Shellshock and IBM SVC and Storwize products

While blogging last week about how various vendors have responded to the Shellshock exploit, I noted that several vendors, notably Oracle and Cisco, were open about products that they did not yet have a fix for. IBM meanwhile appears to be only announcing a vulnerability after they have the fix. In other words, vulnerable customers are left without formal notification that they are exposed, or made aware of any workarounds, until a fix is actually available. I am left slightly annoyed by this policy.

The formal notification for the Storwize family and IBM SVC family came out here on October 11, 2014. At the time of writing, these are the fix levels:

Remediation/Fixes
IBM recommends that you fix this vulnerability by upgrading affected versions of IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500 to the following code levels or higher:

7.1.0.11
7.2.0.9
7.3.0.7

More importantly it contains this critical piece of information:

Vulnerability Details

The following vulnerabilities are only exploitable by users who already have authenticated access to the system.

In other words, the best way to manage exposure is to limit the number of users who have CLI access and to use network restrictions (such as ACLs and firewalls) to restrict network access to your devices.

So kudos to IBM for creating fixed versions; I just wish that acknowledgement and remediation advice could have been published earlier.
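To check a fleet against the fix levels quoted above, the following added example (not from IBM or the original post) classifies each reported code level by release stream. The system names, the sample inventory and the optional "(build ...)" suffix format are assumptions; streams the bulletin excerpt does not list are reported as unknown rather than guessed.

```python
import re

# Minimum fixed level per release stream, taken from the fix list in the post.
FIX_LEVELS = {(7, 1, 0): 11, (7, 2, 0): 9, (7, 3, 0): 7}

# Assumed input shape: four dotted numbers, optionally followed by a build
# suffix such as "(build 00.0.0000000000)".
LEVEL_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)(?:\s+\(build [^)]*\))?\s*$")

def parse_level(text):
    m = LEVEL_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised code level: {text!r}")
    return tuple(int(p) for p in m.groups())

def classify(text):
    """Return 'fixed', 'upgrade' or 'unknown' for one reported code level."""
    *stream, ptf = parse_level(text)
    minimum = FIX_LEVELS.get(tuple(stream))
    if minimum is None:
        return "unknown"  # stream not named in the post: check the bulletin
    # Integer comparison, so 7.3.0.10 correctly ranks above 7.3.0.7.
    return "fixed" if ptf >= minimum else "upgrade"

def audit(inventory):
    """Map each system name to (status, upgrade target or None)."""
    report = {}
    for name, level in inventory.items():
        try:
            stream, status = parse_level(level)[:3], classify(level)
        except ValueError:
            report[name] = ("unparseable", None)
            continue
        fix = FIX_LEVELS.get(stream)
        target = ".".join(map(str, stream + (fix,))) if status == "upgrade" else None
        report[name] = (status, target)
    return report

# Constructed inventory: names, levels and build strings are made up.
SAMPLE = {
    "svc-prod-01": "7.1.0.11",
    "v7000-dr": "7.2.0.8 (build 00.0.0000000000)",
    "v3500-x": "7.3.0.10",
    "v5000-old": "6.4.1.9",
    "broken": "7.3",
}

if __name__ == "__main__":
    for name, (status, target) in audit(SAMPLE).items():
        print(f"{name:12} {status:12} {target or ''}")
```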

 


About Anthony Vandewerdt

I am an IT Professional who lives and works in Melbourne Australia. This blog is totally my own work. It does not represent the views of any corporation. Constructive and useful comments are very very welcome.

2 Responses to Shellshock and IBM SVC and Storwize products

  1. Rob says:

    Well, IBM rarely releases a Flash unless it’s accompanied by a fix or some kind of remediation. It always annoyed my customers no end.

  2. Ram says:

    Thanks for sharing this information. It’s really helpful to everyone. Keep posting.
