Security Bulletin:A vulnerability in the Linux Pluggable Authentication Module (PAM) affects the IBM FlashSystem models 840 and 900 (CVE-2015-3238)

Summary

There is a vulnerability in Linux Pluggable Authentication Module (PAM) to which the IBM® FlashSystem™ 840 and IBM FlashSystem 900 are susceptible. An exploit of this vulnerability could allow a remote attacker to expose sensitive information and/or cause a denial of service.

Vulnerability Details

CVEID: CVE-2015-3238 DESCRIPTION: Linux-PAM could allow a local attacker to obtain sensitive information, caused by an error in the _unix_run_helper_binary function in the pam_unix module. An attacker could exploit this vulnerability using an overly large password to enumerate usernames and cause the system to hang.
CVSS Base Score: 5.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/106368 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

Affected Products and Versions

FlashSystem 840 including machine type and models (MTMs) for all available code levels. MTMs affected include 9840-AE1 and 9843-AE1.

FlashSystem 900 including machine type and models (MTMs) for all available code levels. MTMs affected include 9840-AE2 and 9843-AE2

Remediation/Fixes

MTMs

| VRMF| APAR| Remediation/First Fix
—|—|—|—
FlashSystem****840 MTM:
9840-AE1 &
9843-AE1

FlashSystem 900 MTMs:
9840-AE2 &
9843-AE2| _Code fixes are now available, the minimum VRMF containing the fix depends on the code stream:

_Fixed code VRMF .
1.4 stream: 1.4.0.10 (or later)
1.3 stream: 1.3.0.5 (or later)
1.2 stream: 1.2.1.9 (or later)| _ _N/A| No workarounds or mitigations, other than applying this code fix, are known for this vulnerability

** **FlashSystem 840 fixes****and FlashSystem 900 fixes****are available @ IBM’s Fix Central

Workarounds and Mitigations

None