请注意:本网站包含无障碍系统。 按 Control-F11 将网站调整为使用屏幕阅读器的视障人士;按 Control-F10 打开辅助功能菜单。

Stored XSS Vulnerability in legacy IBM System x IMM

Stored XSS Vulnerability in legacy IBM System x IMM

Stored XSS Vulnerability in legacy IBM System x IMM

Lenovo Security Advisory: LEN-24785

Potential Impact: Code execution

Severity: High

Scope of Impact: Lenovo-specific

CVE Identifier: CVE-2019-6159

Summary Description:

A stored cross-site scripting (XSS) vulnerability exists in the legacy IBM System x IMM (IMM v1) embedded Baseboard Management Controller (BMC). This vulnerability could allow an unauthenticated user to cause JavaScript code to be stored in the IMM log which may then be executed in the user's web browser when IMM log records containing the JavaScript code are viewed. The JavaScript code is not executed on IMM itself. The later IMM2 (IMM v2) is not affected.

Mitigation Strategy for Customers (what you should do to protect yourself):

A patch will not be available for this vulnerability as IMM (IMM v1) is approaching end of support.

To mitigate this vulnerability, users should:

  • Restrict network access of the IMM web interface to only trusted networks.
  • View IMM logs through an SSH session or the IMM web interface after disabling JavaScript in the web browser.
  • Send IMM logs to a log management system that does not render JavaScript.

Acknowledgements:

Lenovo thanks Christopher Arnold for reporting this issue.

Product Impact:

BladeCenter HS22

BladeCenter HS22V

BladeCenter HX5

System x iDataPlex dx360 M2

System x iDataPlex dx360 M3

System x3400 M3

System x3500 M2

System x3500 M3

System x3550 M3

System x3560 M2

System x3630 M3

System x3650 M3

System x3690 X5

System x3850 X5

System x3950 X5

Revision History:

Revision Date Description
1 2019-08-08 Initial release

For a complete list of all Lenovo Product Security Advisories, click here.

For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.


別名 Id:LEN-24785
文件ID:PS500266
原始發布日期:08/06/2019
Last Modified Date:08/08/2019