BSA-2020-905
21577
24 January 2020
24 January 2020
Closed
Low
8.2
Yes
CVE-2019-16204
Summary
Security Advisory ID : BSA-2020-905
Component : authentication
Revision : 1.0: Final
Brocade Fabric OS Versions before v7.4.2f, v8.2.2a, v8.1.2j and v8.2.1d could expose external passwords, common secrets or authentication keys used between the switch and an external server.
When using certain CLI commands in which a password, common secret or authentication key is given as a command line option, the argument provided with the command line option can be captured and saved in the switch CLI History or Audit Log. The password or secret will not be exposed to any other user of the switch and cannot be viewed by any other user account on the switch including ADMIN.
However, the password or secret could be visible to a support engineer who has been given a SupportSave from the switch.
Affected Products
Brocade Fabric OS Versions before v7.4.2f, v8.2.2a, v8.1.2j and v8.2.1d.
Workaround:
Use the CLI in "interactive" mode. When using the CLI in "interactive" mode, the switch will not store any information provided.
The CLI History and Audit Log will only retain additional arguments when they are provided as a command line option.
Solution:
A security update has been provided in Brocade Fabric OS versions v7.4.2f, v8.2.2a, v8.1.2j, and v8.2.1d.
All later versions of Brocade Fabric OS including all Brocade Fabric OS v.9.X releases also contain this same security update.
Brocade strongly recommends that all customers running the impacted version(s) upgrade to one of the identified patch levels or a higher version of Brocade Fabric OS to obtain the Security update.
Revision History
Version | Change | Date |
---|---|---|
1.0 | Initial Publication | January 24, 2020 |