SB2023022028 - Multiple vulnerabilities in IBM FlashSystem models 840 and 900 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023022028

SB2023022028 - Multiple vulnerabilities in IBM FlashSystem models 840 and 900

Published: February 20, 2023

Security Bulletin ID SB2023022028
Severity
Medium
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 20% Low 80%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Modification of information (CVE-ID: CVE-2016-5546)

The vulnerability allows a remote unauthenticated attacker to modify information.

The weakness exists due to unknown error in Oracle Java SE Java SE Embedded and Jrockit related to the Libraries component. A remote attacker can modify arbitrary data on the system.

2) Denial of service (CVE-ID: CVE-2016-5547)

The vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.

The weakness exists due to unknown error in Oracle Java SE Java SE Embedded and Jrockit related to the Libraries component. A remote attacker can cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

3) Information disclosure (CVE-ID: CVE-2016-5548)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information.

The weakness exists due to unknown error in Oracle Java SE and Java SE Embedded related to the Libraries component. A remote attacker can trick the victim into visiting a specially crafted webpage and read important files on the target system.

Successful exploitation of the vulnerability results in information disclosure.

4) Information disclosure (CVE-ID: CVE-2016-5549)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information.

The weakness exists due to unknown error in Oracle Java SE and Java SE Embedded related to the Libraries component. A remote attacker can trick the victim into visiting a specially crafted webpage and read important files on the target system.

Successful exploitation of the vulnerability results in information disclosure.

5) Information disclosure (CVE-ID: CVE-2016-2183)

The vulnerability allows a remote attacker to decrypt transmitted data.

The vulnerability exists due to remote user's ability to control the network and capture long duration 3DES CBC mode encrypted session during which he can see a part of the text. In case of repeated sending the attacker can read the part and reconstruct the whole text.

Successful exploitation of this vulnerability may allow a remote attacker to decode transmitted data. This vulnerability is known as SWEET32.


Remediation

Install update from vendor's website.

References