Title: CVE-2015-2471 MSXML Vulnerability in StarWind Products

Note: StarWind will continue to update information regarding this vulnerability as new details become available.

Vulnerability ID: SW-20151106-0001

Version: 1.0

Date: 2015-11-06

Status: Final

CVEs: CVE-2015-2471

Summary

StarWind VSAN product incorporates MSXML service. Service version prior to 6.0 sp3 is supports SSL 2.0, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by sniffing the network and conducting a decryption attack, aka “MSXML Information Disclosure Vulnerability,” a different vulnerability than CVE-2015-2434

Impact 

Successful defeat of cryptographic protection mechanisms by sniffing the network and conducting a decryption attack

Vulnerability Scoring

CVE CVSS 2.0 Score CVSS 3.x Score
CVE-2015-2471 4.3 (MEDIUM)  N/A

Vector

CVSS:2.0 (AV:N/AC:M/Au:N/C:P/I:N/A:N)

References

Resource Hyperlink
NVD https://nvd.nist.gov/vuln/detail/CVE-2015-2471

Affected Products:

StarWind HCA and software installations with the following builds:

StarWind VSAN v8 build 8198

StarWind VSAN v8 build 7929

StarWind VSAN v8 build 7774

StarWind VSAN v8 build 7509

StarWind VSAN v8 build 7471

StarWind VSAN v8 build 7354

StarWind VSAN v8 build 7145

StarWind VSAN v8 build 6884

StarWind VTL component

StarWind Tape Redirector component

StarWind V2V

Not affected products:

N/A

Software Versions and Fixes

Fixed in StarWind VSAN v8 build 8716

Workaround

Update to StarWind VSAN build 8716 or higher

Obtaining Software Fixes 

Software updates will be available in StarWind release notes – https://www.starwindsoftware.com/release-notes-build. To update the software, perform the steps described at the following link  – https://knowledgebase.starwindsoftware.com/guidance/upgrading-from-any-starwind-version-to-any-starwind-version/ or contact support to perform an update. You can submit a support request using the following link https://www.starwindsoftware.com/support-form or contact Support directly via email support@starwind.com or via phone +1 617 829 4499.

Status of Notice

Final

StarWind will continue to update information regarding this vulnerability as new details become available.

This vulnerability article should be considered as the single source of current, up-to-date, authorized and accurate information posted by StarWind Software.

Revision History 

Revision # Date Comments
1.0 2015-11-06 Initial Public Release and Final Status