Stored XSS Vulnerability in legacy IBM System x IMM
Stored XSS Vulnerability in legacy IBM System x IMM
Stored XSS Vulnerability in legacy IBM System x IMM
Lenovo Security Advisory: LEN-24785
Potential Impact: Code execution
Severity: High
Scope of Impact: Lenovo-specific
CVE Identifier: CVE-2019-6159
Summary Description:
A stored cross-site scripting (XSS) vulnerability exists in the legacy IBM System x IMM (IMM v1) embedded Baseboard Management Controller (BMC). This vulnerability could allow an unauthenticated user to cause JavaScript code to be stored in the IMM log which may then be executed in the user's web browser when IMM log records containing the JavaScript code are viewed. The JavaScript code is not executed on IMM itself. The later IMM2 (IMM v2) is not affected.
Mitigation Strategy for Customers (what you should do to protect yourself):
A patch will not be available for this vulnerability as IMM (IMM v1) is approaching end of support.
To mitigate this vulnerability, users should:
- Restrict network access of the IMM web interface to only trusted networks.
- View IMM logs through an SSH session or the IMM web interface after disabling JavaScript in the web browser.
- Send IMM logs to a log management system that does not render JavaScript.
Acknowledgements:
Lenovo thanks Christopher Arnold for reporting this issue.
Product Impact:
BladeCenter HS22
BladeCenter HS22V
BladeCenter HX5
System x iDataPlex dx360 M2
System x iDataPlex dx360 M3
System x3400 M3
System x3500 M2
System x3500 M3
System x3550 M3
System x3560 M2
System x3630 M3
System x3650 M3
System x3690 X5
System x3850 X5
System x3950 X5
Revision History:
Revision | Date | Description |
---|---|---|
1 | 2019-08-08 | Initial release |
For a complete list of all Lenovo Product Security Advisories, click here.
For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.
Your feedback helps to improve the overall experience