Rewterz Threat Advisory – Multiple IBM Flash System And Standards Processing Engine Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2021-29873 

IBM Flash System 900 could allow an authenticated attacker to obtain sensitive information and cause a denial of service due to a restricted shell escape vulnerability.

CVE-2021-29883 

IBM Standards Processing Engine (IBM Transformation Extender Advanced 9.0 and 10.0) does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.

Impact

• Privilege Escalation
• Information Disclosure

Affected Vendors

IBM

Affected Products

• IBM SAN Volume Controller 7.8
• IBM Storwize V5000 7.8
• IBM Storwize V3700 7.8
• IBM Storwize V3500 7.8
• IBM FlashSystem V9000 7.8
• IBM Spectrum Virtualize Software 7.8
• IBM Spectrum Virtualize for Public Cloud 7.8
• IBM SAN Volume Controller 8.4
• IBM Storwize V7000 8.4
• IBM Storwize V5000 8.4
• IBM Storwize V5100 8.4
• IBM FlashSystem V9000 8.4
• IBM FlashSystem 9100 Family 8.4
• IBM Spectrum Virtualize Software 8.4
• IBM Spectrum Virtualize for Public Cloud 8.4
• IBM Storwize V7000 7.8
• IBM Storwize V5100 7.8
• IBM Storwize V3700 8.4
• IBM Storwize V3500 8.4
• IBM FlashSystem 9100 Family 7.8
• IBM FlashSystem 900 1.6.1.4
• IBM FlashSystem 900 1.5.2.10
• BM Transformation Extender Advanced 9.0
• IBM Transformation Extender Advanced 10.0

Remediation

Refer to IBM Security for patch, upgrade, or suggested workaround information.

CVE-2021-29873

CVE-2021-29883