CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score Confidence: Low
EPSS Percentile: 56.5%
The updates indicated below have been released to address the following vulnerabilities: CVE-2023-46169 (Arbitrary file deletion), CVE-2023-46171 (view sensitive log information), CVE-2023-46172 (Bypass authentication restrictions for authorized user), CVE-2023-46170 (Arbitrary file read), CVE-2023-40743 (Apache Axis).
Note 1: CVE-2023-46169, CVE-2023-46170, CVE-2023-46171, and CVE-2023-46172 only affect HMC log files that do not contain any customer data. DS8900HMC does not contain any files with customer data. External users cannot access customer data.
Note 2: CVE-2023-40743 only affects those DS8900F HMCs that use LDAP authentication via CSM as an LDAP Proxy.
CVEID: CVE-2023-46171
**DESCRIPTION:** IBM DS8900F HMC could allow an authenticated user to view sensitive log information after enumerating filenames.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/269408 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2023-46170
**DESCRIPTION:** IBM DS8900F HMC could allow an authenticated user to arbitrarily read files after enumerating file names.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/269407 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2023-46172
**DESCRIPTION:** IBM DS8900F HMC could allow a remote attacker to bypass authentication restrictions for authorized user.
CVSS Base score: 5.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/269409 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2023-46169
**DESCRIPTION:** IBM DS8900F HMC could allow an authenticated user to arbitrarily delete a file.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/269406 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2023-40743
**DESCRIPTION:** Apache Axis could allow a remote attacker to execute arbitrary code on the system, caused by improper input validation by the ServiceFactory.getService function. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code, cause a denial of service or perform SSRF attacks.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/265157 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

All versions of microcode for the DS8900F prior to and including the following version(s) are affected.
**Note 1:** CVE-2023-46169, CVE-2023-46170, CVE-2023-46171, and CVE-2023-46172 only affect HMC log files that do not contain any customer data. DS8900HMC does not contain any files with customer data. External users cannot access customer data.
**Note 2:** CVE-2023-40743 only affects those DS8900F HMCs that use LDAP authentication via CSM as an LDAP Proxy.
Affected Product(s) | Version(s) |
---|---|
R9.2 | 89.22.19.0 |
R9.3 | 89.30.68.0, 89.32.40.0, 89.33.48.0 |
DS8900F fixes are delivered in Microcode Bundle 89.40.89.0 R9.4 GA2
DS8900F fixes for CVE-2023-40743 are delivered in:
DS8900F customers should either schedule Remote Code Load (RCL) via <https://www.ibm.com/support/pages/ibm-remote-code-load> or contact IBM support, and request that 89.40.89.0, or 89.33.51.0, or ICS CVE_NI_AXIS_v1.0.iso be applied to their systems.
NOTE: For the current recommended code releases, please see <https://www.ibm.com/support/pages/ds8000-code-recommendation>
None