Multiple vulnerabilities in IBM FlashSystem models 840 and 900
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 5 |
| CVE-ID | CVE-2016-3092 CVE-2016-5385 CVE-2016-5387 CVE-2016-5388 CVE-2016-5386 |
| CWE-ID | CWE-400 CWE-79 CWE-284 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #3 is available. |
| Vulnerable software Subscribe |
FlashSystem 840 9840-AE1 & 9843-AE1 Other software / Other software solutions FlashSystem 900 9840-AE2 and 9843-AE2 Hardware solutions / Firmware |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
1) Resource exhaustion
EUVDB-ID: #VU197
Risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-3092
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause denial of service conditions on the target system.
The vulnerability exists due to input validation error when processing very long boundary strings within the MultipartStream class in Apache Commons Fileupload. A remote user can cause denial of service conditions by sending specially crafted boundary string and consume excessive CPU resources.
Successful exploitation of this vulnerability may result in denial of service attack.
Install update from vendor's website.
Vulnerable software versionsFlashSystem 840 9840-AE1 & 9843-AE1: All versions
FlashSystem 900 9840-AE2 and 9843-AE2: All versions
External linkshttp://www.ibm.com/support/pages/node/696993
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Environment variable injection in TYPO3
EUVDB-ID: #VU194
Risk: High
CVSSv3.1: 7.4 [AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-5385
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to redirect an application's outbound HTTP traffic.
The vulnerability exists in TYPO3 CMS. A remote attacker can redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request.
Successful exploitation of this vulnerability may result in XSS attack and data injection.
Install update from vendor's website.
Vulnerable software versionsFlashSystem 840 9840-AE1 & 9843-AE1: All versions
FlashSystem 900 9840-AE2 and 9843-AE2: All versions
External linkshttp://www.ibm.com/support/pages/node/696993
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Httpoxy issue
EUVDB-ID: #VU337
Risk: Medium
CVSSv3.1: 7.3 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2016-5387
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information and compromise vulnerable server.
The vulnerability exists due to a design error in multiple implementations of web servers. A remote unauthenticated attacker can use a specially crafted Proxy header in HTTP request to influence HTTP_PROXY environment variable and redirect application’s HTTP traffic to arbitrary proxy server.
Successful exploitation of this vulnerability may allow an attacker to gain unauthorized access to sensitive information and compromise vulnerable server.
This vulnerability is known as httppoxy.
MitigationInstall update from vendor's website.
Vulnerable software versionsFlashSystem 840 9840-AE1 & 9843-AE1: All versions
FlashSystem 900 9840-AE2 and 9843-AE2: All versions
External linkshttp://www.ibm.com/support/pages/node/696993
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
4) Improper access control
EUVDB-ID: #VU64586
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-5388
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable. A remote attacker can redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
MitigationInstall update from vendor's website.
Vulnerable software versionsFlashSystem 840 9840-AE1 & 9843-AE1: All versions
FlashSystem 900 9840-AE2 and 9843-AE2: All versions
External linkshttp://www.ibm.com/support/pages/node/696993
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Improper access control
EUVDB-ID: #VU33632
Risk: High
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-5386
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
MitigationInstall update from vendor's website.
Vulnerable software versionsFlashSystem 840 9840-AE1 & 9843-AE1: All versions
FlashSystem 900 9840-AE2 and 9843-AE2: All versions
External linkshttp://www.ibm.com/support/pages/node/696993
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
