Severity
Medium
Analysis Summary
CVE-2021-29873
IBM Flash System 900 could allow an authenticated attacker to obtain sensitive information and cause a denial of service due to a restricted shell escape vulnerability.
CVE-2021-29883
IBM Standards Processing Engine (IBM Transformation Extender Advanced 9.0 and 10.0) does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
Impact
- Privilege Escalation
- Information Disclosure
Affected Vendors
IBM
Affected Products
- IBM SAN Volume Controller 7.8
- IBM Storwize V5000 7.8
- IBM Storwize V3700 7.8
- IBM Storwize V3500 7.8
- IBM FlashSystem V9000 7.8
- IBM Spectrum Virtualize Software 7.8
- IBM Spectrum Virtualize for Public Cloud 7.8
- IBM SAN Volume Controller 8.4
- IBM Storwize V7000 8.4
- IBM Storwize V5000 8.4
- IBM Storwize V5100 8.4
- IBM FlashSystem V9000 8.4
- IBM FlashSystem 9100 Family 8.4
- IBM Spectrum Virtualize Software 8.4
- IBM Spectrum Virtualize for Public Cloud 8.4
- IBM Storwize V7000 7.8
- IBM Storwize V5100 7.8
- IBM Storwize V3700 8.4
- IBM Storwize V3500 8.4
- IBM FlashSystem 9100 Family 7.8
- IBM FlashSystem 900 1.6.1.4
- IBM FlashSystem 900 1.5.2.10
- BM Transformation Extender Advanced 9.0
- IBM Transformation Extender Advanced 10.0
Remediation
Refer to IBM Security for patch, upgrade, or suggested workaround information.