IBM warns Storwize arrays can DELETE ALL DATA
Web interface authentication hole allows anyone to log in and drive the array
IBM has issued a warning to owners of its Storwize arrays, SAN Volume Controller and Flex System V7000, because all are at risk of having their contents erased.
Big Blue’s warning about the problem is blunt: “Administrative access to the system via the IP interface may be obtained without authentication.”
That’s bad news because “The vulnerabilities can be exploited by a user with access to the system's management IP interface using vulnerabilities in the Apache Struts component. If successful, the user can gain access with superuser privilege which will allow any modification to the configuration, including complete deletion.”
The fix sounds simple: upgrade Storwize appliances to version 220.127.116.11 of their operating system. We’ve qualified that statement with “sounds” because version 18.104.22.168 was released at the beginning of October. Plenty of storage administrators may have had good reason not to make the upgrade.
One piece of silver lining: IBM notes that the web interface is likely not exposed to the internet. That means an insider is the most likely threat, yet another reason for storage admins to keep those pesky network admins away from their beloved boxen. ®