A warning is going out to owners of IBM’s Storwize arrays, SAN Volume Controller and Flex System V7000, because the contents of those systems could disappear forever.
“Administrative access to the system via the IP interface may be obtained without authentication,” said the IBM advisory.
“The vulnerabilities can be exploited by a user with access to the system’s management IP interface using vulnerabilities in the Apache Struts component,” the advisory said. “If successful, the user can gain access with superuser privilege which will allow any modification to the configuration, including complete deletion.”
The fix is to upgrade Storwize appliances to version 18.104.22.168 of their operating system.
IBM said the web interface does not face the Internet, so an attack that wipes out data would have to be an inside job.