Information disclosure in SAN Volume Controller, Storwize family and FlashSystem V9000 products
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2017-5647 |
| CWE-ID | CWE-200 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
IBM SAN Volume Controller Hardware solutions / Other hardware appliances IBM Storwize V3500 Hardware solutions / Other hardware appliances IBM Storwize V3700 Hardware solutions / Other hardware appliances IBM Storwize V5000 Hardware solutions / Other hardware appliances IBM Storwize V7000 Hardware solutions / Other hardware appliances IBM FlashSystem V9000 Hardware solutions / Other hardware appliances |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Information disclosure
EUVDB-ID: #VU6674
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5647
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists in the handling of the pipelined requests when send file was used resulted in the pipelined request being lost when send file processing of the previous request completed. A remote attacker can cause responses to appear to be sent for the wrong request.
Install update from vendor's website.
Vulnerable software versionsIBM SAN Volume Controller: before 8.1.0.2
IBM Storwize V3500: before 8.1.0.2
IBM Storwize V3700: before 8.1.0.2
IBM Storwize V5000: before 8.1.0.2
IBM Storwize V7000: before 8.1.0.2
IBM FlashSystem V9000: before 8.1.0.2
External linkshttp://www.ibm.com/support/pages/node/698485
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
