ESB-2018.2910 - [Linux] IBM PowerKVM: Multiple vulnerabilities 2018-09-27

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2910
       Multiple vulnerabilities have been identified in IBM PowerKVM
                             27 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM PowerKVM
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Access Privileged Data          -- Remote/Unauthenticated      
                   Increased Privileges            -- Existing Account            
                   Overwrite Arbitrary Files       -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated      
                   Provide Misleading Information  -- Remote/Unauthenticated      
                   Unauthorised Access             -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1000001 CVE-2018-12020 CVE-2018-11235
                   CVE-2018-10915 CVE-2018-10897 CVE-2018-10881
                   CVE-2018-6412 CVE-2018-3620 CVE-2018-1093
                   CVE-2018-1092 CVE-2018-1087 CVE-2018-1068
                   CVE-2018-1063 CVE-2017-16939 CVE-2017-15804
                   CVE-2017-15670 CVE-2017-15116 CVE-2017-14992
                   CVE-2017-12190 CVE-2017-12132 CVE-2016-9962
                   CVE-2016-2183 CVE-2015-5180 CVE-2014-9402

Reference:         ASB-2018.0204
                   ASB-2018.0203
                   ASB-2017.0219
                   ASB-2017.0169
                   ESB-2016.2263
                   ESB-2016.2239.2
                   ESB-2016.2238
                   ESB-2015.0428

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10730491
   http://www.ibm.com/support/docview.wss?uid=ibm10716905
   http://www.ibm.com/support/docview.wss?uid=ibm10716881
   http://www.ibm.com/support/docview.wss?uid=ibm10720353
   http://www.ibm.com/support/docview.wss?uid=ibm10728473
   http://www.ibm.com/support/docview.wss?uid=ibm10728307
   http://www.ibm.com/support/docview.wss?uid=ibm10733108
   http://www.ibm.com/support/docview.wss?uid=ibm10725649
   http://www.ibm.com/support/docview.wss?uid=ibm10716885
   http://www.ibm.com/support/docview.wss?uid=ibm10716879

Comment: This bulletin contains ten (10) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: A vulnerability in PostgreSQL affects PowerKVM

Security Bulletin

Document information

More support for: PowerKVM

Software version: 3.1

Operating system(s): Linux

Reference #: 0730491

Modified date: 26 September 2018

Summary

PowerKVM is affected by a vulnerability in PostgreSQL. IBM has now addressed
this vulnerability.

Vulnerability Details

CVEID: CVE-2018-10915
DESCRIPTION: PostgreSQL could allow a remote attacker to bypass security
restrictions, caused by an issue with improperly resting internal state in
between connections in the libpq library. By sending a specially-crafted
request, an attacker could exploit this vulnerability to bypass client-side
connection security features.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
148225 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

PowerKVM v3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. See https://ibm.biz/BdHggw. This
issue is addressed starting with v3.1.0.2 update 15.

Workarounds and Mitigations

none



Change History

5 September 2018 - Initial Version

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: A vulnerability in Python affects PowerKVM

Security Bulletin

Document information

More support for: PowerKVM

Software version: 3.1

Operating system(s): Linux

Reference #: 0716905

Modified date: 26 September 2018

Summary

PowerKVM is affected by a vulnerability in Python. IBM has now addressed this
vulnerability.

Vulnerability Details

CVEID: CVE-2016-2183
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive
information, caused by an error in the DES/3DES cipher, used as a part of the
SSL/TLS protocol. By capturing large amounts of encrypted traffic between the
SSL/TLS server and the client, a remote attacker able to conduct a
man-in-the-middle attack could exploit this vulnerability to recover the
plaintext data and obtain sensitive information. This vulnerability is known as
the SWEET32 Birthday attack.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
116337 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

PowerKVM 3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. See https://ibm.biz/BdHggw. This
issue is addressed starting with v3.1.0.2 update 15.

This update modifies the Python SSL module to disable 3DES cipher suites by
default.

Workarounds and Mitigations

none



Change History

10 July 2018 - Initial Version

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: A vulnerability in git affects PowerKVM

Security Bulletin

Document information

More support for: PowerKVM

Software version: 3.1

Operating system(s): Linux

Reference #: 0716881

Modified date: 26 September 2018

Summary

PowerKVM is affected by a vulnerability in git. IBM has now addressed this
vulnerability.

Vulnerability Details

CVEID: CVE-2018-11235
DESCRIPTION: Git could allow a remote attacker to execute arbitrary code on the
system, caused by improper validation of submodule "names" supplied via the
untrusted .gitmodules file when appending them to the '$GIT_DIR/modules'
directory. By sending specially-crafted data, an attacker could exploit this
vulnerability to execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
144075 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

PowerKVM 3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. See https://ibm.biz/BdHggw. This
issue is addressed starting with v3.1.0.2 update 15.

Workarounds and Mitigations

none



Change History

10 July 2018 - Initial Version

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: A vulnerability in gnupg2 affects PowerKVM

Security Bulletin

Document information

More support for: PowerKVM

Software version: 3.1

Operating system(s): Linux

Reference #: 0720353

Modified date: 26 September 2018

Summary

PowerKVM is affected by a vulnerability in gnupg2. IBM has now addressed this
vulnerability.

Vulnerability Details

CVEID: CVE-2018-12020
DESCRIPTION: GnuPG could allow a remote attacker to conduct spoofing attacks,
caused by the improper handling of the original filename during decryption and
verification actions in mainproc.c. An attacker could exploit this
vulnerability to spoof the output that GnuPG sends on file descriptor 2 to
other programs that use the --status-fd 2 option.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
144556 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

PowerKVM v3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. See https://ibm.biz/BdHggw. This
issue is addressed starting with v3.1.0.2 update 15.

Workarounds and Mitigations

none



Change History

9 August 2018 - Initial Version

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: A vulnerability in policycoreutils affects PowerKVM

Security Bulletin

Document information

More support for: PowerKVM

Software version: 3.1

Operating system(s): Linux

Reference #: 0728473

Modified date: 26 September 2018

Summary

PowerKVM is affected by a vulnerability in policycoreutils. IBM has now
addressed this vulnerability.

Vulnerability Details

CVEID: CVE-2018-1063
DESCRIPTION: Policycoreutils could allow a local authenticated attacker to
launch a symlink attack. Context relabeling of filesystems creates temporary
files insecurely. A local attacker could exploit this vulnerability by creating
a symbolic link from a temporary file to various files on the system, which
could allow the attacker to overwrite arbitrary files on the system with
elevated privileges.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
139845 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

PowerKVM v3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. See https://ibm.biz/BdHggw. This
issue is addressed starting with v3.1.0.2 update 15.

Workarounds and Mitigations

none



Change History

20 August 2018 - Initial Version

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: A vulnerability in yum-utils affects PowerKVM

Security Bulletin

Document information

More support for: PowerKVM

Software version: 3.1

Operating system(s): Linux

Reference #: 0728307

Modified date: 26 September 2018

Summary

PowerKVM is affected by a vulnerability in yum-utils. IBM has now addressed
this vulnerability.

Vulnerability Details

CVEID: CVE-2018-10897
DESCRIPTION: reposync could allow a remote attacker to traverse directories on
the system, caused by the improper sanitation of paths in remote repository
configuration files. By persuading a victim to open a specially crafted file,
an attacker could exploit this vulnerability using path traversal to overwrite
critical system files and compromise the system.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
147685 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Affected Products and Versions

PowerKVM v3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. See https://ibm.biz/BdHggw. This
issue is addressed starting with v3.1.0.2 update 15.

Workarounds and Mitigations

none



Change History

19 August 2018 - Initial Version

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: PowerKVM has released fixes in response to the
vulnerabilities known as Foreshadow

Security Bulletin

Document information

More support for: PowerKVM

Software version: 3.1

Operating system(s): Linux

Reference #: 0733108

Modified date: 26 September 2018

Summary

PowerKVM is affected by vulnerabilities in the Linux kernel. IBM has now
addressed these vulnerabilities. Note that, although the CVE descriptions do
not reference POWER, POWER CPUs are afftected.

Vulnerability Details

CVEID: CVE-2018-3620
DESCRIPTION: Multiple Intel CPU''s could allow a local attacker to obtain
sensitive information, caused by a flaw in the CPU speculative branch
instruction execution feature. By conducting targeted cache side-channel
attacks and via a terminal page fault, an attacker could exploit this
vulnerability to leak information residing in the L1 data cache and read data
belonging to different security contexts. Note: This vulnerability is also
known as the "L1 Terminal Fault (L1TF)" or "Foreshadow" attack.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
148318 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

Affected Products and Versions

PowerKVM 3.1
 
Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. See https://ibm.biz/BdHggw. This
issue is addressed starting with v3.1.0.2 update 12.

Refer to the following reference URLs for remediation and additional
vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=isg3T1026853

Workarounds and Mitigations

none



Change History

10 July 2018 - Initial Version

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: Vulnerabilities in docker affect PowerKVM

Security Bulletin

Document information

More support for: PowerKVM

Software version: 3.1

Operating system(s): Linux

Reference #: 0725649

Modified date: 26 September 2018

Summary

PowerKVM is affected by vulnerabilities in docker. IBM has now addressed these
vulnerabilities.

Vulnerability Details

CVEID: CVE-2017-14992
DESCRIPTION: Docker-CE (Also known as Moby) is vulnerable to a denial of
service, caused by the lack of content verification. By using a
specially-crafted image layer payload, a remote attacker could exploit this
vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
134421 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-9962
DESCRIPTION: Docker Engine could allow a local authenticated attacker to gain
elevated privileges on the system, caused by an error in the RunC when running
as root. By using "runc exec", an attacker could exploit this vulnerability to
gain access to file-descriptors and escape or modify runC state.
CVSS Base Score: 7.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
120498 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

PowerKVM V3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. See https://ibm.biz/BdHggw. This
issue is addressed starting with v3.1.0.2 update 15.

Workarounds and Mitigations

none



Change History

10 August 2018 - Initial version

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: Vulnerabilities in glibc affect PowerKVM

Security Bulletin

Document information

More support for: PowerKVM

Software version: 3.1

Operating system(s): Linux

Reference #: 0716885

Modified date: 26 September 2018

Summary

PowerKVM is affected by vulnerabilities in the GNU C Library (aka glibc or
libc6). IBM has now addressed these vulnerabilities.

Vulnerability Details

CVEID: CVE-2018-1000001
DESCRIPTION: Glibc could allow a local attacker to execute arbitrary code on
the system, caused by a buffer underflow in the __realpath() function in stdlib
/canonicalize.c. An attacker could exploit this vulnerability to execute
arbitrary code on the system and obtain privileges.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
137516 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2017-15804
DESCRIPTION: GNU C Library (aka glibc or libc6) is vulnerable to a buffer
overflow, caused by improper bounds checking by glob function in glob.c. By
using a specially-crafted file, a local attacker could overflow a buffer.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
133996 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID: CVE-2017-15670
DESCRIPTION: GNU C Library is vulnerable to a heap-based buffer overflow,
caused by improper bounds checking by the glob function in glob.c. By sending a
specially-crafted string, a remote attacker could overflow a buffer and execute
arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
133915 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2017-12132
DESCRIPTION: GNU C Library (aka glibc or libc6) could allow a remote attacker
to conduct spoofing attacks, caused by a flaw in the DNS stub resolver. An
attacker could exploit this vulnerability to perform off-path DNS spoofing
attacks.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
129949 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2015-5180
DESCRIPTION: glibc is vulnerable to a denial of service, caused by a NULL
pointer dereference in the res_query function in libresolv. By using a
malformed pattern, a remote attacker could cause the process to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
130620 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2014-9402
DESCRIPTION: glibc is vulnerable to a denial of service, caused by an error in
the getanswer_r() function. If the DNS backend is activated, a remote attacker
could exploit this vulnerability to cause the application to enter into an
infinite loop.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
99289 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

Affected Products and Versions

PowerKVM v3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. See https://ibm.biz/BdHggw. This
issue is addressed starting with v3.1.0.2 update 15.

Workarounds and Mitigations

none

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

10 July 2018 - Initial version

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: Vulnerabilities in the Linux kernel affect PowerKVM

Security Bulletin

Document information

More support for: PowerKVM

Software version: 3.1

Operating system(s): Linux

Reference #: 0716879

Modified date: 26 September 2018

Summary

PowerKVM is affected by vulnerabilities in the Linux kernel . IBM has now
addressed these vulnerabilities.

Vulnerability Details

CVEID: CVE-2017-15116
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by NULL
pointer dereference in the rngapi_reset function in crypto/rng.c. By sending a
specially-crafted packet, a remote attacker could exploit this vulnerability to
cause a denial of service condition.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
135735 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-12190
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an
out-of-memory condition in the bio_map_user_iov and bio_unmap_user functions in
block/bio.c. A local attacker could exploit this vulnerability to cause the
system to crash.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
135759 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-10881
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an
out-of-bound access in the ext4_get_group_info function. By mounting and
operating on a specially crafted ext4 filesystem image, a local attacker could
exploit this vulnerability to cause the system to crash.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
147820 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-6412
DESCRIPTION: Linux Kernel could allow a remote attacker to obtain sensitive
information, caused by an integer signedness error in the sbusfb_ioctl_helper
function in drivers/video/fbdev/sbuslib.c. By using vector related to the
FBIOPUTCMAP_SPARC and FBIOGETCMAP_SPARC commands, a remote attacker could
exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
138494 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2018-1093
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an
out-of-bounds read flaw in the ext4_valid_block_bitmap function in fs/ext4/
balloc.c. By persuading a victim to open a specially-crafted file, a remote
attacker could exploit this vulnerability to cause the system to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
141197 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-1092
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a
NULL pointer dereference flaw in the ext4_iget function in fs/ext4/inode.c. By
persuading a victim to open a specially-crafted file, a remote attacker could
exploit this vulnerability to cause the system to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
141196 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-1087
DESCRIPTION: Linux Kernel could allow a local attacker to gain elevated
privileges on the system, caused by the improper handling of exceptions
delivered after a stack switch operation using the MOV to SS and POP SS
instructions by the KVM hypervisor. An attacker could exploit this
vulnerability to gain elevated privileges or cause the guest to crash.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
142976 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-1068
DESCRIPTION: Linux Kernel could allow a local authenticated attacker to gain
elevated privileges on the system, caused by an error in the implementation of
32 bit syscall interface. An attacker could exploit this vulnerability to gain
root privileges on the system.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
140403 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2017-16939
DESCRIPTION: Linux Kernel could allow a remote attacker to gain elevated
privileges on the system, caused by an use-after-free in the Netlink socket
subsystem XFRM. By sending a specially-crafted request, an attacker could
exploit this vulnerability to gain privileges.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
135317 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

PowerKVM 3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. See https://ibm.biz/BdHggw. This
issue is addressed starting with v3.1.0.2 update 15.

Workarounds and Mitigations

none



Change History

10 July 2018 - Initial Version

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Security Bulletin: A vulnerability in PostgreSQL affects PowerKVM

Security Bulletin

Document information

More support for: PowerKVM

Software version: 3.1

Operating system(s): Linux

Reference #: 0730491

Modified date: 26 September 2018

Summary

PowerKVM is affected by a vulnerability in PostgreSQL. IBM has now addressed
this vulnerability.

Vulnerability Details

CVEID: CVE-2018-10915
DESCRIPTION: PostgreSQL could allow a remote attacker to bypass security
restrictions, caused by an issue with improperly resting internal state in
between connections in the libpq library. By sending a specially-crafted
request, an attacker could exploit this vulnerability to bypass client-side
connection security features.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
148225 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

PowerKVM v3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. See https://ibm.biz/BdHggw. This
issue is addressed starting with v3.1.0.2 update 15.

Workarounds and Mitigations

none



Change History

5 September 2018 - Initial Version

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: A vulnerability in Python affects PowerKVM

Security Bulletin

Document information

More support for: PowerKVM

Software version: 3.1

Operating system(s): Linux

Reference #: 0716905

Modified date: 26 September 2018

Summary

PowerKVM is affected by a vulnerability in Python. IBM has now addressed this
vulnerability.

Vulnerability Details

CVEID: CVE-2016-2183
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive
information, caused by an error in the DES/3DES cipher, used as a part of the
SSL/TLS protocol. By capturing large amounts of encrypted traffic between the
SSL/TLS server and the client, a remote attacker able to conduct a
man-in-the-middle attack could exploit this vulnerability to recover the
plaintext data and obtain sensitive information. This vulnerability is known as
the SWEET32 Birthday attack.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
116337 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

PowerKVM 3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. See https://ibm.biz/BdHggw. This
issue is addressed starting with v3.1.0.2 update 15.

This update modifies the Python SSL module to disable 3DES cipher suites by
default.

Workarounds and Mitigations

none



Change History

10 July 2018 - Initial Version

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: A vulnerability in git affects PowerKVM

Security Bulletin

Document information

More support for: PowerKVM

Software version: 3.1

Operating system(s): Linux

Reference #: 0716881

Modified date: 26 September 2018

Summary

PowerKVM is affected by a vulnerability in git. IBM has now addressed this
vulnerability.

Vulnerability Details

CVEID: CVE-2018-11235
DESCRIPTION: Git could allow a remote attacker to execute arbitrary code on the
system, caused by improper validation of submodule "names" supplied via the
untrusted .gitmodules file when appending them to the '$GIT_DIR/modules'
directory. By sending specially-crafted data, an attacker could exploit this
vulnerability to execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
144075 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

PowerKVM 3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. See https://ibm.biz/BdHggw. This
issue is addressed starting with v3.1.0.2 update 15.

Workarounds and Mitigations

none



Change History

10 July 2018 - Initial Version

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: A vulnerability in gnupg2 affects PowerKVM

Security Bulletin

Document information

More support for: PowerKVM

Software version: 3.1

Operating system(s): Linux

Reference #: 0720353

Modified date: 26 September 2018

Summary

PowerKVM is affected by a vulnerability in gnupg2. IBM has now addressed this
vulnerability.

Vulnerability Details

CVEID: CVE-2018-12020
DESCRIPTION: GnuPG could allow a remote attacker to conduct spoofing attacks,
caused by the improper handling of the original filename during decryption and
verification actions in mainproc.c. An attacker could exploit this
vulnerability to spoof the output that GnuPG sends on file descriptor 2 to
other programs that use the --status-fd 2 option.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
144556 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

PowerKVM v3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. See https://ibm.biz/BdHggw. This
issue is addressed starting with v3.1.0.2 update 15.

Workarounds and Mitigations

none



Change History

9 August 2018 - Initial Version

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: A vulnerability in policycoreutils affects PowerKVM

Security Bulletin

Document information

More support for: PowerKVM

Software version: 3.1

Operating system(s): Linux

Reference #: 0728473

Modified date: 26 September 2018

Summary

PowerKVM is affected by a vulnerability in policycoreutils. IBM has now
addressed this vulnerability.

Vulnerability Details

CVEID: CVE-2018-1063
DESCRIPTION: Policycoreutils could allow a local authenticated attacker to
launch a symlink attack. Context relabeling of filesystems creates temporary
files insecurely. A local attacker could exploit this vulnerability by creating
a symbolic link from a temporary file to various files on the system, which
could allow the attacker to overwrite arbitrary files on the system with
elevated privileges.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
139845 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

PowerKVM v3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. See https://ibm.biz/BdHggw. This
issue is addressed starting with v3.1.0.2 update 15.

Workarounds and Mitigations

none



Change History

20 August 2018 - Initial Version

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: A vulnerability in yum-utils affects PowerKVM

Security Bulletin

Document information

More support for: PowerKVM

Software version: 3.1

Operating system(s): Linux

Reference #: 0728307

Modified date: 26 September 2018

Summary

PowerKVM is affected by a vulnerability in yum-utils. IBM has now addressed
this vulnerability.

Vulnerability Details

CVEID: CVE-2018-10897
DESCRIPTION: reposync could allow a remote attacker to traverse directories on
the system, caused by the improper sanitation of paths in remote repository
configuration files. By persuading a victim to open a specially crafted file,
an attacker could exploit this vulnerability using path traversal to overwrite
critical system files and compromise the system.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
147685 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Affected Products and Versions

PowerKVM v3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. See https://ibm.biz/BdHggw. This
issue is addressed starting with v3.1.0.2 update 15.

Workarounds and Mitigations

none



Change History

19 August 2018 - Initial Version

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: PowerKVM has released fixes in response to the
vulnerabilities known as Foreshadow

Security Bulletin

Document information

More support for: PowerKVM

Software version: 3.1

Operating system(s): Linux

Reference #: 0733108

Modified date: 26 September 2018

Summary

PowerKVM is affected by vulnerabilities in the Linux kernel. IBM has now
addressed these vulnerabilities. Note that, although the CVE descriptions do
not reference POWER, POWER CPUs are afftected.

Vulnerability Details

CVEID: CVE-2018-3620
DESCRIPTION: Multiple Intel CPU''s could allow a local attacker to obtain
sensitive information, caused by a flaw in the CPU speculative branch
instruction execution feature. By conducting targeted cache side-channel
attacks and via a terminal page fault, an attacker could exploit this
vulnerability to leak information residing in the L1 data cache and read data
belonging to different security contexts. Note: This vulnerability is also
known as the "L1 Terminal Fault (L1TF)" or "Foreshadow" attack.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
148318 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

Affected Products and Versions

PowerKVM 3.1
 
Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. See https://ibm.biz/BdHggw. This
issue is addressed starting with v3.1.0.2 update 12.

Refer to the following reference URLs for remediation and additional
vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=isg3T1026853

Workarounds and Mitigations

none



Change History

10 July 2018 - Initial Version

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: Vulnerabilities in docker affect PowerKVM

Security Bulletin

Document information

More support for: PowerKVM

Software version: 3.1

Operating system(s): Linux

Reference #: 0725649

Modified date: 26 September 2018

Summary

PowerKVM is affected by vulnerabilities in docker. IBM has now addressed these
vulnerabilities.

Vulnerability Details

CVEID: CVE-2017-14992
DESCRIPTION: Docker-CE (Also known as Moby) is vulnerable to a denial of
service, caused by the lack of content verification. By using a
specially-crafted image layer payload, a remote attacker could exploit this
vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
134421 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-9962
DESCRIPTION: Docker Engine could allow a local authenticated attacker to gain
elevated privileges on the system, caused by an error in the RunC when running
as root. By using "runc exec", an attacker could exploit this vulnerability to
gain access to file-descriptors and escape or modify runC state.
CVSS Base Score: 7.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
120498 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

PowerKVM V3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. See https://ibm.biz/BdHggw. This
issue is addressed starting with v3.1.0.2 update 15.

Workarounds and Mitigations

none



Change History

10 August 2018 - Initial version

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: Vulnerabilities in glibc affect PowerKVM

Security Bulletin

Document information

More support for: PowerKVM

Software version: 3.1

Operating system(s): Linux

Reference #: 0716885

Modified date: 26 September 2018

Summary

PowerKVM is affected by vulnerabilities in the GNU C Library (aka glibc or
libc6). IBM has now addressed these vulnerabilities.

Vulnerability Details

CVEID: CVE-2018-1000001
DESCRIPTION: Glibc could allow a local attacker to execute arbitrary code on
the system, caused by a buffer underflow in the __realpath() function in stdlib
/canonicalize.c. An attacker could exploit this vulnerability to execute
arbitrary code on the system and obtain privileges.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
137516 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2017-15804
DESCRIPTION: GNU C Library (aka glibc or libc6) is vulnerable to a buffer
overflow, caused by improper bounds checking by glob function in glob.c. By
using a specially-crafted file, a local attacker could overflow a buffer.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
133996 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID: CVE-2017-15670
DESCRIPTION: GNU C Library is vulnerable to a heap-based buffer overflow,
caused by improper bounds checking by the glob function in glob.c. By sending a
specially-crafted string, a remote attacker could overflow a buffer and execute
arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
133915 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2017-12132
DESCRIPTION: GNU C Library (aka glibc or libc6) could allow a remote attacker
to conduct spoofing attacks, caused by a flaw in the DNS stub resolver. An
attacker could exploit this vulnerability to perform off-path DNS spoofing
attacks.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
129949 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2015-5180
DESCRIPTION: glibc is vulnerable to a denial of service, caused by a NULL
pointer dereference in the res_query function in libresolv. By using a
malformed pattern, a remote attacker could cause the process to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
130620 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2014-9402
DESCRIPTION: glibc is vulnerable to a denial of service, caused by an error in
the getanswer_r() function. If the DNS backend is activated, a remote attacker
could exploit this vulnerability to cause the application to enter into an
infinite loop.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
99289 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

Affected Products and Versions

PowerKVM v3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. See https://ibm.biz/BdHggw. This
issue is addressed starting with v3.1.0.2 update 15.

Workarounds and Mitigations

none

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

Reference

Complete CVSS v2 Guide
On-line Calculator v2

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

10 July 2018 - Initial version

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: Vulnerabilities in the Linux kernel affect PowerKVM

Security Bulletin

Document information

More support for: PowerKVM

Software version: 3.1

Operating system(s): Linux

Reference #: 0716879

Modified date: 26 September 2018

Summary

PowerKVM is affected by vulnerabilities in the Linux kernel . IBM has now
addressed these vulnerabilities.

Vulnerability Details

CVEID: CVE-2017-15116
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by NULL
pointer dereference in the rngapi_reset function in crypto/rng.c. By sending a
specially-crafted packet, a remote attacker could exploit this vulnerability to
cause a denial of service condition.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
135735 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-12190
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an
out-of-memory condition in the bio_map_user_iov and bio_unmap_user functions in
block/bio.c. A local attacker could exploit this vulnerability to cause the
system to crash.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
135759 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-10881
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an
out-of-bound access in the ext4_get_group_info function. By mounting and
operating on a specially crafted ext4 filesystem image, a local attacker could
exploit this vulnerability to cause the system to crash.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
147820 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-6412
DESCRIPTION: Linux Kernel could allow a remote attacker to obtain sensitive
information, caused by an integer signedness error in the sbusfb_ioctl_helper
function in drivers/video/fbdev/sbuslib.c. By using vector related to the
FBIOPUTCMAP_SPARC and FBIOGETCMAP_SPARC commands, a remote attacker could
exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
138494 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2018-1093
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an
out-of-bounds read flaw in the ext4_valid_block_bitmap function in fs/ext4/
balloc.c. By persuading a victim to open a specially-crafted file, a remote
attacker could exploit this vulnerability to cause the system to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
141197 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-1092
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a
NULL pointer dereference flaw in the ext4_iget function in fs/ext4/inode.c. By
persuading a victim to open a specially-crafted file, a remote attacker could
exploit this vulnerability to cause the system to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
141196 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-1087
DESCRIPTION: Linux Kernel could allow a local attacker to gain elevated
privileges on the system, caused by the improper handling of exceptions
delivered after a stack switch operation using the MOV to SS and POP SS
instructions by the KVM hypervisor. An attacker could exploit this
vulnerability to gain elevated privileges or cause the guest to crash.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
142976 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-1068
DESCRIPTION: Linux Kernel could allow a local authenticated attacker to gain
elevated privileges on the system, caused by an error in the implementation of
32 bit syscall interface. An attacker could exploit this vulnerability to gain
root privileges on the system.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
140403 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2017-16939
DESCRIPTION: Linux Kernel could allow a remote attacker to gain elevated
privileges on the system, caused by an use-after-free in the Netlink socket
subsystem XFRM. By sending a specially-crafted request, an attacker could
exploit this vulnerability to gain privileges.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
135317 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

PowerKVM 3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. See https://ibm.biz/BdHggw. This
issue is addressed starting with v3.1.0.2 update 15.

Workarounds and Mitigations

none



Change History

10 July 2018 - Initial Version

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Security Bulletin: A vulnerability in PostgreSQL affects PowerKVM

Security Bulletin

Document information

More support for: PowerKVM

Software version: 3.1

Operating system(s): Linux

Reference #: 0730491

Modified date: 26 September 2018

Summary

PowerKVM is affected by a vulnerability in PostgreSQL. IBM has now addressed
this vulnerability.

Vulnerability Details

CVEID: CVE-2018-10915
DESCRIPTION: PostgreSQL could allow a remote attacker to bypass security
restrictions, caused by an issue with improperly resting internal state in
between connections in the libpq library. By sending a specially-crafted
request, an attacker could exploit this vulnerability to bypass client-side
connection security features.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
148225 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

PowerKVM v3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. See https://ibm.biz/BdHggw. This
issue is addressed starting with v3.1.0.2 update 15.

Workarounds and Mitigations

none



Change History

5 September 2018 - Initial Version

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: A vulnerability in Python affects PowerKVM

Security Bulletin

Document information

More support for: PowerKVM

Software version: 3.1

Operating system(s): Linux

Reference #: 0716905

Modified date: 26 September 2018

Summary

PowerKVM is affected by a vulnerability in Python. IBM has now addressed this
vulnerability.

Vulnerability Details

CVEID: CVE-2016-2183
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive
information, caused by an error in the DES/3DES cipher, used as a part of the
SSL/TLS protocol. By capturing large amounts of encrypted traffic between the
SSL/TLS server and the client, a remote attacker able to conduct a
man-in-the-middle attack could exploit this vulnerability to recover the
plaintext data and obtain sensitive information. This vulnerability is known as
the SWEET32 Birthday attack.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
116337 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

PowerKVM 3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. See https://ibm.biz/BdHggw. This
issue is addressed starting with v3.1.0.2 update 15.

This update modifies the Python SSL module to disable 3DES cipher suites by
default.

Workarounds and Mitigations

none



Change History

10 July 2018 - Initial Version

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: A vulnerability in git affects PowerKVM

Security Bulletin

Document information

More support for: PowerKVM

Software version: 3.1

Operating system(s): Linux

Reference #: 0716881

Modified date: 26 September 2018

Summary

PowerKVM is affected by a vulnerability in git. IBM has now addressed this
vulnerability.

Vulnerability Details

CVEID: CVE-2018-11235
DESCRIPTION: Git could allow a remote attacker to execute arbitrary code on the
system, caused by improper validation of submodule "names" supplied via the
untrusted .gitmodules file when appending them to the '$GIT_DIR/modules'
directory. By sending specially-crafted data, an attacker could exploit this
vulnerability to execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
144075 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

PowerKVM 3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. See https://ibm.biz/BdHggw. This
issue is addressed starting with v3.1.0.2 update 15.

Workarounds and Mitigations

none



Change History

10 July 2018 - Initial Version

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: A vulnerability in gnupg2 affects PowerKVM

Security Bulletin

Document information

More support for: PowerKVM

Software version: 3.1

Operating system(s): Linux

Reference #: 0720353

Modified date: 26 September 2018

Summary

PowerKVM is affected by a vulnerability in gnupg2. IBM has now addressed this
vulnerability.

Vulnerability Details

CVEID: CVE-2018-12020
DESCRIPTION: GnuPG could allow a remote attacker to conduct spoofing attacks,
caused by the improper handling of the original filename during decryption and
verification actions in mainproc.c. An attacker could exploit this
vulnerability to spoof the output that GnuPG sends on file descriptor 2 to
other programs that use the --status-fd 2 option.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
144556 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

PowerKVM v3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. See https://ibm.biz/BdHggw. This
issue is addressed starting with v3.1.0.2 update 15.

Workarounds and Mitigations

none



Change History

9 August 2018 - Initial Version

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: A vulnerability in policycoreutils affects PowerKVM

Security Bulletin

Document information

More support for: PowerKVM

Software version: 3.1

Operating system(s): Linux

Reference #: 0728473

Modified date: 26 September 2018

Summary

PowerKVM is affected by a vulnerability in policycoreutils. IBM has now
addressed this vulnerability.

Vulnerability Details

CVEID: CVE-2018-1063
DESCRIPTION: Policycoreutils could allow a local authenticated attacker to
launch a symlink attack. Context relabeling of filesystems creates temporary
files insecurely. A local attacker could exploit this vulnerability by creating
a symbolic link from a temporary file to various files on the system, which
could allow the attacker to overwrite arbitrary files on the system with
elevated privileges.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
139845 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

PowerKVM v3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. See https://ibm.biz/BdHggw. This
issue is addressed starting with v3.1.0.2 update 15.

Workarounds and Mitigations

none



Change History

20 August 2018 - Initial Version

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: A vulnerability in yum-utils affects PowerKVM

Security Bulletin

Document information

More support for: PowerKVM

Software version: 3.1

Operating system(s): Linux

Reference #: 0728307

Modified date: 26 September 2018

Summary

PowerKVM is affected by a vulnerability in yum-utils. IBM has now addressed
this vulnerability.

Vulnerability Details

CVEID: CVE-2018-10897
DESCRIPTION: reposync could allow a remote attacker to traverse directories on
the system, caused by the improper sanitation of paths in remote repository
configuration files. By persuading a victim to open a specially crafted file,
an attacker could exploit this vulnerability using path traversal to overwrite
critical system files and compromise the system.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
147685 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Affected Products and Versions

PowerKVM v3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. See https://ibm.biz/BdHggw. This
issue is addressed starting with v3.1.0.2 update 15.

Workarounds and Mitigations

none



Change History

19 August 2018 - Initial Version

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: PowerKVM has released fixes in response to the
vulnerabilities known as Foreshadow

Security Bulletin

Document information

More support for: PowerKVM

Software version: 3.1

Operating system(s): Linux

Reference #: 0733108

Modified date: 26 September 2018

Summary

PowerKVM is affected by vulnerabilities in the Linux kernel. IBM has now
addressed these vulnerabilities. Note that, although the CVE descriptions do
not reference POWER, POWER CPUs are afftected.

Vulnerability Details

CVEID: CVE-2018-3620
DESCRIPTION: Multiple Intel CPU''s could allow a local attacker to obtain
sensitive information, caused by a flaw in the CPU speculative branch
instruction execution feature. By conducting targeted cache side-channel
attacks and via a terminal page fault, an attacker could exploit this
vulnerability to leak information residing in the L1 data cache and read data
belonging to different security contexts. Note: This vulnerability is also
known as the "L1 Terminal Fault (L1TF)" or "Foreshadow" attack.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
148318 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

Affected Products and Versions

PowerKVM 3.1
 
Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. See https://ibm.biz/BdHggw. This
issue is addressed starting with v3.1.0.2 update 12.

Refer to the following reference URLs for remediation and additional
vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=isg3T1026853

Workarounds and Mitigations

none



Change History

10 July 2018 - Initial Version

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: Vulnerabilities in docker affect PowerKVM

Security Bulletin

Document information

More support for: PowerKVM

Software version: 3.1

Operating system(s): Linux

Reference #: 0725649

Modified date: 26 September 2018

Summary

PowerKVM is affected by vulnerabilities in docker. IBM has now addressed these
vulnerabilities.

Vulnerability Details

CVEID: CVE-2017-14992
DESCRIPTION: Docker-CE (Also known as Moby) is vulnerable to a denial of
service, caused by the lack of content verification. By using a
specially-crafted image layer payload, a remote attacker could exploit this
vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
134421 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-9962
DESCRIPTION: Docker Engine could allow a local authenticated attacker to gain
elevated privileges on the system, caused by an error in the RunC when running
as root. By using "runc exec", an attacker could exploit this vulnerability to
gain access to file-descriptors and escape or modify runC state.
CVSS Base Score: 7.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
120498 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

PowerKVM V3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. See https://ibm.biz/BdHggw. This
issue is addressed starting with v3.1.0.2 update 15.

Workarounds and Mitigations

none



Change History

10 August 2018 - Initial version

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: Vulnerabilities in glibc affect PowerKVM

Security Bulletin

Document information

More support for: PowerKVM

Software version: 3.1

Operating system(s): Linux

Reference #: 0716885

Modified date: 26 September 2018

Summary

PowerKVM is affected by vulnerabilities in the GNU C Library (aka glibc or
libc6). IBM has now addressed these vulnerabilities.

Vulnerability Details

CVEID: CVE-2018-1000001
DESCRIPTION: Glibc could allow a local attacker to execute arbitrary code on
the system, caused by a buffer underflow in the __realpath() function in stdlib
/canonicalize.c. An attacker could exploit this vulnerability to execute
arbitrary code on the system and obtain privileges.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
137516 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2017-15804
DESCRIPTION: GNU C Library (aka glibc or libc6) is vulnerable to a buffer
overflow, caused by improper bounds checking by glob function in glob.c. By
using a specially-crafted file, a local attacker could overflow a buffer.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
133996 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID: CVE-2017-15670
DESCRIPTION: GNU C Library is vulnerable to a heap-based buffer overflow,
caused by improper bounds checking by the glob function in glob.c. By sending a
specially-crafted string, a remote attacker could overflow a buffer and execute
arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
133915 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2017-12132
DESCRIPTION: GNU C Library (aka glibc or libc6) could allow a remote attacker
to conduct spoofing attacks, caused by a flaw in the DNS stub resolver. An
attacker could exploit this vulnerability to perform off-path DNS spoofing
attacks.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
129949 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2015-5180
DESCRIPTION: glibc is vulnerable to a denial of service, caused by a NULL
pointer dereference in the res_query function in libresolv. By using a
malformed pattern, a remote attacker could cause the process to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
130620 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2014-9402
DESCRIPTION: glibc is vulnerable to a denial of service, caused by an error in
the getanswer_r() function. If the DNS backend is activated, a remote attacker
could exploit this vulnerability to cause the application to enter into an
infinite loop.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
99289 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

Affected Products and Versions

PowerKVM v3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. See https://ibm.biz/BdHggw. This
issue is addressed starting with v3.1.0.2 update 15.

Workarounds and Mitigations

none

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

10 July 2018 - Initial version

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------------------------------------------------------------

Security Bulletin: Vulnerabilities in the Linux kernel affect PowerKVM

Security Bulletin

Document information

More support for: PowerKVM

Software version: 3.1

Operating system(s): Linux

Reference #: 0716879

Modified date: 26 September 2018

Summary

PowerKVM is affected by vulnerabilities in the Linux kernel . IBM has now
addressed these vulnerabilities.

Vulnerability Details

CVEID: CVE-2017-15116
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by NULL
pointer dereference in the rngapi_reset function in crypto/rng.c. By sending a
specially-crafted packet, a remote attacker could exploit this vulnerability to
cause a denial of service condition.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
135735 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-12190
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an
out-of-memory condition in the bio_map_user_iov and bio_unmap_user functions in
block/bio.c. A local attacker could exploit this vulnerability to cause the
system to crash.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
135759 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-10881
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an
out-of-bound access in the ext4_get_group_info function. By mounting and
operating on a specially crafted ext4 filesystem image, a local attacker could
exploit this vulnerability to cause the system to crash.
CVSS Base Score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
147820 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-6412
DESCRIPTION: Linux Kernel could allow a remote attacker to obtain sensitive
information, caused by an integer signedness error in the sbusfb_ioctl_helper
function in drivers/video/fbdev/sbuslib.c. By using vector related to the
FBIOPUTCMAP_SPARC and FBIOGETCMAP_SPARC commands, a remote attacker could
exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
138494 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2018-1093
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an
out-of-bounds read flaw in the ext4_valid_block_bitmap function in fs/ext4/
balloc.c. By persuading a victim to open a specially-crafted file, a remote
attacker could exploit this vulnerability to cause the system to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
141197 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-1092
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a
NULL pointer dereference flaw in the ext4_iget function in fs/ext4/inode.c. By
persuading a victim to open a specially-crafted file, a remote attacker could
exploit this vulnerability to cause the system to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
141196 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-1087
DESCRIPTION: Linux Kernel could allow a local attacker to gain elevated
privileges on the system, caused by the improper handling of exceptions
delivered after a stack switch operation using the MOV to SS and POP SS
instructions by the KVM hypervisor. An attacker could exploit this
vulnerability to gain elevated privileges or cause the guest to crash.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
142976 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-1068
DESCRIPTION: Linux Kernel could allow a local authenticated attacker to gain
elevated privileges on the system, caused by an error in the implementation of
32 bit syscall interface. An attacker could exploit this vulnerability to gain
root privileges on the system.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
140403 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2017-16939
DESCRIPTION: Linux Kernel could allow a remote attacker to gain elevated
privileges on the system, caused by an use-after-free in the Netlink socket
subsystem XFRM. By sending a specially-crafted request, an attacker could
exploit this vulnerability to gain privileges.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
135317 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

PowerKVM 3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. See https://ibm.biz/BdHggw. This
issue is addressed starting with v3.1.0.2 update 15.

Workarounds and Mitigations

none

Change History

10 July 2018 - Initial Version

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW6xfLGaOgq3Tt24GAQjTxRAAmBWrlGp6ULV5d/wWxF6UwL6DtvdrYWJT
LF5IFIg9VGEsvuleplgEMpUbr/VFCG3c97Ih+xbAWYMnENG/Bl+nHI0/lhYPuyX0
VP1Bj8cqm2mlsMbpNYkNyKQ/ywlBp7fIDD35oGjH9wnnn+4OvI61bTnudgpAh5BK
mdSRiYspsFja8hgIONLW4GSgaKd9bX7O7YjGznYdqTuBtTkj9bTgVPLvSLCuwP4O
e5UzfjOJrY6aEB5p92WJ0uq0UshirUTaqDxUOZes5sUJ35Max7Pp3uaw1qUIvfQf
kCXoccJmtIsXUrCWBowa2e0jufXTjxE39rdAP0vMEcjUVTb6lhg9aF1U228X0/WE
ROgI9qqSwbYXwVD+00lhvildrLzSMX3hXhGOtPdzehFz4dXDajcG16KNNYiE7fLv
rtYGMlEcfjzg1llfoPCLTgw2vPF9EUHC8KjBdtntE37W+1n2b5tLjcTFWcxLWH+j
9kbN2anKIFDmJUFQbSM+w5UYRTm7vOZI0cjgC0pBd4BAIaZavTl8oDQhe1Vfgx7z
MFDfPh5iJXmHZQpMOl7eH37poLsv95osP9HDAQGtQt7K+40xZI91ydASlrs5hSnm
AlaQpBuDTJIFedHnsBeKk5oC6NQ2VpwLlwIEzP6Fn46OkMPKEQynLxJ5qbL5joET
31KajXicvzE=
=tJTE
-----END PGP SIGNATURE-----

« Back to bulletins