First published: Tue Apr 13 2021
An internal product security audit of Lenovo XClarity Controller (XCC) discovered that the XCC configuration backup/restore password may be written to an internal XCC log buffer if Lenovo XClarity Administrator (LXCA) is used to perform the backup/restore. The backup/restore password typically exists in this internal log buffer for less than 10 minutes before being overwritten. Generating an FFDC service log will include the log buffer contents, including the backup/restore password if present. The FFDC service log is only generated when requested by a privileged XCC user and it is only accessible to the privileged XCC user that requested the file. The backup/restore password is not captured if the backup/restore is initiated directly from XCC.
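A practitioner-side check for this issue, added here as an example and not code from Lenovo or from the advisory: before an FFDC service log leaves the privileged user's hands (for example, when it is attached to a support case), scan it for the backup/restore password in plain, base64-encoded and URL-encoded forms, and redact any hits. It assumes the FFDC bundle has already been extracted into plain-text files (the real archive layout is not described on this page); the file names, log lines and password below are constructed for the example.

```python
"""Scan an extracted XCC FFDC service-log bundle for a leaked backup/restore
password and redact it before the bundle is shared.

Added example, not Lenovo's code. Assumptions: the bundle is a set of text
files (mapping of file name -> contents) and the operator knows the password
that was used for the LXCA-initiated backup/restore.
"""
import base64
import urllib.parse
from pathlib import Path

# Constructed example password; the real value is whatever the operator set.
PASSWORD = "Backup!Pass#2021"

# Constructed sample bundle (file name -> contents). Not real FFDC output.
SAMPLE_BUNDLE = {
    "xcc_syslog.txt": (
        "2021-04-13T10:01:02 lxca backup requested by admin\n"
        "2021-04-13T10:01:03 config export password=Backup!Pass#2021\n"
        "2021-04-13T10:01:04 export complete\n"
    ),
    "restapi_trace.txt": (
        "POST /api/backup body=password%3DBackup%21Pass%232021\n"
        "cached_credential=QmFja3VwIVBhc3MjMjAyMQ==\n"
    ),
    "hw_inventory.txt": "SR650 XCC 6.00 cdi370q\n",
}


def password_variants(password: str) -> dict:
    """Encodings under which the password might land in a log line.

    The base64 form only matches when the password is encoded on its own
    (it is not found inside a longer base64 blob at a different alignment).
    """
    return {
        "plain": password,
        "base64": base64.b64encode(password.encode()).decode(),
        "url": urllib.parse.quote(password, safe=""),
    }


def scan_text(text: str, password: str) -> list:
    """Return (line_no, encoding) for each line that contains the password."""
    hits = []
    variants = password_variants(password)
    for line_no, line in enumerate(text.splitlines(), 1):
        for encoding, needle in variants.items():
            if needle in line:
                hits.append((line_no, encoding))
                break  # one report per line is enough
    return hits


def scan_bundle(bundle: dict, password: str) -> list:
    """Return (file, line_no, encoding) hits across the whole bundle."""
    hits = []
    for name in sorted(bundle):
        for line_no, encoding in scan_text(bundle[name], password):
            hits.append((name, line_no, encoding))
    return hits


def redact_bundle(bundle: dict, password: str) -> dict:
    """Return a copy of the bundle with every password variant replaced."""
    redacted = {}
    for name, text in bundle.items():
        for needle in password_variants(password).values():
            text = text.replace(needle, "[REDACTED]")
        redacted[name] = text
    return redacted


def load_bundle(directory: str) -> dict:
    """Read an extracted FFDC directory into the bundle mapping (for real use)."""
    root = Path(directory)
    return {
        str(p.relative_to(root)): p.read_text(errors="replace")
        for p in root.rglob("*")
        if p.is_file()
    }


if __name__ == "__main__":
    # Sample run over the constructed bundle; for a real FFDC extract use
    # load_bundle("/path/to/extracted/ffdc") in place of SAMPLE_BUNDLE.
    for name, line_no, encoding in scan_bundle(SAMPLE_BUNDLE, PASSWORD):
        print(f"{name}:{line_no}: password present ({encoding})")
    clean = redact_bundle(SAMPLE_BUNDLE, PASSWORD)
    print("hits after redaction:", scan_bundle(clean, PASSWORD))
```

Run the scan both on the FFDC log collected while the issue is present (expect hits within about ten minutes of an LXCA-driven backup/restore) and again after updating XCC firmware, where a clean result confirms the fix on that host; the redacted copy is the one to hand to a third party.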
Credit: psirt@lenovo.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Lenovo XClarity Controller | =6.00_cdi370q | |
| Lenovo Thinkagile Hx1320 | | |
| Lenovo Thinkagile Hx2320 | | |
| Lenovo Thinkagile Hx3320 | | |
| Lenovo Thinkagile Hx3375 | | |
| Lenovo Thinkagile Hx3520-g | | |
| Lenovo Thinkagile Hx3720 | | |
| Lenovo Thinkagile Hx5520 | | |
| Lenovo Thinkagile Hx7520 | | |
| Lenovo Thinkagile Hx7820 | | |
| Lenovo Thinkagile Mx Certified Nodes | | |
| Lenovo Thinkagile Vx 1u | | |
| Lenovo Thinkagile Vx 2u | | |
| Lenovo Thinkagile Vx Dense | | |
| Lenovo Thinksystem Sr530 | | |
| Lenovo Thinksystem Sr570 | | |
| Lenovo Thinksystem Sr590 | | |
| Lenovo Thinksystem Sr630 | | |
| Lenovo Thinksystem Sr650 | | |
| Lenovo Thinksystem St550 | | |
| Lenovo Thinksystem St558 | | |
| Lenovo XClarity Controller | =1.10_tgbt12q | |
| Lenovo Thinkagile Mx1020 | | |
| Lenovo Thinksystem Se350 | | |
| Lenovo Thinksystem Sr670 | | |
| Lenovo Thinksystem Sr850p | | |
| Lenovo XClarity Controller | =2.14_psi338i | |
| Lenovo Thinksystem Sr950 | | |
| Lenovo XClarity Controller | =4.40_tei3b2p | |
| Lenovo Thinksystem Sd530 | | |
| Lenovo Thinksystem Sd650 | | |
| Lenovo Thinksystem Sn550 | | |
| Lenovo Thinksystem Sn850 | | |
| Lenovo Thinksystem Sr150 | | |
| Lenovo Thinksystem Sr158 | | |
| Lenovo Thinksystem Sr250 | | |
| Lenovo Thinksystem Sr258 | | |
| Lenovo Thinksystem Sr850 | | |
| Lenovo Thinksystem Sr860 | | |
| Lenovo Thinksystem St250 | | |
| Lenovo Thinksystem St258 | | |
Update to the Lenovo XClarity Controller (XCC) version (or higher) as recommended in the Product Impact section of LEN-52117.
The vulnerability ID is CVE-2021-3473.
The severity of CVE-2021-3473 is medium, with a CVSS base score of 4.9.
The Lenovo XClarity Controller version 6.00_cdi370q is affected by CVE-2021-3473, as are the other XCC versions listed in the table above.
CVE-2021-3473 is not exploited by writing the password; the flaw is that XCC itself writes the configuration backup/restore password to an internal log buffer when Lenovo XClarity Administrator (LXCA) performs the backup/restore, so an FFDC service log generated by a privileged XCC user during the roughly ten-minute window before the buffer is overwritten contains that password. Exposure requires an already privileged XCC user to generate the FFDC log, and only that user can retrieve it.
To fix CVE-2021-3473, update the XCC firmware to the version (or higher) recommended in the Product Impact section of Lenovo advisory LEN-52117, and treat any FFDC service log collected before the update as possibly containing the backup/restore password.