Lenovo XClarity Administrator (LXCA) Vulnerabilities
Lenovo Security Advisory: LEN-98715
Potential Impact: Unauthorized Access, Denial of Service, Code Injection
Severity: High
Scope of Impact: Lenovo-specific
CVE Identifier: CVE-2023-3113, CVE-2023-34418, CVE-2023-34420, CVE-2023-34421, CVE-2023-34422
Summary Description:
The following vulnerabilities were discovered during an internal security review:
CVE-2023-3113: An unauthenticated XML external entity injection (XXE) vulnerability exists in LXCA's Common Information Model (CIM) server that could result in read-only access to specific files.
CVE-2023-34418: A valid, authenticated LXCA user may be able to gain unauthorized access to events and other data stored in LXCA due to a SQL injection vulnerability in a specific web API.
CVE-2023-34420: A valid, authenticated LXCA user with elevated privileges may be able to execute command injections through crafted calls to a specific web API.
CVE-2023-34421: A valid, authenticated LXCA user with elevated privileges may be able to replace filesystem data through a specifically crafted web API call due to insufficient input validation.
CVE-2023-34422: A valid, authenticated LXCA user with elevated privileges may be able to delete folders in the LXCA filesystem through a specifically crafted web API call due to insufficient input validation.
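CVE-2023-3113 is the only unauthenticated issue in the list, and its class (XXE in an XML-over-HTTP service) is worth seeing concretely. The following is an added example, not Lenovo code: LXCA's CIM server implementation is not public, so this uses Python's standard-library SAX parser to show the same failure mode on a constructed, simplified CIM-XML-style request (element names loosely follow the CIM-XML conventions; the request shape, the file and the "secret-token-123" contents are all made up here). The one parser feature toggled, `feature_external_ges`, is what decides whether a `<!ENTITY ... SYSTEM "...">` declaration becomes a file read.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class ValueCollector(ContentHandler):
    """Collects the text of every <VALUE> element, the element a CIM-XML
    method call uses to carry parameter values."""

    def __init__(self):
        super().__init__()
        self.values = []
        self._buf = None

    def startElement(self, name, attrs):
        if name == "VALUE":
            self._buf = []

    def characters(self, content):
        if self._buf is not None:
            self._buf.append(content)

    def endElement(self, name):
        if name == "VALUE":
            self.values.append("".join(self._buf))
            self._buf = None


def parse_cim_request(xml_bytes, resolve_external_entities):
    """Parse a CIM-XML request with the stdlib SAX (expat) parser.

    resolve_external_entities=True reproduces the XXE-prone configuration:
    the parser opens the SYSTEM identifier of any declared general entity
    (a local path here) and splices the file contents into the document.
    False is the hardened setting (and the Python 3.7.1+ default): external
    entities are left unresolved and expand to nothing.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = ValueCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.values


def build_xxe_request(target_path):
    """Constructed CIM-XML-style request carrying an XXE payload: the DOCTYPE
    declares an entity backed by a file on the server and references it from
    a <VALUE> element, so the file's contents land in the parsed parameter."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<!DOCTYPE CIM [ <!ENTITY xxe SYSTEM "%s"> ]>\n'
        '<CIM CIMVERSION="2.0" DTDVERSION="2.0">\n'
        ' <MESSAGE ID="1" PROTOCOLVERSION="1.0">\n'
        '  <SIMPLEREQ>\n'
        '   <IMETHODCALL NAME="EnumerateInstances">\n'
        '    <LOCALNAMESPACEPATH><NAMESPACE NAME="root"/>'
        '<NAMESPACE NAME="cimv2"/></LOCALNAMESPACEPATH>\n'
        '    <IPARAMVALUE NAME="ClassName"><VALUE>&xxe;</VALUE></IPARAMVALUE>\n'
        '   </IMETHODCALL>\n'
        '  </SIMPLEREQ>\n'
        ' </MESSAGE>\n'
        '</CIM>\n' % target_path
    ).encode("utf-8")


def demo():
    """Run the same payload through both parser configurations.
    Returns (values_from_vulnerable_parser, values_from_hardened_parser)."""
    # Constructed stand-in for a sensitive file on the appliance.
    with tempfile.NamedTemporaryFile("wb", suffix=".conf", delete=False) as fh:
        fh.write(b"secret-token-123")
        secret_path = fh.name
    try:
        payload = build_xxe_request(secret_path)
        leaked = parse_cim_request(payload, resolve_external_entities=True)
        hardened = parse_cim_request(payload, resolve_external_entities=False)
    finally:
        os.unlink(secret_path)
    return leaked, hardened


if __name__ == "__main__":
    leaked, hardened = demo()
    print("vulnerable parser returned:", leaked)    # ['secret-token-123']
    print("hardened parser returned:", hardened)    # ['']
```

The check a practitioner wants from this: any XML endpoint reachable without credentials must parse with external entity resolution (and ideally DTD processing altogether) disabled; with SAX that is the `feature_external_ges` flag above, and a library such as defusedxml enforces the same thing by default. Note that the vulnerable configuration discloses the file only when its contents are well-formed text; that is why the advisory limits the impact to "read-only access to specific files" rather than arbitrary files.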
Mitigation Strategy for Customers (what you should do to protect yourself):
Restrict LXCA access to trusted users. Note that this limits exposure only for the four authenticated issues (CVE-2023-34418, CVE-2023-34420, CVE-2023-34421, CVE-2023-34422); CVE-2023-3113 requires no credentials, so restricting accounts does not address it.
Update LXCA to version 4.0 or later. This is the fix for all five CVEs listed above.
To download the version specified for your product below, follow these steps:
- Navigate to the Drivers & Software support site for your product:
  - Lenovo Products (sold worldwide, except in China): https://support.lenovo.com/
  - Lenovo Products (sold in China): https://newsupport.lenovo.com.cn/
  - IBM-branded System x Legacy Products: https://www.ibm.com/support/fixcentral/
- Search for your product by name or machine type.
- Click Drivers & Software on the left menu panel.
- Click Manual Update to browse by component type.
- Compare the minimum fixed version for your product in the Product Impact table below with the latest version posted on the support site.
Lenovo also offers tools to assist with update management as an alternative to the manual steps described above. Refer to the following for additional help:
PC Products and Software: https://support.lenovo.com/us/en/solutions/ht504759
Server and Enterprise Software: https://support.lenovo.com/us/en/solutions/lnvo-lxcaupd and https://datacentersupport.lenovo.com/us/en/documents/lnvo-center
Revision History:
Revision | Date | Description |
---|---|---|
2 | 2023-06-16 | Updated Product Links |
1 | 2023-06-13 | Initial release |
For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.
Product Impact:
Product | Component | Minimum Fixed Version |
---|---|---|
Lenovo XClarity Administrator | Lenovo XClarity Administrator (LXCA) | LXCA v4.0 |
Lenovo XClarity Administrator | Lenovo XClarity Administrator Virtual Appliance Full Image (For KVM) | LXCA v4.0 |
Lenovo XClarity Administrator | Lenovo XClarity Administrator Virtual Appliance Full Image (For VMWare) | LXCA v4.0 |
Lenovo XClarity Administrator | Lenovo XClarity Administrator Virtual Appliance Full Image (For Windows) | LXCA v4.0 |