===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2015.0137
PowerKVM Multiple vulnerabilities
21 January 2015
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           IBM PowerKVM
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Root Compromise                 -- Existing Account
                   Access Privileged Data          -- Remote/Unauthenticated
                   Increased Privileges            -- Existing Account
                   Overwrite Arbitrary Files       -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Unauthorised Access             -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-9130 CVE-2014-9087 CVE-2014-8884 CVE-2014-8769 CVE-2014-8767
                   CVE-2014-8709 CVE-2014-8369 CVE-2014-8106 CVE-2014-7975 CVE-2014-7970
                   CVE-2014-7841 CVE-2014-7826 CVE-2014-7825 CVE-2014-7824 CVE-2014-7823
                   CVE-2014-7815 CVE-2014-7283 CVE-2014-7145 CVE-2014-6418 CVE-2014-6417
                   CVE-2014-6416 CVE-2014-6410 CVE-2014-5388 CVE-2014-5077 CVE-2014-5031
                   CVE-2014-5030 CVE-2014-5029 CVE-2014-4943 CVE-2014-4877 CVE-2014-4667
                   CVE-2014-4656 CVE-2014-4655 CVE-2014-4654 CVE-2014-4653 CVE-2014-4652
                   CVE-2014-4650 CVE-2014-4607 CVE-2014-4171 CVE-2014-4014 CVE-2014-3917
                   CVE-2014-3689 CVE-2014-3687 CVE-2014-3673 CVE-2014-3660 CVE-2014-3640
                   CVE-2014-3639 CVE-2014-3638 CVE-2014-3637 CVE-2014-3636 CVE-2014-3635
                   CVE-2014-3537 CVE-2014-3186 CVE-2014-3185 CVE-2014-3184 CVE-2014-3183
                   CVE-2014-3182 CVE-2014-3181 CVE-2014-0206 CVE-2014-0181 CVE-2013-6399
                   CVE-2013-4542 CVE-2013-4540 CVE-2013-4539 CVE-2013-4538 CVE-2013-4536
                   CVE-2013-4535 CVE-2013-4533 CVE-2013-4531 CVE-2013-4530 CVE-2013-4529
                   CVE-2013-4527 CVE-2013-4526 CVE-2013-4151 CVE-2013-4150 CVE-2013-4148
Reference:         ESB-2015.0093 ESB-2015.0018 ESB-2015.0003 ESB-2014.2341
                   ESB-2014.2275 ESB-2014.1333 ESB-2014.1239 ESB-2014.1208
Original Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=isg3T1021961
http://www-01.ibm.com/support/docview.wss?uid=isg3T1021964
http://www-01.ibm.com/support/docview.wss?uid=isg3T1021943
http://www-01.ibm.com/support/docview.wss?uid=isg3T1021954
http://www-01.ibm.com/support/docview.wss?uid=isg3T1021951
http://www-01.ibm.com/support/docview.wss?uid=isg3T1021952
http://www-01.ibm.com/support/docview.wss?uid=isg3T1021950
http://www-01.ibm.com/support/docview.wss?uid=isg3T1021963
http://www-01.ibm.com/support/docview.wss?uid=isg3T1021958
http://www-01.ibm.com/support/docview.wss?uid=isg3T1021949
http://www-01.ibm.com/support/docview.wss?uid=isg3T1021955
http://www-01.ibm.com/support/docview.wss?uid=isg3T1021953
http://www-01.ibm.com/support/docview.wss?uid=isg3T1021956

Comment: This bulletin contains thirteen (13) IBM security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: PowerKVM LibYAML Vulnerability - CVE-2014-9130

Document information

More support for: PowerKVM
Software version: 2.1
Operating system(s): Linux
Software edition: KVM
Reference #: T1021961
Modified date: 2015-01-20

Security Bulletin

Summary

PowerKVM's LibYAML and the perl YAML-LibYAML module are vulnerable to a denial of service attack.

Vulnerability Details

CVEID: CVE-2014-9130
DESCRIPTION: LibYAML and the perl YAML-LibYAML module are vulnerable to a denial of service, caused by an error in the scanner.c file. A remote attacker could exploit this vulnerability using a specially-crafted yaml file to trigger an assertion failure.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99047 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

Effective CVSS Score: 4.30

Affected Products and Versions

PowerKVM 2.1

Remediation/Fixes

Fix is made available via Fix Central https://ibm.biz/BdEnT8 in fix pack "ibm-powerkvm-updates-2.1.1.0-33.0" and all later fix packs.
See the README at https://ibm.biz/BdEnTL for prerequisite fixes and instructions.

Workarounds and Mitigations

none

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS Guide
On-line Calculator V2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

none

Change History

January 8, 2015 - Original Version Published
January 15, 2015 - Updated summary and CVSS details

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

--------------------------------------------------------------------------

Security Bulletin: PowerKVM CUPS Vulnerabilities: Multiple CVEs

Document information

More support for: PowerKVM
Software version: 2.1
Operating system(s): Linux
Software edition: KVM
Reference #: T1021964
Modified date: 2015-01-20

Security Bulletin

Summary

PowerKVM has four local and remote CUPS vulnerabilities.

Vulnerability Details

CVEID: CVE-2014-5029
DESCRIPTION: CUPS could allow a local attacker to gain elevated privileges on the system, caused by an incomplete fix related to a symlink attack.
A local attacker with lp group privileges could exploit this vulnerability by creating a symbolic link from /var/cache/cups/rss/ to a local target file and then sending a request to the Web interface using the rss/ web resource, which could allow the attacker to view arbitrary files on the system with elevated privileges.
CVSS Base Score: 4.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94805 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-5030
DESCRIPTION: CUPS could allow a local attacker to gain elevated privileges on the system, caused by an incomplete fix related to a symlink attack. A local attacker with lp group privileges could exploit this vulnerability by creating a symbolic link from /var/cache/cups/rss/ to a local target file and then sending a request to the Web interface using the rss/ web resource, which could allow the attacker to view arbitrary files on the system with elevated privileges.
CVSS Base Score: 4.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94806 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-5031
DESCRIPTION: CUPS could allow a local attacker to gain elevated privileges on the system, caused by an incomplete fix related to a symlink attack. A local attacker with lp group privileges could exploit this vulnerability by creating a symbolic link from /var/cache/cups/rss/ to a local target file and then sending a request to the Web interface using the rss/ web resource, which could allow the attacker to view arbitrary files on the system with elevated privileges.
CVSS Base Score: 4.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94807 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-3537
DESCRIPTION: CUPS could allow a local attacker to gain elevated privileges on the system, caused by an error in the get_file() function. A local attacker with lp group privileges could exploit this vulnerability by creating a symbolic link from /var/cache/cups/rss/ to a local target file and then sending a request to the Web interface using the rss/ web resource, which could allow the attacker to view arbitrary files on the system with elevated privileges.
CVSS Base Score: 4.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94749 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:P/I:P/A:P)

Effective CVSS Score: 4.40

Affected Products and Versions

PowerKVM 2.1

Remediation/Fixes

Fix is made available via Fix Central https://ibm.biz/BdEnT8 in fix pack "ibm-powerkvm-updates-2.1.1.0-33.0" and all later fix packs. See the README at https://ibm.biz/BdEnTL for prerequisite fixes and instructions.

Workarounds and Mitigations

none

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS Guide
On-line Calculator V2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

none

Change History

January 9, 2015 - Original Version Published
January 15, 2015 - Updated summary and CVSS details

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

---------------------------------------------------------------------------

Security Bulletin: PowerKVM Kernel Vulnerabilities - Multiple CVEs

Document information

More support for: PowerKVM
Software version: 2.1
Operating system(s): Linux
Software edition: KVM
Reference #: T1021943
Modified date: 2015-01-20

Security Bulletin

Summary

There are 36 kernel vulnerabilities from 2014 in PowerKVM.

Vulnerability Details

CVEID: CVE-2014-4014
DESCRIPTION: Linux Kernel could allow a local attacker to gain elevated privileges on the system, caused by an error in the inode_capable() function. An attacker could exploit this vulnerability to execute arbitrary code on the system with kernel-level privileges.
CVSS Base Score: 7.2
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93767 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-4655
DESCRIPTION: Linux Kernel is vulnerable to a buffer overflow, caused by improper bounds checking by sound/core/control.c. By sending an overly long argument, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 4.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94101 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-3181
DESCRIPTION: Linux Kernel is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the magicmouse_raw_event function within the Magic Mouse HID driver. By sending an overly long string, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.2
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/95927 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-5077
DESCRIPTION: Linux Kernel is vulnerable to a denial of service caused by a NULL pointer dereference in the sctp_assoc_update() function on systems with SCTP authentication enabled. By sending specially-crafted SCTP data, a remote attacker could exploit this vulnerability to cause the system kernel to crash.
CVSS Base Score: 7.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/95134 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

CVEID: CVE-2014-7825
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an out-of-bounds memory access error in trace_syscalls.c. A local attacker could exploit this vulnerability to cause the system to crash.
CVSS Base Score: 4.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/98557 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:N/I:N/A:C)

CVEID: CVE-2014-3917
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an error in the audit_filter_syscall() function. A local attacker could exploit this vulnerability to cause the kernel to crash.
CVSS Base Score: 4.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93437 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:N/I:N/A:C)

CVEID: CVE-2014-4656
DESCRIPTION: Linux Kernel is vulnerable to a buffer overflow, caused by improper bounds checking by the snd_ctl_add() and snd_ctl_remove_numid_conflict() functions. By sending an overly long argument, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 4.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94100 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-6410
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an error when processing indirect ICBs. A local attacker could exploit this vulnerability to cause the system to enter into an infinite loop.
CVSS Base Score: 4.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/95963 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:N/I:N/A:C)

CVEID: CVE-2014-3182
DESCRIPTION: Linux Kernel is vulnerable to a buffer overflow, caused by improper bounds checking by the logi_dj_recv_destroy_djhid_device function. By sending an overly long string, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.2
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/95928 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-7283
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an error in the xfs_da3_fixhashpath() function when ordering directory hashes. By creating directories, a local attacker could exploit this vulnerability to cause a kernel panic.
CVSS Base Score: 4.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/96836 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:N/I:N/A:C)

CVEID: CVE-2014-7826
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an out-of-bounds memory access error in trace_syscalls.c. A local attacker could exploit this vulnerability to cause the system to crash.
CVSS Base Score: 4.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/98556 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:N/I:N/A:C)

CVEID: CVE-2014-0181
DESCRIPTION: Linux Kernel could allow a local attacker to bypass security restrictions, caused by the failure to provide a mechanism for authorizing socket operations by the Netlink implementation. By using a Netlink socket for the stdout or stderr of a setuid program, an attacker could exploit this vulnerability to bypass restrictions and modify network configurations.
CVSS Base Score: 2.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92890 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-4667
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an error in the sctp_association_free() function when handling a COOKIE_ECHO chunk in an SCTP packet. By sending a specially-crafted SCTP packet, an attacker could exploit this vulnerability to block connections to the sctp server.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94106 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2014-6416
DESCRIPTION: Linux Kernel libceph is vulnerable to a buffer overflow, caused by improper bounds checking by the auth ticket size.
By sending an overly large amount of tickets, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause a denial of service.
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/95964 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-3183
DESCRIPTION: Linux Kernel is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the logi_dj_ll_raw_request() function. By sending an overly long string, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.2
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/95929 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-7970
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an error in the VFS filesystem pivot_root() function. A local attacker could exploit this vulnerability to cause the system to crash.
CVSS Base Score: 4.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/96921 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:N/I:N/A:C)

CVEID: CVE-2014-3687
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an error when sctp stack receives duplicate ASCONF chunks. A remote attacker could exploit this vulnerability to cause a kernel panic.
CVSS Base Score: 7.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/98310 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVEID: CVE-2014-4652
DESCRIPTION: Linux Kernel could allow a local attacker to obtain sensitive information, caused by a race condition in the tlv handler functionality in the snd_ctl_elem_user_tlv function.
By leveraging /dev/snd/controlCX access, an attacker could exploit this vulnerability to obtain kernel memory.
CVSS Base Score: 4.7
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94412 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:N/A:N)

CVEID: CVE-2014-0206
DESCRIPTION: Linux Kernel could allow a local attacker to obtain sensitive information, caused by the failure to properly sanitize AIO ring head by the aio_read_events_ring() function. An attacker could exploit this vulnerability to obtain kernel information.
CVSS Base Score: 4.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93944 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:C/I:N/A:N)

CVEID: CVE-2014-6417
DESCRIPTION: Linux Kernel libceph is vulnerable to a denial of service, caused by the improper handling of kmalloc failures. An attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/95965 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2014-3184
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by multiple off-by-one errors in report descriptor size checking. By sending an overly long string, a local attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 4.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/95930 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:N/I:N/A:C)

CVEID: CVE-2014-7975
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an error in do_umount function in fs/namespace.c. A local attacker could exploit this vulnerability using a umount call to cause the file system to become inaccessible.
CVSS Base Score: 4.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/96994 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:N/I:N/A:C)

CVEID: CVE-2014-3673
DESCRIPTION: Linux Kernel is vulnerable to a denial of service. By sending specially-crafted ASCONF chunks to SCTP, a remote attacker could exploit this vulnerability to cause a kernel panic.
CVSS Base Score: 7.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/98489 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVEID: CVE-2014-4653
DESCRIPTION: Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a use-after-free error in the sound/core/control.c. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 4.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94099 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-4171
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an error in the shmem_fallocate() function. A local attacker could exploit this vulnerability to cause the kernel to hang.
CVSS Base Score: 4.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93870 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:N/I:N/A:C)

CVEID: CVE-2014-6418
DESCRIPTION: Linux Kernel libceph is vulnerable to a denial of service, caused by missing validation of the auth reply. An attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/95966 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2014-3185
DESCRIPTION: Linux Kernel is vulnerable to a buffer overflow, caused by improper bounds checking by the command_port_read_callback function within the whiteheat USB driver. By sending an overly long string, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.2
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/95931 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-8709
DESCRIPTION: Linux Kernel could allow a remote attacker to obtain sensitive information, caused by the failure to properly maintain a certain tail pointer by the ieee80211_fragment function. By reading packets, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/98922 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-8884
DESCRIPTION: Linux Kernel is vulnerable to a buffer overflow, caused by improper bounds checking by the ttusbdecfe.c DVB-T usb driver. By sending an overly long argument, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 4.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/98690 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-4654
DESCRIPTION: Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a use-after-free error in the snd_ctl_elem_add() function. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 4.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94098 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-4943
DESCRIPTION: Linux Kernel could allow a local attacker to gain elevated privileges on the system, caused by an error in the pppol2tp_setsockopt() and pppol2tp_getsockopt() functions when CONFIG_PPPOL2TP is enabled. An attacker could exploit this vulnerability to gain root privileges on the system.
CVSS Base Score: 6.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94665 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-7145
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in SMB2_tcon. A remote attacker could exploit this vulnerability to cause the kernel to crash.
CVSS Base Score: 7.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/96025 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVEID: CVE-2014-3186
DESCRIPTION: Linux Kernel is vulnerable to a buffer overflow, caused by improper bounds checking by the PicoLCD HID device driver. By sending an overly long string, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.2
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/95932 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-8369
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an incomplete fix related to an incorrect third parameter of kvm_unpin_pages() when called from kvm_iommu_map_pages(). A remote attacker from within the local network could exploit this vulnerability to corrupt the OS memory and cause a denial of service.
CVSS Base Score: 3.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97755 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:A/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2014-7841
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in the SCTP server. By sending a specially-crafted SCTP packet, an attacker could exploit this vulnerability to cause the system to crash.
CVSS Base Score: 7.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/98659 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

Effective CVSS Score: 7.80

Affected Products and Versions

PowerKVM 2.1

Remediation/Fixes

Fix is made available via Fix Central https://ibm.biz/BdEnT8 in fix pack "ibm-powerkvm-updates-2.1.1.0-33.0" and all later fix packs. See the README at https://ibm.biz/BdEnTL for prerequisite fixes and instructions.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS Guide
On-line Calculator V2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

None

Change History

January 8, 2015 - Original Version Published
January 15, 2015 - Updated summary and CVSS details
January 19, 2014 - Address the deficiency that the summary was not a complete sentence.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

---------------------------------------------------------------------------

Security Bulletin: PowerKVM wget Vulnerability - CVE-2014-4877

Document information

More support for: PowerKVM
Software version: 2.1
Operating system(s): Linux
Software edition: KVM
Reference #: T1021954
Modified date: 2015-01-20

Security Bulletin

Summary

In PowerKVM, GNU Wget could allow a remote attacker to launch a symlink attack.

Vulnerability Details

CVEID: CVE-2014-4877
DESCRIPTION: GNU Wget could allow a remote attacker to launch a symlink attack. Temporary files are created insecurely. A remote attacker could exploit this vulnerability by creating a symbolic link from a temporary file to various files on the system, which could allow the attacker to overwrite arbitrary files and possibly execute arbitrary code on the system.
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97778 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Effective CVSS Score: 6.80

Affected Products and Versions

PowerKVM 2.1

Remediation/Fixes

Fix is made available via Fix Central https://ibm.biz/BdEnT8 in fix pack "ibm-powerkvm-updates-2.1.1.0-33.0" and all later fix packs. See the README at https://ibm.biz/BdEnTL for prerequisite fixes and instructions.
Workarounds and Mitigations

none

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS Guide
On-line Calculator V2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

none

Change History

January 8, 2015 - Original Version Published
January 15, 2015 - Updated summary and CVSS details

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

---------------------------------------------------------------------------

Security Bulletin: PowerKVM libxml2 Vulnerability - CVE-2014-3660

Document information

More support for: PowerKVM
Software version: 2.1
Operating system(s): Linux
Software edition: KVM
Reference #: T1021951
Modified date: 2015-01-20

Security Bulletin

Summary

PowerKVM is vulnerable to libxml2 variants of the billion laughs DoS attack.

Vulnerability Details

CVEID: CVE-2014-3660
DESCRIPTION: Libxml2 is vulnerable to a denial of service, caused by the expansion of recursive entities. A remote attacker could exploit this vulnerability using a specially-crafted XML document processed by an application using libxml2 to consume all available CPU resources.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97656 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Effective CVSS Score: 5.00

Affected Products and Versions

PowerKVM 2.1

Remediation/Fixes

Fix is made available via Fix Central https://ibm.biz/BdEnT8 in fix pack "ibm-powerkvm-updates-2.1.1.0-33.0" and all later fix packs. See the README at https://ibm.biz/BdEnTL for prerequisite fixes and instructions.

Workarounds and Mitigations

none

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS Guide
On-line Calculator V2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

none

Change History

January 8, 2015 - Original Version Published
January 15, 2015 - Updated summary and CVSS details

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- ----------------------------------------------------------------------------

Security Bulletin: PowerKVM libksba Vulnerability - CVE-2014-9087

Document information

More support for: PowerKVM
Software version: 2.1
Operating system(s): Linux
Software edition: KVM
Reference #: T1021952
Modified date: 2015-01-20

Security Bulletin Summary

Libksba in PowerKVM is vulnerable to a buffer overflow.

Vulnerability Details

CVEID: CVE-2014-9087
DESCRIPTION: Libksba is vulnerable to a buffer overflow, caused by improper bounds checking by the ksba_oid_to_str() function. By sending a specially-crafted S/MIME message or ECC based OpenPGP data, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/98935 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Affected Products and Versions

PowerKVM 2.1

Remediation/Fixes

Fix is made available via Fix Central https://ibm.biz/BdEnT8 in fix pack "ibm-powerkvm-updates-2.1.1.0-33.0" and all later fix packs. See the README at https://ibm.biz/BdEnTL for prerequisite fixes and instructions.

Workarounds and Mitigations

none

Acknowledgement

none

Change History

January 8, 2015 - Original Version Published
January 15, 2015 - Updated summary and CVSS details
- ----------------------------------------------------------------------------

Security Bulletin: PowerKVM Vulnerability - Python CGIHTTPServer module

Document information

More support for: PowerKVM
Software version: 2.1
Operating system(s): Linux
Software edition: KVM
Reference #: T1021950
Modified date: 2015-01-20

Security Bulletin Summary

PowerKVM CGIHTTPServer module does not properly handle URL-encoded path separators in URLs.

Vulnerability Details

CVEID: CVE-2014-4650
DESCRIPTION: Python CGIHTTPServer module could allow a remote attacker to obtain sensitive information, caused by the failure to properly handle URL-encoded path separators in URLs. An attacker could exploit this vulnerability to obtain the source code of CGI scripts.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93932 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Effective CVSS Score: 5.00

Affected Products and Versions

PowerKVM 2.1

Remediation/Fixes

Fix is made available via Fix Central https://ibm.biz/BdEnT8 in fix pack "ibm-powerkvm-updates-2.1.1.0-33.0" and all later fix packs. See the README at https://ibm.biz/BdEnTL for prerequisite fixes and instructions.

Workarounds and Mitigations

none
Acknowledgement

none

Change History

January 8, 2015 - Original Version Published
January 15, 2015 - Updated summary and CVSS details

- -----------------------------------------------------------------------------

Security Bulletin: PowerKVM libvirt Vulnerability: CVE-2014-7823

Document information

More support for: PowerKVM
Software version: 2.1
Operating system(s): Linux
Software edition: KVM
Reference #: T1021963
Modified date: 2015-01-20

Security Bulletin Summary

PowerKVM has a libvirt vulnerability that lets a remote attacker obtain the VNC password.

Vulnerability Details

CVEID: CVE-2014-7823
DESCRIPTION: Libvirt could allow a remote attacker to obtain sensitive information. By leveraging the virDomainGetXMLDesc API with the VIR_DOMAIN_XML_MIGRATABLE flag added, a remote attacker could exploit this vulnerability to obtain the VNC password.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/98807 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Effective CVSS Score: 5.00

Affected Products and Versions

PowerKVM 2.1

Remediation/Fixes

Fix is made available via Fix Central https://ibm.biz/BdEnT8 in fix pack "ibm-powerkvm-updates-2.1.1.0-33.0" and all later fix packs. See the README at https://ibm.biz/BdEnTL for prerequisite fixes and instructions.

Workarounds and Mitigations

none

Acknowledgement

none

Change History

January 8, 2015 - Original Version Published
January 15, 2015 - Updated summary and CVSS details
- -------------------------------------------------------------------------

Security Bulletin: PowerKVM grub2 vulnerability: CVE-2014-4607

Document information

More support for: PowerKVM
Software version: 2.1
Operating system(s): Linux
Software edition: KVM
Reference #: T1021958
Modified date: 2015-01-20

Security Bulletin Summary

In PowerKVM grub2, Oberhumer LZO could allow a remote attacker to execute arbitrary code on the system.

Vulnerability Details

CVEID: CVE-2014-4607
DESCRIPTION: Oberhumer LZO could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in the lzo1x_decompress_safe() function when processing zero bytes. An attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service.
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94014 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Effective CVSS Score: 7.50

Affected Products and Versions

PowerKVM 2.1

Remediation/Fixes

Fix is made available via Fix Central https://ibm.biz/BdEnT8 in fix pack "ibm-powerkvm-updates-2.1.1.0-33.0" and all later fix packs. See the README at https://ibm.biz/BdEnTL for prerequisite fixes and instructions.

Workarounds and Mitigations

none

Acknowledgement

none

Change History

January 8, 2015 - Original Version Published
January 15, 2015 - Updated summary and CVSS details
- --------------------------------------------------------------------------

Security Bulletin: PowerKVM Qemu Cirrus Driver Vulnerability - CVE-2014-8106

Document information

More support for: PowerKVM
Software version: 2.1
Operating system(s): Linux
Software edition: KVM
Reference #: T1021949
Modified date: 2015-01-20

Security Bulletin Summary

PowerKVM has a Qemu security bypass risk due to improper Cirrus driver blit region checks.

Vulnerability Details

CVEID: CVE-2014-8106
DESCRIPTION: QEMU could allow a remote attacker to bypass security restrictions, caused by improper Cirrus blit region checks within cirrus_vga.c. An attacker could exploit this vulnerability to write outside of vram allocated buffer boundaries and into qemu address space on the host and gain elevated privileges on the system.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99126 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Affected Products and Versions

PowerKVM 2.1

Remediation/Fixes

Fix is made available via Fix Central https://ibm.biz/BdEnT8 in fix pack "ibm-powerkvm-updates-2.1.1.0-33.0" and all later fix packs. See the README at https://ibm.biz/BdEnTL for prerequisite fixes and instructions.

Workarounds and Mitigations

None
Change History

January 8, 2015 - Original Version Published
January 15, 2015 - Updated summary and CVSS details

- --------------------------------------------------------------------------

Security Bulletin: PowerKVM D-Bus vulnerabilities: Multiple CVEs

Document information

More support for: PowerKVM
Software version: 2.1
Operating system(s): Linux
Software edition: KVM
Reference #: T1021955
Modified date: 2015-01-20

Security Bulletin Summary

PowerKVM has multiple D-Bus vulnerabilities.

Vulnerability Details

CVEID: CVE-2014-7824
DESCRIPTION: D-Bus is vulnerable to a denial of service, caused by an incomplete fix related to an error in the dbus-daemon. By sending an excessive number of file descriptors, a local attacker could exploit this vulnerability to cause the dbus-daemon to reach the RLIMIT_NOFILE and cause a denial of service.
CVSS Base Score: 2.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/98576 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2014-3635
DESCRIPTION: D-Bus is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the dbus-daemon. By sending an overly long D-Bus message, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the dbus-daemon to crash.
CVSS Base Score: 4.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/96006 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-3636
DESCRIPTION: D-Bus is vulnerable to a denial of service, caused by an error in the dbus-daemon. By sending an excessive number of file descriptors, a local attacker could exploit this vulnerability to cause the dbus-daemon to reach the RLIMIT_NOFILE and cause a denial of service.
CVSS Base Score: 2.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/96007 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2014-3637
DESCRIPTION: D-Bus is vulnerable to a denial of service, caused by an error related to the attachment of a file descriptor to a D-Bus message. By sending a specially-crafted message using the dbus-daemon, a local attacker could exploit this vulnerability to kill processes and cause a denial of service.
CVSS Base Score: 2.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/96008 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2014-3639
DESCRIPTION: D-Bus is vulnerable to a denial of service, caused by an error related to incomplete connections. By making repeated connection attempts, a local attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 2.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/96010 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2014-3638
DESCRIPTION: D-Bus is vulnerable to a denial of service, caused by an error related to method call replies. By sending the maximum number of parallel method calls, a local attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 2.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/96009 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:N/I:N/A:P)

Effective CVSS Score: 4.60

Affected Products and Versions

PowerKVM 2.1

Remediation/Fixes

Fix is made available via Fix Central https://ibm.biz/BdEnT8 in the service pack "2.1.1 (SP1)" and all later fixes. See the README at https://ibm.biz/BdEnTL for prerequisite fixes and instructions.

Workarounds and Mitigations

none

Acknowledgement

none

Change History

January 8, 2015 - Original Version Published
January 9, 2015 - Moved out to SP1
January 15, 2015 - Updated summary and CVSS details
- ---------------------------------------------------------------------------

Security Bulletin: PowerKVM tcpdump DoS vulnerabilities: CVE-2014-8767 and CVE-2014-8769

Document information

More support for: PowerKVM
Software version: 2.1
Operating system(s): Linux
Software edition: KVM
Reference #: T1021953
Modified date: 2015-01-20

Security Bulletin Summary

PowerKVM tcpdump has denial of service (DoS) vulnerabilities.

Vulnerability Details

CVEID: CVE-2014-8767
DESCRIPTION: tcpdump is vulnerable to a denial of service, caused by an error in the olsr_print() function. By sending specially-crafted Optimized Link State Routing (OLSR) protocol traffic, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/98765 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2014-8769
DESCRIPTION: tcpdump is vulnerable to a denial of service, caused by the improper handling of input by the application decoder for the Ad hoc On-Demand Distance Vector (AODV) protocol. By sending specially-crafted data, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/98764 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Effective CVSS Score: 5.00

Affected Products and Versions

PowerKVM 2.1

Remediation/Fixes

Fix is made available via Fix Central https://ibm.biz/BdEnT8 in fix pack "ibm-powerkvm-updates-2.1.1.0-33.0" and all later fix packs.
See the README at https://ibm.biz/BdEnTL for prerequisite fixes and instructions.

Workarounds and Mitigations

none

Acknowledgement

none

Change History

January 8, 2015 - Original Version Published
January 15, 2015 - Updated summary and CVSS details

- ---------------------------------------------------------------------------

Security Bulletin: PowerKVM Qemu Vulnerabilities: Multiple CVEs

Document information

More support for: PowerKVM
Software version: 2.1
Operating system(s): Linux
Software edition: KVM
Reference #: T1021956
Modified date: 2015-01-20

Security Bulletin Summary

There are multiple vulnerabilities in Qemu code used in IBM PowerKVM.

Vulnerability Details

CVEID: CVE-2013-4148
DESCRIPTION: QEMU could allow a local attacker to execute arbitrary code on the system, caused by a signedness error in virtio-net.h. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 4.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93223 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-4530
DESCRIPTION: QEMU is vulnerable to a buffer overflow, caused by improper bounds checking by pl022.c. By sending an overly long argument, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 4.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93230 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-4538
DESCRIPTION: QEMU could allow a local attacker to execute arbitrary code on the system, caused by an array indexing error in the ssd0323_load() function. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 4.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93237 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-7815
DESCRIPTION: QEMU could allow a local attacker to execute arbitrary code on the system, caused by an array indexing error in the ssd0323_load() function. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 5.2
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/98577 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:A/AC:M/Au:S/C:N/I:N/A:C)

CVEID: CVE-2013-4150
DESCRIPTION: QEMU is vulnerable to a buffer overflow, caused by improper bounds checking by the virtio_net_load() function. By sending an overly long argument, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 4.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93225 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-4531
DESCRIPTION: QEMU is vulnerable to a buffer overflow, caused by improper bounds checking by the cpu_post_load() function. By sending an overly long argument, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 4.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93231 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-4539
DESCRIPTION: QEMU could allow a local attacker to execute arbitrary code on the system, caused by an array indexing error in the tsc210x_load() function. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 4.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93238 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-4151
DESCRIPTION: QEMU could allow a local attacker to execute arbitrary code on the system, caused by an out-of-bounds write error in the virtio_load() function. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 4.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93226 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-6399
DESCRIPTION: QEMU could allow a local attacker to execute arbitrary code on the system, caused by an array indexing error in the virtio_load() function. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 4.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93241 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-4540
DESCRIPTION: QEMU is vulnerable to a buffer overflow, caused by improper bounds checking by the scoop_gpio_handler_update() function. By sending an overly long argument, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 4.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93239 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-5388
DESCRIPTION: QEMU could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds access error in ACPI PCI hotplug interface. An attacker could exploit this vulnerability to corrupt QEMU process memory and obtain sensitive information.
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/95419 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-4526
DESCRIPTION: QEMU could allow a local attacker to execute arbitrary code on the system, caused by an error in ahci.c. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 4.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93227 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-4535
DESCRIPTION: QEMU could allow a local attacker to execute arbitrary code on the system, caused by an error in the virtqueue_map_sg() function. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 4.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93234 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-4542
DESCRIPTION: QEMU is vulnerable to a buffer overflow, caused by improper bounds checking by the virtio_scsi_load_request() function. By sending an overly long argument, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 4.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93240 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-4527
DESCRIPTION: QEMU is vulnerable to a buffer overflow, caused by improper bounds checking by hpet.c. By sending an overly long argument, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 4.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93228 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-4536
DESCRIPTION: QEMU could allow a local attacker to execute arbitrary code on the system, caused by an error in virtio.c. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 4.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93235 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-3640
DESCRIPTION: QEMU is vulnerable to a denial of service, caused by a NULL pointer dereference in the sosendto() function. A local attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 2.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/96930 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2013-4529
DESCRIPTION: QEMU is vulnerable to a buffer overflow, caused by improper bounds checking by pcie_aer.c. By sending an overly long argument, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 4.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93229 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2013-4533
DESCRIPTION: QEMU is vulnerable to a buffer overflow, caused by improper bounds checking by the pxa2xx_ssp_load() function. By sending an overly long argument, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 4.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93232 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2014-3689
DESCRIPTION: QEMU could allow a remote attacker from within the local network to bypass security restrictions, caused by the improper validation of parameters by the vmware-vga driver within the rectangle handling functionality. An attacker could exploit this vulnerability to write into qemu address space on the host and gain elevated privileges on the system.
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/98578 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:A/AC:H/Au:S/C:P/I:P/A:P)

Affected Products and Versions

PowerKVM 2.1

Remediation/Fixes

Fix is made available via Fix Central https://ibm.biz/BdEnT8 in fix pack "ibm-powerkvm-updates-2.1.1.0-33.0" and all later fix packs. See the README at https://ibm.biz/BdEnTL for prerequisite fixes and instructions.
Workarounds and Mitigations

none

Acknowledgement

none

Change History

January 8, 2015 - Original Version Published
January 15, 2015 - Updated Summary and corrected the detailed CVSS description

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content.
The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
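
The bulletin gives a CVSS v2 vector beside each stated base score, and its change history records a correction to the CVSS details. The Python below is an added example, not part of the IBM or AusCERT text: it recomputes each base score from its vector with the CVSS v2 base equation and flags entries whose stated score disagrees. The function names and the abridged sample text are assumptions made for illustration.

```python
import re
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base-metric weights from the CVSS v2 specification.
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": CIA, "I": CIA, "A": CIA,
}

def cvss2_base(vector):
    """Recompute the CVSS v2 base score from a vector like (AV:L/AC:L/Au:N/C:P/I:P/A:P)."""
    parts = dict(p.split(":", 1) for p in vector.strip("() ").split("/"))
    if set(parts) != set(WEIGHTS) or any(v not in WEIGHTS[m] for m, v in parts.items()):
        raise ValueError(f"not a valid CVSS v2 base vector: {vector!r}")
    w = {m: WEIGHTS[m][v] for m, v in parts.items()}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    if impact == 0:  # f(Impact) is 0 when no impact metric is set
        return 0.0
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * 1.176
    return float(Decimal(raw).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))

# One entry = a CVEID, then the first base score and vector before the next CVEID.
GAP = r"(?:(?!CVEID:).)*?"
ENTRY = re.compile(
    r"CVEID:\s*(CVE-\d{4}-\d+)" + GAP + r"CVSS Base Score:\s*(\d+(?:\.\d+)?)"
    + GAP + r"CVSS Vector:\s*(\([^)]*\))", re.S)

def check_bulletin(text):
    """Return (cve, stated, recomputed, consistent) for every entry found in text."""
    found = ((c, float(s), cvss2_base(v)) for c, s, v in ENTRY.findall(text))
    return [(c, s, calc, s == calc) for c, s, calc in found]

# Constructed sample: three entries abridged from this bulletin (descriptions cut).
SAMPLE = (
    "CVEID: CVE-2013-4529 DESCRIPTION: [cut] CVSS Base Score: 4.6 "
    "CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P) "
    "CVEID: CVE-2013-4533 DESCRIPTION: [cut] CVSS Base Score: 4.6 "
    "CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P) "
    "CVEID: CVE-2014-3689 DESCRIPTION: [cut] CVSS Base Score: 4 "
    "CVSS Vector: (AV:A/AC:H/Au:S/C:P/I:P/A:P)"
)

if __name__ == "__main__":
    for row in check_bulletin(SAMPLE):
        print(row)
```

The temporal and environmental scores are not recomputed; the bulletin defers the former to X-Force and leaves the latter undefined.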