Lenovo XClarity Controller (XCC) Information Disclosure Vulnerability
Lenovo Security Advisory: LEN-52117
Potential Impact: Information disclosure
Severity: Medium
Scope of Impact: Lenovo-specific
CVE Identifier: CVE-2021-3473
Summary Description:
An internal product security audit of Lenovo XClarity Controller (XCC) discovered that the XCC configuration backup/restore password may be written to an internal XCC log buffer if Lenovo XClarity Administrator (LXCA) is used to perform the backup/restore. The backup/restore password typically exists in this internal log buffer for less than 10 minutes before being overwritten. An FFDC service log generated during that time includes the log buffer contents, including the backup/restore password if present. The FFDC service log is only generated when requested by a privileged XCC user, and it is only accessible to the privileged XCC user who requested the file. The backup/restore password is not captured if the backup/restore is initiated directly from XCC.
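The exposure conditions described above can be checked retrospectively. The following is an added example, not part of Lenovo's advisory: it flags FFDC service logs that were generated within the buffer lifetime after an LXCA-initiated backup/restore on the same controller. The event schema, host names, user names and sample records are constructed for illustration and do not represent an XCC or LXCA log format.

```python
from datetime import datetime, timedelta

# Assumption: the advisory says the password "typically" stays in the buffer
# for less than 10 minutes; this is not a guarantee, so widen it for margin.
EXPOSURE_WINDOW = timedelta(minutes=10)

# Constructed sample events (hypothetical schema, not an XCC log format):
# (ISO timestamp, host, event kind, initiator or requesting user)
SAMPLE_EVENTS = [
    ("2021-03-02T09:00:00", "xcc-a", "config_backup", "LXCA"),
    ("2021-03-02T09:04:30", "xcc-a", "ffdc_generated", "svc_admin"),
    ("2021-03-02T10:00:00", "xcc-b", "config_restore", "XCC"),
    ("2021-03-02T10:02:00", "xcc-b", "ffdc_generated", "svc_admin"),
    ("2021-03-02T11:00:00", "xcc-c", "config_backup", "LXCA"),
    ("2021-03-02T11:25:00", "xcc-c", "ffdc_generated", "ops_admin"),
    ("2021-03-02T12:00:00", "xcc-d", "ffdc_generated", "ops_admin"),
    ("2021-03-02T12:03:00", "xcc-d", "config_backup", "LXCA"),
]

def at_risk_ffdc(events, window=EXPOSURE_WINDOW):
    """Return FFDC generations that fall inside the window after an
    LXCA-initiated backup/restore on the same host."""
    last_lxca_op = {}  # host -> time of most recent LXCA-initiated operation
    findings = []
    for ts, host, kind, actor in sorted(events):
        when = datetime.fromisoformat(ts)
        if kind in ("config_backup", "config_restore"):
            # Per the advisory, operations started directly from XCC
            # do not write the password to the log buffer.
            if actor == "LXCA":
                last_lxca_op[host] = when
        elif kind == "ffdc_generated" and host in last_lxca_op:
            age = when - last_lxca_op[host]
            if age <= window:
                findings.append({"host": host, "ffdc_time": ts,
                                 "requested_by": actor,
                                 "seconds_after_op": int(age.total_seconds())})
    return findings

if __name__ == "__main__":
    for finding in at_risk_ffdc(SAMPLE_EVENTS):
        print(finding)
```

An FFDC file flagged this way is a candidate for handling as credential-bearing material, and the `requested_by` field identifies the one privileged user who had access to it.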
Mitigation Strategy for Customers (what you should do to protect yourself):
Update to the Lenovo XClarity Controller (XCC) version (or higher) as recommended in the Product Impact section below.
Product Impact:
Lenovo XClarity Controller (XCC) Version 6.00 CDI370Q: https://datacentersupport.lenovo.com/us/en/downloads/ds549001
- Supports Lenovo ThinkSystem SR550, Machine Types: 7X03,7X04
- Supports Lenovo ThinkSystem SR650, Machine Types: 7X05,7X06,7D5R,7Z20
- Supports Lenovo ThinkSystem SR530, Machine Types: 7X07,7X08
- Supports Lenovo ThinkSystem ST550, Machine Types: 7X09,7X10
- Supports Lenovo ThinkSystem SR590, Machine Types: 7X98,7X99
- Supports Lenovo ThinkSystem SR570, Machine Types: 7Y02,7Y03
- Supports Lenovo ThinkSystem ST558, Machine Types: 7Y15,7Y16
- Supports Lenovo ThinkAgile VX Series, Machine Types: 7Y13,7Y14,7Y93,7Y94
- Supports Lenovo ThinkAgile HX Series, Machine Types: 7X83,7X84,7Y89,7Y90,7Z04,7Z05,7Z06,7Z07
- Supports Lenovo ThinkAgile MX Certified Nodes, Machine Types: 7Z20
Lenovo XClarity Controller (XCC) Version 1.10 TGBT12Q: https://datacentersupport.lenovo.com/us/en/downloads/ds549049
- Supports Lenovo ThinkSystem SR860 V2, Machine Types: 7D42,7Z59,7Z60
Lenovo XClarity Controller (XCC) Version 3.20 TEI378W: https://datacentersupport.lenovo.com/us/en/downloads/ds548955
- Supports ThinkAgile MX Certified Node on SE350, Machine Types: 7D1B, 7D2U
- Supports HX Series, Machine Types: 7D1Z,7D20,7Z29,7D2T
- Supports ThinkAgile MX1020 MX Edge Appliance (BIS), Machine Types: 7D5T
- Supports ThinkAgile MX1020 MX Edge Appliance (WW), Machine Types: 7D5S
- Supports ThinkAgile VX Series, Machine Types: 7D1Y,7D28
- Supports Lenovo ThinkSystem SR850P, Machine Types: 7D2F,7D2G,7D2H
- Supports Lenovo ThinkSystem SR670 Server, Machine Types: 7Y36, 7Y37, 7Y38, 7D4L
Lenovo XClarity Controller (XCC) Version 2.14 PSI338I: https://datacentersupport.lenovo.com/us/en/downloads/ds549192
Lenovo XClarity Controller (XCC) Version 4.40 TEI3B2P: https://datacentersupport.lenovo.com/us/en/downloads/ds549048
- Supports Lenovo ThinkSystem SR860, Machine Types: 7X69, 7X70
- Supports Lenovo ThinkSystem SD530, Machine Types: 7X21
- Supports Lenovo ThinkSystem SN550, Machine Types: 7X16
- Supports Lenovo ThinkSystem SN850, Machine Types: 7X15
- Supports Lenovo ThinkSystem ST250/ST258, Machine Types: 7Y45,7Y46,7Y47
- Supports Lenovo ThinkSystem SR150/SR158, Machine Types: 7Y54,7Y55
- Supports Lenovo ThinkSystem SR250/SR258, Machine Types: 7Y51,7Y52,7Y72,7Y73,7Y53
- Supports Lenovo ThinkAgile HX series, Machine Types: 7X82, 7Y88, 7Z03
- Supports Lenovo ThinkAgile VX series, Machine Types: 7Y11, 7Y12, 7Y92
- Supports Lenovo ThinkSystem SD650 DWC Dual Node Tray, Machine Types: 7X58
Revision History:
| Revision | Date | Description |
|---|---|---|
| 1 | 2021-04-13 | Initial release |
For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.