IBM DS8000 Missing Authorization Vulnerability in Safeguarded Copy Backup Management

Vulnerability

A vulnerability exists in IBM System Storage DS8000 models DS8A00 (R10.1) version 10.10.106.0; DS8A00 (R10.0) versions 10.1.3.0 and 10.2.45.0; and DS8900F (R9.4) versions 89.40.83.0, 89.42.18.0 and 89.44.5.0. This vulnerability allows a local user with authorized CCW update permissions to delete or corrupt backups. The issue arises from inadequate authorization in the IBM Safeguarded Copy and GDPS Logical corruption protection mechanisms, potentially leading to data loss or backup integrity issues.

Impact

Exploitation of this vulnerability could result in unauthorized deletion or corruption of backup data, undermining data recovery processes and backup integrity.

Remediation

Users can apply the fix included in the DS8900F Microcode Bundle 89.44.17.0 R9.4 SP4.2 or the DS8A00 Microcode Bundle 10.11.30.0 R10.1.1. Instructions for scheduling a Remote Code Load (RCL) are available on the IBM Support website.
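
Added example (not IBM's or this site's code): a small triage script that compares recorded microcode bundle levels against the fixed bundles named above, using numeric rather than string comparison so that 89.44.5.0 is correctly ordered below 89.44.17.0. It assumes the leading component (89 or 10) identifies the model family and that any lower level in the same family needs the update; the system names and inventory are constructed.

```python
# Fixed bundle levels taken from the Remediation section of this advisory.
# Assumption: the first component of the level identifies the model family.
FIXED = {
    89: (89, 44, 17, 0),  # DS8900F R9.4 SP4.2
    10: (10, 11, 30, 0),  # DS8A00 R10.1.1
}

def parse_bundle(text):
    """Turn '89.44.5.0' into (89, 44, 5, 0); reject anything not four-part."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part bundle level: {text!r}")
    return tuple(int(p) for p in parts)

def needs_update(bundle):
    """True if below the fixed level, False if at or above it,
    None if the family is not covered by this advisory."""
    level = parse_bundle(bundle)
    fixed = FIXED.get(level[0])
    if fixed is None:
        return None
    # Tuple comparison is numeric per component; comparing the raw strings
    # would rank '89.44.5.0' above '89.44.17.0' and hide an affected system.
    return level < fixed

def triage(inventory):
    """Sort (name, bundle) pairs into update / ok / unknown buckets."""
    report = {"update": [], "ok": [], "unknown": []}
    for name, bundle in inventory:
        try:
            verdict = needs_update(bundle)
        except ValueError:
            verdict = None  # malformed level: needs a human to look at it
        key = "unknown" if verdict is None else ("update" if verdict else "ok")
        report[key].append(name)
    return report

# Constructed inventory: hypothetical system names, levels chosen to hit each case.
INVENTORY = [
    ("stg-prod-01", "89.44.5.0"),    # affected level listed in the advisory
    ("stg-prod-02", "89.44.17.0"),   # fixed DS8900F bundle
    ("stg-dr-01", "10.10.106.0"),    # affected level listed in the advisory
    ("stg-dr-02", "10.11.30.0"),     # fixed DS8A00 bundle
    ("stg-lab-01", "88.59.1.0"),     # family not covered here
    ("stg-lab-02", "10.2.45"),       # truncated level, cannot be judged
]

if __name__ == "__main__":
    for status, names in triage(INVENTORY).items():
        print(f"{status}: {', '.join(names)}")
```

Systems that land in the unknown bucket should be checked by hand rather than treated as unaffected.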

Added: Dec 26, 2025, 2:18 PM
Updated: Dec 26, 2025, 2:18 PM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 2.5
exploitability: 3.5
remediation: 8.3
relevance: 1.6
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.