Security Bulletin: IBM System Storage DS Storage Manager Profiler SQL Injection and Cross-Site Scripting Vulnerabilities (CVE-2012-2171, CVE-2012-2172)
IBM PSIRT 270004PFE3 firstname.lastname@example.org | | Tags:  psirtmedium psirtstorage
0 Comments | 7,408 Visits
IBM Support cross-reference - RETAIN tip: H206045
The IBM System Storage DS Storage Manager Profiler is vulnerable to multiple SQL injection and cross-site scripting vulnerabilities
CVE ID: CVE-2012-2171
DESCRIPTION:The IBM System Storage Manager Profiler, as used in the IBM System Storage DS Series, is vulnerable to SQL injection. Among other things, a remote attacker with access to the Storage Manager Profiler could exploit this vulnerability to inject and execute SQL code.
CVSS Base Score: 6.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/75236 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)
The IBM System Storage Manager Profiler, as used in the IBM System Storage DS Series, is susceptible to multiple cross-site scripting vulnerabilities. Among other things, a remote attacker could exploit these vulnerabilities to execute arbitrary script in a user’s browser session.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/75239 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
AFFECTED PLATFORMS:DS4100 (FAStT100) Dual-Controller Storage Server, Type 1724, any model
DS4200 Storage Server, Type 1814, any model
DS4300 (FAStT600) Dual Controller and Turbo Storage Server, Type 1722, any model
DS4400 (FAStT700) Storage Server, Type 1742, any model
DS4500 (FAStT900) Storage Server, Type 1742, any model
DS4700 Storage Server, Type 1814, any model
DS4800 Storage Server, Type 1815, any model
IBM System Storage DCS3700 Storage Subsystem, Type 1818,model 80C
IBM System Storage DS3200, Type 1726, any model
IBM System Storage DS3300, Type 1726, any model
IBM System Storage DS3400, Type 1726, any model
IBM System Storage DS3512, Type 1746, any model
IBM System Storage DS3524, Type 1746, any model
IBM System Storage DS3950 Express, Type 1814, any model
IBM System Storage DS5020 Disk Controller (1814-20A), any model
IBM System Storage DS5100 Storage Controller, Type 1818, any model
IBM System Storage DS5300 Storage Controller, Type 1818, any model
The recommended solution is to apply the fix. The fix remediates this vulnerability by removing the Storage Manager Profiler from the IBM System Storage DS Storage Manager.
Fix:The IBM Storage Manager Profiler is no longer part of the IBM
System Storage DS Storage Manager installation package in
versions 10.83.xx.18 and newer. IBM recommends that users
upgrade their DS Storage Managers to the latest version.
These updates are available by selecting the appropriate
Product Group, Product name, Product machine type, and
Operating system on IBM Support's Fix Central web page, at
the following URL:
IBM highly recommends that users upgrade all of their DS
Storage Managers to the latest version.
Workaround:Since the IBM Storage Manager Profiler is separately installed
software, it can be uninstalled while leaving your version
10.60.xx.xx to 10.77.xx.xx IBM DS Storage Manager installed
and working properly.
Mitigation:None known, apply fixes.
Complete CVSS Guide
On-line Calculator V2
X-Force Vulnerability Database - SQL Injection
X-Force Vulnerability Database - Cross-site scripting
Zero Science Labs Advisory ZSL-2012-5094
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
This vulnerability was reported to IBM by Gjoko Krstic of Zero Science Lab.
6/20/2012: Original copy published.
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.