
Vulnerability Details


Date of Disclosure: 10/31/2023
Affected Product: maxView Storage Manager Utility for Adaptec® Smart Storage Controllers
  • Vulnerability Type: Network
  • CVE Identifier: CVE-2024-22216
  • CVSS Score: 9.5
  • Vulnerability Description:
    • In default installations of maxView Storage Manager where Redfish® server is configured for remote system management, a vulnerability has been identified that can provide unauthorized access.
  • Affected Versions: 
    • maxView Storage Manager v3.00.23484 (January 2019) through v4.14.00.26064 (July 2023), excluding the patched versions provided below.
  • Vulnerability Status: 
    • Patched and mitigated.

Risk Assessment


Exploitation of the vulnerability could potentially result in loss of data by allowing modification of RAID configurations. Additionally, exploitation could potentially result in disclosure of information by providing read access to system files if directory location and file name are known.

Mitigation


Upgrade maxView Storage Manager to a version that resolves this vulnerability (details below).

Patch/Release Information


The following versions of maxView Storage Manager are either patched builds or the latest releases in which this vulnerability has been resolved.

  • Smart x100/x200 product family:
    • SR 2.8.2 & SR 3.3.2 – 4.16.00.26273 (or later)
    • SR 2.8.0 & SR 3.3.0 (Patched) – 4.14.00.26068
    • SR 2.7.0 & SR 3.2.0 (Patched) – 4.07.00.25339
  • Series 8 product family:
    • 2020.2 (Patched) – 3.07.23980
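
A fleet triage check built from the affected range and the patched versions listed above. This is an added example, not part of the vendor's advisory. It assumes dotted version strings compare numerically component by component; the function names, host names and the sample inventory are constructed for illustration.

```python
# Added example: triage maxView Storage Manager versions against this advisory.
# Assumption: dotted versions compare numerically, component by component.
AFFECTED_FIRST = "3.00.23484"     # first affected version (from the advisory)
AFFECTED_LAST = "4.14.00.26064"   # last affected version (from the advisory)
PATCHED = ("4.14.00.26068", "4.07.00.25339", "3.07.23980")  # patched builds
FIXED_FROM = "4.16.00.26273"      # listed as "(or later)"


def parse(version):
    """Turn 'v4.14.00.26064' into (4, 14, 0, 26064); ValueError on anything else."""
    parts = version.strip().lstrip("vV").split(".")
    if len(parts) < 3 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def classify(version):
    """Return 'patched', 'fixed', 'affected' or 'unlisted' for one version."""
    v = parse(version)
    if v in {parse(p) for p in PATCHED}:
        return "patched"
    if v >= parse(FIXED_FROM):
        return "fixed"
    if parse(AFFECTED_FIRST) <= v <= parse(AFFECTED_LAST):
        # Conservative: only the exact patched builds above are excluded.
        return "affected"
    return "unlisted"  # the advisory says nothing about this version


def triage(inventory):
    """Map each host to a status; unparsable versions become 'invalid'."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = classify(version)
        except ValueError:
            report[host] = "invalid"
    return report


if __name__ == "__main__":
    # Constructed inventory: host names and version assignments are sample data.
    sample = {"stor-01": "4.14.00.26064", "stor-02": "4.07.00.25339",
              "stor-03": "v4.16.00.26273", "stor-04": "3.07.23980",
              "stor-05": "4.15.00.26100", "stor-06": "unknown"}
    for host, status in sorted(triage(sample).items()):
        print(f"{host}: {status}")
```

Hosts reported as `unlisted` or `invalid` need manual review, since the advisory does not cover those versions.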

Acknowledgements


Reported by the German Federal Office for Information Security (BSI) as part of their CVD process.

Recommendations


It is strongly recommended that all customers upgrade installations of maxView Storage Manager to a patched or current release version in which this vulnerability has been resolved.