Lenovo XClarity Controller (XCC) Vulnerabilities
Lenovo Security Advisory: LEN-99936
Potential Impact: Elevation of Privileges, Denial of Service
Severity: High
Scope of Impact: Lenovo-specific
CVE Identifier: CVE-2023-0683, CVE-2023-25492, CVE-2023-25495
Summary Description:
An internal product security audit of Lenovo XClarity Controller (XCC) discovered the following vulnerabilities:
CVE-2023-0683: A valid, authenticated user with read only access may gain elevated privileges through a specifically crafted API call.
CVE-2023-25492: A valid, authenticated user may be able to trigger a denial of service of the XCC web user interface or other undefined behavior through a format string injection vulnerability in a web interface API. Rebooting XCC will recover from the denial of service.
CVE-2023-25495: A valid, authenticated administrative user can query a web interface API to reveal the configured LDAP client password used by XCC to authenticate to an external LDAP server in certain configurations. There is no exposure where no LDAP client password is configured.
Mitigation Strategy for Customers (what you should do to protect yourself):
Update to the Lenovo XClarity Controller (XCC) version (or higher) as recommended in the Product Impact section below.
Follow general security best practices, such as limiting access to only trusted users within the network.
To download the version specified for your product below, follow these steps:
- Navigate to the Drivers & Software support site for your product:
  - Lenovo Products (sold worldwide, except in China): https://support.lenovo.com/
  - Lenovo Products (sold in China): https://newsupport.lenovo.com.cn/
  - IBM-branded System x Legacy Products: https://www.ibm.com/support/fixcentral/
- Search for your product by name or machine type.
- Click Drivers & Software on the left menu panel.
- Click on Manual Update to browse by Component type.
- Compare the minimum fix version for your product from the applicable product table below with the latest version posted on the support site.
Lenovo also offers tools to assist with update management as an alternative to the manual steps described above. Refer to the following for additional help:
PC Products and Software: https://support.lenovo.com/us/en/solutions/ht504759
Server and Enterprise Software: https://support.lenovo.com/us/en/solutions/lnvo-lxcaupd and https://datacentersupport.lenovo.com/us/en/documents/lnvo-center
Revision History:
Revision | Date | Description |
---|---|---|
1 | 2023-03-14 | Initial release |
For a complete list of all Lenovo Product Security Advisories, click here.
For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.
Product Impact:
Product | Component | Minimum Fixed Version |
---|---|---|
HX5530 Appliance (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.24 AFBT24X |
HX7530 Appliance (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.24 AFBT24X |
VX3331 Certified Node (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.24 AFBT24X |
HX Enclosure Certified Node (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 5.43 TEI3D2S |
HX1021 Edge Certified Node 3yr (ThinkAgile) | Lenovo XClarity Controller (XCC) (For AnyOS) | 3.71 TEI388Q |
HX1320 Appliance (ThinkAgile) | Lenovo XClarity Controller (XCC) for SR530,SR550,SR570,SR590,SR630,SR650,ST550,ST558,HX Series,VX Series | Version 8.82 CDI3A2U |
HX1321 Certified Node (ThinkAgile) | Lenovo XClarity Controller (XCC) for SR530,SR550,SR570,SR590,SR630,SR650,ST550,ST558,HX Series,VX Series | Version 8.82 CDI3A2U |
HX1331 Certified Node (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.24 AFBT24X |
HX1520-R Appliance (ThinkAgile) | Lenovo XClarity Controller (XCC) for SR530,SR550,SR570,SR590,SR630,SR650,ST550,ST558,HX Series,VX Series | Version 8.82 CDI3A2U |
HX1521-R Certified Node (ThinkAgile) | Lenovo XClarity Controller (XCC) for SR530,SR550,SR570,SR590,SR630,SR650,ST550,ST558,HX Series,VX Series | Version 8.82 CDI3A2U |
HX2320-E Appliance (ThinkAgile) | Lenovo XClarity Controller (XCC) for SR530,SR550,SR570,SR590,SR630,SR650,ST550,ST558,HX Series,VX Series | Version 8.82 CDI3A2U |
HX2321 Certified Node (ThinkAgile) | Lenovo XClarity Controller (XCC) for SR530,SR550,SR570,SR590,SR630,SR650,ST550,ST558,HX Series,VX Series | Version 8.82 CDI3A2U |
HX2330 Appliance (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.24 AFBT24X |
HX2331 Certified Node (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.24 AFBT24X |
HX2720-E Appliance (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 5.43 TEI3D2S |
HX3320 Appliance (ThinkAgile) | Lenovo XClarity Controller (XCC) for SR530,SR550,SR570,SR590,SR630,SR650,ST550,ST558,HX Series,VX Series | Version 8.82 CDI3A2U |
HX3321 Certified Node (ThinkAgile) | Lenovo XClarity Controller (XCC) for SR530,SR550,SR570,SR590,SR630,SR650,ST550,ST558,HX Series,VX Series | Version 8.82 CDI3A2U |
HX3330 Appliance (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.24 AFBT24X |
HX3331 Certified Node (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.24 AFBT24X |
HX3331 Node SAP HANA (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.24 AFBT24X |
HX3375 Appliance (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 4.42 D8BT44R |
HX3376 Certified Node (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 4.42 D8BT44R |
HX3520-G Appliance (ThinkAgile) | Lenovo XClarity Controller (XCC) for SR530,SR550,SR570,SR590,SR630,SR650,ST550,ST558,HX Series,VX Series | Version 8.82 CDI3A2U |
HX3521-G Certified Node (ThinkAgile) | Lenovo XClarity Controller (XCC) for SR530,SR550,SR570,SR590,SR630,SR650,ST550,ST558,HX Series,VX Series | Version 8.82 CDI3A2U |
HX3720 Appliance (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 5.43 TEI3D2S |
HX3721 Certified Node (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 5.43 TEI3D2S |
HX5520 Appliance (ThinkAgile) | Lenovo XClarity Controller (XCC) for SR530,SR550,SR570,SR590,SR630,SR650,ST550,ST558,HX Series,VX Series | Version 8.82 CDI3A2U |
HX5520-C Appliance (ThinkAgile) | Lenovo XClarity Controller (XCC) for SR530,SR550,SR570,SR590,SR630,SR650,ST550,ST558,HX Series,VX Series | Version 8.82 CDI3A2U |
HX5521 Certified Node (ThinkAgile) | Lenovo XClarity Controller (XCC) for SR530,SR550,SR570,SR590,SR630,SR650,ST550,ST558,HX Series,VX Series | Version 8.82 CDI3A2U |
HX5521-C Certified Node (ThinkAgile) | Lenovo XClarity Controller (XCC) for SR530,SR550,SR570,SR590,SR630,SR650,ST550,ST558,HX Series,VX Series | Version 8.82 CDI3A2U |
HX5531 Certified Node (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.24 AFBT24X |
HX7520 Appliance (ThinkAgile) | Lenovo XClarity Controller (XCC) for SR530,SR550,SR570,SR590,SR630,SR650,ST550,ST558,HX Series,VX Series | Version 8.82 CDI3A2U |
HX7521 Certified Node (ThinkAgile) | Lenovo XClarity Controller (XCC) for SR530,SR550,SR570,SR590,SR630,SR650,ST550,ST558,HX Series,VX Series | Version 8.82 CDI3A2U |
HX7530 Appl for SAP HANA (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.24 AFBT24X |
HX7531 Certified Node (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.24 AFBT24X |
HX7531 Node SAP HANA (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.24 AFBT24X |
HX7820 Appliance (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.51 PSI348Q |
HX7821 Certified Node (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.51 PSI348Q |
MX Edge Appliance - MX1020 (ThinkAgile) | Lenovo XClarity Controller (XCC) (For AnyOS) | 3.71 TEI388Q |
MX3330-F All-flash Appliance (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.24 AFBT24X |
MX3330-H Hybrid Appliance (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.24 AFBT24X |
MX3331-F All-flash Certified node (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.24 AFBT24X |
MX3331-H Hybrid Certified node (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.24 AFBT24X |
MX3530 F All flash Appliance (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.24 AFBT24X |
MX3530-H Hybrid Appliance (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.24 AFBT24X |
MX3531 H Hybrid Certified node (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.24 AFBT24X |
MX3531-F All-flash Certified node (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.24 AFBT24X |
ThinkAgile MX1021 on SE350 | Lenovo XClarity Controller (XCC) (For AnyOS) | 3.71 TEI388Q |
ThinkAgile MX1021 on SE350 | Lenovo XClarity Controller (XCC) for ThinkSystem SE350 (For AnyOS) | 3.71 TEI388Q |
VX 1SE Certified Node (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 5.43 TEI3D2S |
VX 2U4N Certified Node (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 5.43 TEI3D2S |
VX 4U Certified Node (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.51 PSI348Q |
VX1320 (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 5.43 TEI3D2S |
VX2320 (ThinkAgile) | Lenovo XClarity Controller (XCC) for SR530,SR550,SR570,SR590,SR630,SR650,ST550,ST558,HX Series,VX Series | Version 8.82 CDI3A2U |
VX2330 Appliance (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.24 AFBT24X |
VX3320 (ThinkAgile) | Lenovo XClarity Controller (XCC) for SR530,SR550,SR570,SR590,SR630,SR650,ST550,ST558,HX Series,VX Series | Version 8.82 CDI3A2U |
VX3330 Appliance (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.24 AFBT24X |
VX3520-G (ThinkAgile) | Lenovo XClarity Controller (XCC) for SR530,SR550,SR570,SR590,SR630,SR650,ST550,ST558,HX Series,VX Series | Version 8.82 CDI3A2U |
VX3530-G Appliance (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.24 AFBT24X |
VX3720 (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 5.43 TEI3D2S |
VX5520 (ThinkAgile) | Lenovo XClarity Controller (XCC) for SR530,SR550,SR570,SR590,SR630,SR650,ST550,ST558,HX Series,VX Series | Version 8.82 CDI3A2U |
VX5530 Appliance (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.24 AFBT24X |
VX7320 N (ThinkAgile) | Lenovo XClarity Controller (XCC) for SR530,SR550,SR570,SR590,SR630,SR650,ST550,ST558,HX Series,VX Series | Version 8.82 CDI3A2U |
VX7330 Appliance (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.24 AFBT24X |
VX7520 (ThinkAgile) | Lenovo XClarity Controller (XCC) for SR530,SR550,SR570,SR590,SR630,SR650,ST550,ST558,HX Series,VX Series | Version 8.82 CDI3A2U |
VX7520 N (ThinkAgile) | Lenovo XClarity Controller (XCC) for SR530,SR550,SR570,SR590,SR630,SR650,ST550,ST558,HX Series,VX Series | Version 8.82 CDI3A2U |
VX7530 Appliance (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.24 AFBT24X |
VX7531 Certified Node (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.24 AFBT24X |
VX7820 (ThinkAgile) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.51 PSI348Q |

Product | Component | Minimum Fixed Version |
---|---|---|
P920 Rack Workstation (ThinkStation) | Lenovo XClarity Controller (XCC) for SR530,SR550,SR570,SR590,SR630,SR650,ST550,ST558,HX Series,VX Series | Version 8.82 CDI3A2U |

Product | Component | Minimum Fixed Version |
---|---|---|
SD530 (ThinkSystem) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 5.43 TEI3D2S |
SD630 V2 (ThinkSystem) | Lenovo XClarity Controller (XCC) SD630 V2, SD650 V2, SN550 V2, ST650 V2, SR670 V2, SD650-N V2 (For AnyOS) | 2.30 TGBT38S |
SD650 DWC Dual Node Tray (ThinkSystem) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 5.43 TEI3D2S |
SD650 DWC Dual Node Tray (ThinkSystem) | Lenovo XClarity Controller (XCC) for SD530, SD650, SN550, SN850, SR850, SR860, HX Series, VX3720, VX Series,VX Enclosure | 5.43 TEI3D2S |
SD650 V2 (ThinkSystem) | Lenovo XClarity Controller (XCC) SD630 V2, SD650 V2, SN550 V2, ST650 V2, SR670 V2, SD650-N V2 (For AnyOS) | 2.30 TGBT38S |
SD650-N V2 (ThinkSystem) | Lenovo XClarity Controller (XCC) SD630 V2, SD650 V2, SN550 V2, ST650 V2, SR670 V2, SD650-N V2 (For AnyOS) | 2.30 TGBT38S |
SE350 (ThinkSystem) | Lenovo XClarity Controller (XCC) (For AnyOS) | 3.71 TEI388Q |
SE350 (ThinkSystem) | Lenovo XClarity Controller (XCC) for ThinkSystem SE350 (For AnyOS) | 3.71 TEI388Q |
SN550 (ThinkSystem) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 5.43 TEI3D2S |
SN550 (ThinkSystem) | Lenovo XClarity Controller (XCC) for SD530, SD650, SN550, SN850, SR850, SR860, HX Series, VX3720, VX Series,VX Enclosure | 5.43 TEI3D2S |
SN550 V2 (ThinkSystem) | Lenovo XClarity Controller (XCC) SD630 V2, SD650 V2, SN550 V2, ST650 V2, SR670 V2, SD650-N V2 (For AnyOS) | 2.30 TGBT38S |
SN850 (ThinkSystem) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 5.43 TEI3D2S |
SN850 (ThinkSystem) | Lenovo XClarity Controller (XCC) for SD530, SD650, SN550, SN850, SR850, SR860, HX Series, VX3720, VX Series,VX Enclosure | 5.43 TEI3D2S |
SR150 (ThinkSystem) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 5.43 TEI3D2S |
SR158 (ThinkSystem) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 5.43 TEI3D2S |
SR250 (ThinkSystem) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 5.43 TEI3D2S |
SR250 V2 (ThinkSystem) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 5.43 TEI3D2S |
SR258 (ThinkSystem) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 5.43 TEI3D2S |
SR258 V2 (ThinkSystem) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 5.43 TEI3D2S |
SR530 (ThinkSystem) | Lenovo XClarity Controller (XCC) for SR530,SR550,SR570,SR590,SR630,SR650,ST550,ST558,HX Series,VX Series | Version 8.82 CDI3A2U |
SR550 (ThinkSystem) | Lenovo XClarity Controller (XCC) for SR530,SR550,SR570,SR590,SR630,SR650,ST550,ST558,HX Series,VX Series | Version 8.82 CDI3A2U |
SR570 (ThinkSystem) | Lenovo XClarity Controller (XCC) for SR530,SR550,SR570,SR590,SR630,SR650,ST550,ST558,HX Series,VX Series | Version 8.82 CDI3A2U |
SR590 (ThinkSystem) | Lenovo XClarity Controller (XCC) for SR530,SR550,SR570,SR590,SR630,SR650,ST550,ST558,HX Series,VX Series | Version 8.82 CDI3A2U |
SR630 (ThinkSystem) | Lenovo XClarity Controller (XCC) for SR530,SR550,SR570,SR590,SR630,SR650,ST550,ST558,HX Series,VX Series | Version 8.82 CDI3A2U |
SR630 V2 (ThinkSystem) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.24 AFBT24X |
SR645 (ThinkSystem) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 4.42 D8BT44R |
SR650 (ThinkSystem) | Lenovo XClarity Controller (XCC) for SR530,SR550,SR570,SR590,SR630,SR650,ST550,ST558,HX Series,VX Series | Version 8.82 CDI3A2U |
SR650 V2 (ThinkSystem) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.24 AFBT24X |
SR665 (ThinkSystem) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 4.42 D8BT44R |
SR670 (ThinkSystem) | Lenovo XClarity Controller (XCC) (For AnyOS) | 3.71 TEI388Q |
SR670 V2 (ThinkSystem) | Lenovo XClarity Controller (XCC) SD630 V2, SD650 V2, SN550 V2, ST650 V2, SR670 V2, SD650-N V2 (For AnyOS) | 2.30 TGBT38S |
SR850 (ThinkSystem) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 5.43 TEI3D2S |
SR850 (ThinkSystem) | Lenovo XClarity Controller (XCC) for SD530, SD650, SN550, SN850, SR850, SR860, HX Series, VX3720, VX Series,VX Enclosure | 5.43 TEI3D2S |
SR850 V2 (ThinkSystem) | Lenovo XClarity Controller (XCC) SD630 V2, SD650 V2, SN550 V2, ST650 V2, SR670 V2, SD650-N V2 (For AnyOS) | 2.30 TGBT38S |
SR850 V2 (ThinkSystem) | Lenovo XClarity Controller (XCC) SR860 V2, SR850 V2 (For AnyOS) | 2.20 TGBT38R |
SR850P (ThinkSystem) | Lenovo XClarity Controller (XCC) (For AnyOS) | 3.71 TEI388Q |
SR860 (ThinkSystem) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 5.43 TEI3D2S |
SR860 (ThinkSystem) | Lenovo XClarity Controller (XCC) for SD530, SD650, SN550, SN850, SR850, SR860, HX Series, VX3720, VX Series,VX Enclosure | 5.43 TEI3D2S |
SR860 V2 (ThinkSystem) | Lenovo XClarity Controller (XCC) SD630 V2, SD650 V2, SN550 V2, ST650 V2, SR670 V2, SD650-N V2 (For AnyOS) | 2.30 TGBT38S |
SR860 V2 (ThinkSystem) | Lenovo XClarity Controller (XCC) SR860 V2, SR850 V2 (For AnyOS) | 2.20 TGBT38R |
SR950 (ThinkSystem) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.51 PSI348Q |
ST250 (ThinkSystem) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 5.43 TEI3D2S |
ST250 V2 (ThinkSystem) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 5.43 TEI3D2S |
ST258 (ThinkSystem) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 5.43 TEI3D2S |
ST258 V2 (ThinkSystem) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 5.43 TEI3D2S |
ST550 (ThinkSystem) | Lenovo XClarity Controller (XCC) for SR530,SR550,SR570,SR590,SR630,SR650,ST550,ST558,HX Series,VX Series | Version 8.82 CDI3A2U |
ST650 V2 (ThinkSystem) | Lenovo XClarity Controller (XCC) SD630 V2, SD650 V2, SN550 V2, ST650 V2, SR670 V2, SD650-N V2 (For AnyOS) | 2.30 TGBT38S |
ST658 V2 (ThinkSystem) | Lenovo XClarity Controller (XCC) SD630 V2, SD650 V2, SN550 V2, ST650 V2, SR670 V2, SD650-N V2 (For AnyOS) | 2.30 TGBT38S |
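
The version comparison in the last download step can be scripted across a fleet. The following is an added example, not Lenovo code: it parses rows in the format of the Product Impact tables (four rows copied from them) and checks a constructed inventory. The hostnames, the inventory and the status labels are assumptions, as is comparing versions as numeric major.minor pairs.

```python
import re
from collections import defaultdict

# Rows copied verbatim from the Product Impact tables above (a subset).
ADVISORY_ROWS = """\
SR650 (ThinkSystem) | Lenovo XClarity Controller (XCC) for SR530,SR550,SR570,SR590,SR630,SR650,ST550,ST558,HX Series,VX Series | Version 8.82 CDI3A2U |
SR650 V2 (ThinkSystem) | Lenovo XClarity Controller (XCC) Update (For AnyOS) | 2.24 AFBT24X |
SR850 V2 (ThinkSystem) | Lenovo XClarity Controller (XCC) SD630 V2, SD650 V2, SN550 V2, ST650 V2, SR670 V2, SD650-N V2 (For AnyOS) | 2.30 TGBT38S |
SR850 V2 (ThinkSystem) | Lenovo XClarity Controller (XCC) SR860 V2, SR850 V2 (For AnyOS) | 2.20 TGBT38R |
"""

# Constructed inventory: (hostname, model, installed XCC version). Not real hosts.
INVENTORY = [
    ("bmc-a01", "SR650", "8.82"),
    ("bmc-a02", "SR650", "7.90"),
    ("bmc-b01", "SR650 V2", "2.30"),
    ("bmc-c01", "SR850 V2", "2.25"),
    ("bmc-d01", "SR635", "3.10"),   # model with no row in the table
]

# Matches both "Version 8.82 CDI3A2U" and "2.24 AFBT24X".
VERSION_CELL = re.compile(r"^(?:Version\s+)?(\d+)\.(\d+)\s+(\S+)$")

def parse_rows(text):
    """Map model name -> sorted list of minimum fixed (major, minor) pairs."""
    minimums = defaultdict(set)
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        match = VERSION_CELL.match(cells[2]) if len(cells) >= 3 else None
        if not match:
            continue  # header, separator or blank line
        model = re.sub(r"\s*\([^)]*\)$", "", cells[0])  # drop "(ThinkSystem)"
        minimums[model].add((int(match[1]), int(match[2])))
    return {model: sorted(pairs) for model, pairs in minimums.items()}

def classify(model, installed, minimums):
    """Return 'fixed', 'update', 'review' or 'not-listed' for one controller."""
    floors = minimums.get(model)
    if not floors:
        return "not-listed"
    # Assumption: versions compare as integer (major, minor) pairs.
    have = tuple(int(part) for part in installed.strip().split("."))
    if have >= floors[-1]:
        return "fixed"
    # A model with several component rows has several minimums. Between the
    # lowest and highest the table cannot decide; check the installed build ID.
    return "review" if have >= floors[0] else "update"

def audit(inventory=INVENTORY, rows=ADVISORY_ROWS):
    minimums = parse_rows(rows)
    return {host: classify(model, ver, minimums) for host, model, ver in inventory}

if __name__ == "__main__":
    for host, status in audit().items():
        print(f"{host}\t{status}")
```

A `review` result marks a model such as SR850 V2, which appears in two component rows with different minimum versions.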