A fix is available for the IBM Storwize V7000 Unified security issue in which the password provided when executing chkauth is recorded in the audit log
CVEID:
CVE-2014-3077
DESCRIPTION:
Under some circumstances, user details appear in the system audit log. An attacker could exploit this vulnerability to gain unauthorized access to the system.
CVSS Base Score: 1.7
CVSS Vector: (AV:L/AC:L/Au:S/C:P/I:N/A:N)
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93906 for the current score
IBM Storwize V7000 Unified
The product is affected when running code releases 1.3.0.0 to 1.4.3.3.
A fix for this issue is included in version 1.4.3.4 of IBM Storwize V7000 Unified. Customers running an affected version of V7000 Unified should upgrade to 1.4.3.4 or a later version to apply the fix.
Workaround(s):
Avoid using an authentication server that is not protected behind a firewall. This vulnerability can be exploited only by someone who can obtain access to the authentication server.
Mitigation(s): None