IBM Storwize 1.3.x < 1.4.3.4 / 1.5.x < 1.5.0.2 Multiple Vulnerabilities

This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.


Synopsis :

The remote IBM Storwize device is affected by multiple
vulnerabilities.

Description :

The remote IBM Storwize device is running a version that is 1.3.x
prior to 1.4.3.4 or 1.5.x prior to 1.5.0.2. It is, therefore, affected
by multiple vulnerabilities :

- A denial of service vulnerability exists due to a flaw
in the bundled version of Apache HTTP Server. A remote
attacker can exploit this, via partial HTTP requests,
to cause a daemon outage, resulting in a denial of
service condition. (CVE-2007-6750)

- An HTTP request smuggling vulnerability exists due to a
flaw in the bundled version of Apache Tomcat; when an
HTTP connector or AJP connector is used, Tomcat fails to
properly handle certain inconsistent HTTP request
headers. A remote attacker can exploit this flaw, via
multiple Content-Length headers or a Content-Length
header and a 'Transfer-Encoding: chunked' header, to
smuggle an HTTP request in one or more Content-Length
headers. (CVE-2013-4286)

- A denial of service vulnerability exists in the bundled
version of Apache Tomcat due to improper processing of
chunked transfer coding with a large amount of chunked
data or whitespace characters in an HTTP header value
within a trailer field. An unauthenticated, remote
attacker can exploit this to cause a denial of service
condition. (CVE-2013-4322)

- A denial of service vulnerability exists due to a flaw
in the bundled version of Apache Tomcat; an integer
overflow condition exists in the parseChunkHeader()
function in ChunkedInputFilter.java. A remote attacker
can exploit this, via a malformed chunk size that is
part of a chunked request, to cause excessive
consumption of resources, resulting in a denial of
service condition. (CVE-2014-0075)

- A remote code execution vulnerability exists due to a
flaw in the bundled version of Apache Struts. A remote
attacker can manipulate the ClassLoader via the class
parameter, resulting in the execution of arbitrary Java
code. (CVE-2014-0094)

- An XML External Entity (XXE) injection vulnerability
exists due to a flaw in the bundled version of Apache
Tomcat; an incorrectly configured XML parser accepts
XML external entities from an untrusted source via XSLT.
A remote attacker can exploit this, by sending specially
crafted XML data, to gain access to arbitrary files.
(CVE-2014-0096)

- An integer overflow condition exists in the bundled
version of Apache Tomcat. A remote attacker, via a
crafted Content-Length HTTP header, can conduct HTTP
request smuggling attacks. (CVE-2014-0099)

- An information disclosure vulnerability exists due to a
flaw in the bundled version of Apache Tomcat. Tomcat
fails to properly constrain the class loader that
accesses the XML parser used with an XSLT stylesheet. A
remote attacker can exploit this, via a crafted web
application that provides an XML external entity
declaration in conjunction with an entity reference, to
read arbitrary files. (CVE-2014-0119)

- An information disclosure vulnerability exists in the
bundled version of Samba due to a flaw in the
vfswrap_fsctl() function that is triggered when
responding to FSCTL_GET_SHADOW_COPY_DATA or
FSCTL_SRV_ENUMERATE_SNAPSHOTS client requests. An
unauthenticated, remote attacker can exploit this, via
a specially crafted request, to disclose sensitive
information from process memory. (CVE-2014-0178)

- Multiple flaws exist in the bundled version of Mozilla
Firefox that allow a remote attacker to execute
arbitrary code. (CVE-2014-1555, CVE-2014-1556,
CVE-2014-1557)

- An information disclosure vulnerability exists due to
the chkauth password being saved in plaintext in the
audit log. A local attacker can exploit this to gain
administrator access. (CVE-2014-3077)

- A denial of service vulnerability exists due to a flaw
in the bundled version of Samba. An authenticated,
remote attacker can exploit this, via an attempt to read
a Unicode pathname without specifying the use of
Unicode, to cause an application crash. (CVE-2014-3493)

- A security bypass vulnerability exists due to an
unspecified flaw. A remote attacker can exploit this
flaw to reset the administrator password to its default
value via a direct request to the administrative IP
address. Note that this vulnerability only affects the
1.4.x release levels. (CVE-2014-4811)
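The two Tomcat request smuggling items above (CVE-2013-4286 and CVE-2014-0099) both hinge on a request whose body length is ambiguous: multiple Content-Length headers, Content-Length combined with 'Transfer-Encoding: chunked', or a Content-Length value large enough to overflow a parser. The following Python is an added example, not part of the Tenable plugin or of any IBM or Apache code, showing how a reverse proxy or log-triage script can flag those framing conditions before a request reaches a device that has not yet been upgraded. The sample requests and the host name storwize.example are constructed for the example.

```python
from typing import List, Tuple

# Constructed sample requests (not taken from the advisory) that exhibit the
# header combinations it describes. CRLF line endings as on the wire.
CLEAN_REQUEST = (
    b"POST /api HTTP/1.1\r\n"
    b"Host: storwize.example\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"a=1&b"
)
CL_TE_REQUEST = (
    b"POST /api HTTP/1.1\r\n"
    b"Host: storwize.example\r\n"
    b"Content-Length: 4\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)
DOUBLE_CL_REQUEST = (
    b"POST /api HTTP/1.1\r\n"
    b"Host: storwize.example\r\n"
    b"Content-Length: 4\r\n"
    b"Content-Length: 10\r\n"
    b"\r\n"
    b"abcd"
)
HUGE_CL_REQUEST = (
    b"POST /api HTTP/1.1\r\n"
    b"Host: storwize.example\r\n"
    b"Content-Length: 99999999999999999999\r\n"
    b"\r\n"
)


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split the head of a raw request into (lower-cased name, value) pairs.

    Obsolete header folding is not handled: a folded continuation line has
    no colon and is simply skipped, which is fine for framing checks."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep:
            headers.append((name.strip().lower().decode("latin-1"),
                            value.strip().decode("latin-1")))
    return headers


def framing_findings(raw: bytes) -> List[str]:
    """Return the ambiguous-framing conditions found in one request.

    An empty list means the request carries a single, unambiguous body
    length. Anything else should be rejected (RFC 7230 section 3.3.3 allows
    a server to treat these as errors) or at least logged for review."""
    headers = parse_headers(raw)
    cl_values = [v for n, v in headers if n == "content-length"]
    te_values = [v for n, v in headers if n == "transfer-encoding"]
    findings = []
    if len(cl_values) > 1:
        kind = "differing" if len(set(cl_values)) > 1 else "duplicate"
        findings.append(f"{kind} Content-Length headers: {cl_values}")
    if cl_values and any("chunked" in v.lower() for v in te_values):
        findings.append("Content-Length sent together with Transfer-Encoding: chunked")
    for v in cl_values:
        if not v.isdigit():
            findings.append(f"non-numeric Content-Length value {v!r}")
        elif int(v) > 2**63 - 1:
            # A value beyond the signed 64-bit range is what a parser that
            # stores the length in a long would silently truncate or wrap.
            findings.append(f"Content-Length {v} exceeds the signed 64-bit range")
    return findings


if __name__ == "__main__":
    samples = [("clean", CLEAN_REQUEST), ("cl+te", CL_TE_REQUEST),
               ("double-cl", DOUBLE_CL_REQUEST), ("huge-cl", HUGE_CL_REQUEST)]
    for label, req in samples:
        print(label, framing_findings(req) or "ok")
```

The check deliberately treats duplicate Content-Length headers with identical values as a finding too: the page's smuggling description depends on the front end and the back end choosing different lengths, and the safest policy at a proxy is to refuse any request with more than one framing indicator rather than to guess which one the device behind it will honour.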

See also :

http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004834
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004836
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004837
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004854
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004860
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004861
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004867
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004869
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004835

Solution :

Upgrade to IBM Storwize version 1.4.3.4 / 1.5.0.2 or later.
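The affected-version logic above (1.3.x prior to 1.4.3.4, 1.5.x prior to 1.5.0.2) is easy to get wrong with a string comparison, because "1.4.3.10" sorts before "1.4.3.4" lexically. The following Python is an added example, not code from the Tenable plugin or from IBM, that encodes the two ranges as integer tuples and maps a reported code level to the fixed level it should be upgraded to. It assumes the code level is reported as a dotted integer string, optionally followed by build information such as "1.4.3.2 (build ...)"; that trailing-build format and the sample levels are constructed for the example.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges exactly as the advisory states them. Each entry is
# (first affected level inclusive, fixed level exclusive, fixed level text).
AFFECTED_RANGES = (
    ((1, 3, 0, 0), (1, 4, 3, 4), "1.4.3.4"),
    ((1, 5, 0, 0), (1, 5, 0, 2), "1.5.0.2"),
)

# Assumption (not from the advisory): the level is a dotted integer string
# with up to four components, possibly followed by build details.
_LEVEL_RE = re.compile(r"^\s*(\d+(?:\.\d+){0,3})")


def parse_level(text: str) -> Optional[Version]:
    """Parse a code level into a 4-tuple, padding missing components with 0.

    Returns None for anything unparseable so the caller can treat it as
    'unknown' instead of silently as 'not affected'."""
    m = _LEVEL_RE.match(text)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def fix_for(text: str) -> Optional[str]:
    """Return the fixed level to upgrade to, or None if the reported level
    is outside both affected ranges.

    Raises ValueError on an unparseable level: an unknown version must
    never be reported as safe."""
    level = parse_level(text)
    if level is None:
        raise ValueError(f"unrecognised code level: {text!r}")
    for low, fixed, fixed_text in AFFECTED_RANGES:
        # Tuple comparison is component-wise, so 1.4.3.10 correctly sorts
        # after the 1.4.3.4 fix while 1.4.3.3 sorts before it.
        if low <= level < fixed:
            return fixed_text
    return None


def is_affected(text: str) -> bool:
    """Convenience wrapper: True when the level falls in an affected range."""
    return fix_for(text) is not None


if __name__ == "__main__":
    for sample in ("1.3.0.0", "1.4.3.3", "1.4.3.4", "1.4.3.10",
                   "1.5.0.1", "1.5.0.2", "1.4.3.2 (build 76.4.1307140000)"):
        print(sample, "->", fix_for(sample) or "not in affected range")
```

Note that a level such as 1.2.x falls outside both ranges and is reported as not affected by this advisory, which is not the same as being safe; the plugin only claims coverage of the ranges it names.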

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.7
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true