Security restrictions bypass in Sun ZFS Storage Appliance Kit

#VU11917 Security restrictions bypass in Sun ZFS Storage Appliance Kit

Published: 2018-04-18

Vulnerability identifier: #VU11917

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2863

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Sun ZFS Storage Appliance Kit
Server applications / Application servers

Vendor: Oracle

Description
The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in the Sun ZFS Storage Appliance Kit (AK) API frameworks component due to improper security restrictions. A remote attacker can partially access data.

Mitigation
Update to version 8.7.17.

Vulnerable software versions

Sun ZFS Storage Appliance Kit: 8.7.13

External links
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Oracle Sun Systems Products