2.3:h:ibm_corporation:ibm_storwize_v5000:*:*:*:*:*:*:*:*
- cpe:2.3:h:ibm_corporation:ibm_storwize_v7000:*:*:*:*:*:*:*:*
- cpe:2.3:h:ibm_corporation:ibm_flashsystem_v9000:*:*:*:*:*:*:*:*
https://www.ibm.com/support/pages/node/697341
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
