CVE-2019-19756

Description

An internal product security audit of Lenovo XClarity Administrator (LXCA) discovered Windows OS credentials, used to perform driver updates of managed systems, being written to a log file in clear text. This only affects LXCA version 2.6.0 when performing a Windows driver update. Affected logs are only accessible to authorized users in the First Failure Data Capture (FFDC) service log and log files on LXCA.

Remediation

Solution:

Update your LXCA installation to version 2.6.12 or later. Installation note: You will need to update to LXCA 2.6.0 before installing the latest fix bundle (v 2.6.12).

References

Link	Tags
https://support.lenovo.com/us/en/product_security/LEN-29942	vendor advisory

Frequently Asked Questions

What is the severity of CVE-2019-19756?: CVE-2019-19756 has been scored as a high severity vulnerability.
How to fix CVE-2019-19756?: To fix CVE-2019-19756: Update your LXCA installation to version 2.6.12 or later. Installation note: You will need to update to LXCA 2.6.0 before installing the latest fix bundle (v 2.6.12).
Is CVE-2019-19756 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2019-19756 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2019-19756?: CVE-2019-19756 affects Lenovo XClarity Administrator (LXCA).

This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.

Description

Remediation

Category

CWE-532 – Insertion of Sensitive Information into Log File

References

Frequently Asked Questions