Security Bulletin: Vulnerabilities have been identified with the DS8900F Hardware Management Console (HMC)

Summary

The updates indicated below have been released to address the following vulnerabilities: CVE-2023-46169 (Arbitrary file deletion), CVE-2023-46171 (view sensitive log information), CVE-2023-46172 (Bypass authentication restrictions for authorized user), CVE-2023-46170 (Arbitrary file read) , CVE-2023-40743 (Apache Axis). Note 1: CVEs 2023-46169, 2023-461670, 2023-461671, and 2023-461672 only affect HMC log files that do not contain any customer data. DS8900HMC does not contain any files with customer data. External users cannot access customer data. Note 2: CVE-2023-40743 only affects those DS8900F HMCs that uses LDAP authentication via CSM as an LDAP Proxy.

Vulnerability Details

CVEID:CVE-2023-46171
**DESCRIPTION:**IBM DS8900F HMC could allow an authenticated user to view sensitive log information after enumerating filenames.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/269408 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2023-46170
**DESCRIPTION:**IBM DS8900F HMC could allow an authenticated user to arbitrarily read files after enumerating file names.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/269407 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2023-46172
**DESCRIPTION:**IBM DS8900F HMC could allow a remote attacker to bypass authentication restrictions for authorized user.
CVSS Base score: 5.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/269409 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2023-46169
**DESCRIPTION:**IBM DS8900F HMC could allow an authenticated user to arbitrarily delete a file.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/269406 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2023-40743
**DESCRIPTION:**Apache Axis could allow a remote attacker to execute arbitrary code on the system, caused by improper input validation by the ServiceFactory.getService function. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code, cause a denial of service or perform SSRF attacks.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/265157 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

All versions of microcode for the DS8900F prior to and including the following version(s) are affected.

**Note 1:**CVEs 2023-46169, 2023-461670, 2023-461671, and 2023-461672 only affect HMC log files that do not contain any customer data. DS8900HMC does not contain any files with customer data. External users cannot access customer data.

Note 2: CVE-2023-40743 only affects those DS8900F HMCs that uses LDAP authentication via CSM as an LDAP Proxy.

89.30.68.0

89.32.40.0

89.33.48.0

Remediation/Fixes

DS8900F fixes are delivered in Microcode Bundle 89.40.89.0 R9.4 GA2

DS8900F fixes for CVE-2023-40743are delivered in:

• Microcode Bundle 89.33.51.0 R9.3 Service Pack 3.5
• ICS CVE_NI_AXIS_v1.0.iso. This ICS is applicable from Microcode Bundle 89.32.37.0 R9.3 Service Pack 2 to Microcode Bundle 89.33.48.0 R9.3 Service Pack 3.4

DS8900F customers should either schedule Remote Code Load (RCL) via <https://www.ibm.com/support/pages/ibm-remote-code-load&gt; or contact IBM support, and request that 89.40.89.0, or 89.33.51.0, or ICS CVE_NI_AXIS_v1.0.iso be applied to their systems.
NOTE : For the current recommended code releases, please see <https://www.ibm.com/support/pages/ds8000-code-recommendation&gt;

Workarounds and Mitigations

None