===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1789
                A vulnerability in libsoup affects PowerKVM
                                20 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           PowerKVM
Publisher:         IBM
Operating System:  PowerKVM
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Existing Account      
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-12910 CVE-2019-3816 CVE-2019-3863
                   CVE-2019-3838 CVE-2018-5407 CVE-2018-1084
                   CVE-2019-5736 CVE-2019-9636 

Reference:         ESB-2019.1726
                   ESB-2019.1690
                   ESB-2018.3474
                   ESB-2018.3386
                   ESB-2018.1955
                   ESB-2018.1937
                   ESB-2018.1181
                   ESB-2018.1178

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10879787
   http://www.ibm.com/support/docview.wss?uid=ibm10879789
   http://www.ibm.com/support/docview.wss?uid=ibm10878989
   http://www.ibm.com/support/docview.wss?uid=ibm10878987
   http://www.ibm.com/support/docview.wss?uid=ibm10879791
   http://www.ibm.com/support/docview.wss?uid=ibm10878985
   http://www.ibm.com/support/docview.wss?uid=ibm10874756
   http://www.ibm.com/support/docview.wss?uid=ibm10879787

Comment: This bulletin contains eight (8) IBM security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

A vulnerability in libsoup affects PowerKVM

Product:             PowerKVM
Software version:    3.1
Operating system(s): Linux
Reference #:         0879787

Security Bulletin

Summary

PowerKVM is affected by a vulnerability in libsoup. IBM has now addressed this
vulnerability.

Vulnerability Details

CVEID: CVE-2018-12910
DESCRIPTION: An unspecified error in get_cookies function in soup-cookie-jar.c
in libsoup has an unknown impact via an empty hostname.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/147348 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

PowerKVM 3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. For version 3.1, see
https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 18.

Workarounds and Mitigations

none

Change History

3 April 2019 - Initial Version

=================================================================================

A vulnerability in OpenWSMAN affects PowerKVM

Product:             PowerKVM
Software version:    3.1
Operating system(s): Linux
Reference #:         0879789

Security Bulletin

Summary

PowerKVM is affected by a vulnerability in OpenWSMAN. IBM has now addressed
this vulnerability.

Vulnerability Details

CVEID: CVE-2019-3816
DESCRIPTION: OpenWSMAN could allow a remote attacker to obtain sensitive
information, caused by the working directory of openwsmand daemon being set to
root directory. By sending a specially crafted HTTP request, an attacker could
exploit this vulnerability to view arbitrary files outside of the registered
URIs.
CVSS Base Score: 7.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/158792 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

PowerKVM 3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. For version 3.1, see
https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 18.

Workarounds and Mitigations

none

Change History

3 April 2019 - Initial Version

=================================================================================

Vulnerabilities in libssh2 affect PowerKVM

Product:             PowerKVM
Software version:    3.1
Operating system(s): Linux
Reference #:         0878989

Security Bulletin

Summary

PowerKVM is affected by vulnerabilities in libssh2. IBM has now addressed these
vulnerabilities.

Vulnerability Details

CVEID: CVE-2019-3863
DESCRIPTION: libssh2 could allow a remote attacker to execute arbitrary code on
the system, caused by an integer overflow in user authenticate keyboard
interactive. By sending a specially crafted message, a remote attacker could
exploit this vulnerability to trigger an out-of-bounds write and execute
arbitrary code on the client system.
CVSS Base Score: 7.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/158347 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-3857
DESCRIPTION: libssh2 could allow a remote attacker to execute arbitrary code on
the system, caused by an integer overflow. By sending a specially crafted
SSH_MSG_CHANNEL_REQUEST packet with an exit signal message, a remote attacker
could exploit this vulnerability to trigger an out-of-bounds write and execute
arbitrary code on the client system.
CVSS Base Score: 7.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/158341 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-3856
DESCRIPTION: libssh2 could allow a remote attacker to execute arbitrary code on
the system, caused by an integer overflow in keyboard interactive handling. By
sending a specially crafted request, a remote attacker could exploit this
vulnerability to trigger an out-of-bounds write and execute arbitrary code on
the client system.
CVSS Base Score: 7.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/158340 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-3855
DESCRIPTION: libssh2 could allow a remote attacker to execute arbitrary code on
the system, caused by an integer overflow in transport read. By sending
specially crafted packets, a remote attacker could exploit this vulnerability
to trigger an out-of-bounds read and execute arbitrary code on the client
system.
CVSS Base Score: 7.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/158339 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

Affected Products and Versions

PowerKVM 3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. For version 3.1, see
https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 18.

Workarounds and Mitigations

none

Change History

28 March 2019 - Initial Version

=================================================================================

Vulnerabilities in ghostscript affect PowerKVM

Product:             PowerKVM
Software version:    3.1
Operating system(s): Linux
Reference #:         0878987

Security Bulletin

Summary

PowerKVM is affected by vulnerabilities in ghostscript. IBM has now addressed
these vulnerabilities.

Vulnerability Details

CVEID: CVE-2019-3838
DESCRIPTION: Ghostscript could allow a remote attacker to bypass security
restrictions, caused by improper usage of forceput operator. By persuading a
victim to open a specially-crafted PostScript file, a remote attacker could
exploit this vulnerability to gain access to the file system outside of the
constraints imposed by -dSAFER.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/158503 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVEID: CVE-2019-3835
DESCRIPTION: Ghostscript could allow a remote attacker to bypass security
restrictions, caused by improper usage of superexec operator. By persuading a
victim to open a specially-crafted PostScript file, a remote attacker could
exploit this vulnerability to gain access to the file system outside of the
constraints imposed by -dSAFER.
CVSS Base Score: 5.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/158502 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

Affected Products and Versions

PowerKVM 3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. For version 3.1, see
https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 18.

Workarounds and Mitigations

none

Change History

28 March 2019 - Initial Version

=================================================================================

A vulnerability in OpenSSL affects PowerKVM

Product:             PowerKVM
Software version:    3.1
Operating system(s): Linux
Reference #:         0879791

Security Bulletin

Summary

PowerKVM is affected by a vulnerability in OpenSSL. IBM has now addressed this
vulnerability.

Vulnerability Details

CVEID: CVE-2018-5407
DESCRIPTION: Multiple SMT/Hyper-Threading architectures and processors could
allow a local attacker to obtain sensitive information, caused by execution
engine sharing on Simultaneous Multithreading (SMT) architecture. By using the
new PortSmash side-channel attack, an attacker could run a malicious process
next to legitimate processes using the architecture's parallel thread running
capabilities to leak encrypted data from the CPU's internal processes. Note:
This vulnerability is known as PortSmash.
CVSS Base Score: 5.1
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/152484 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

PowerKVM 3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. For version 3.1, see
https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 18.

Workarounds and Mitigations

none

Change History

3 April 2019 - Initial Version

=================================================================================

A vulnerability in Corosync affects PowerKVM

Product:             PowerKVM
Software version:    3.1
Operating system(s): Linux
Reference #:         0878985

Security Bulletin

Summary

PowerKVM is affected by a vulnerability in Corosync. IBM has now addressed this
vulnerability.

Vulnerability Details

CVEID: CVE-2018-1084
DESCRIPTION: Corosync is vulnerable to a denial of service, caused by an
integer overflow in exec/totemcrypto.c. By sending a specially-crafted packet,
a remote attacker could exploit this vulnerability to cause the application to
crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/141586 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

PowerKVM 3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. For version 3.1, see
https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 18.

Workarounds and Mitigations

none

Change History

28 Mar 2019 - Initial Version

=================================================================================

A vulnerability in Docker affects PowerKVM

Product:             PowerKVM
Software version:    3.1
Operating system(s): Linux
Reference #:         0874756

Security Bulletin

Summary

PowerKVM is affected by a vulnerability in Docker. IBM has now addressed this
vulnerability.

Vulnerability Details

CVEID: CVE-2019-5736
DESCRIPTION: Runc could allow a local attacker to execute arbitrary commands on
the system, caused by the improper handling of system file descriptors when
running containers. An attacker could exploit this vulnerability using a
malicious container to overwrite the contents of the host runc binary and
execute arbitrary commands with root privileges on the host system.
CVSS Base Score: 7.7
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/156819 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

Affected Products and Versions

PowerKVM 3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. For version 3.1, see
https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 18.

Workarounds and Mitigations

none

Change History

4 Mar 2019 - Initial Version

=================================================================================

A vulnerability in Python affects PowerKVM

Product:             PowerKVM
Software version:    3.1
Operating system(s): Linux
Reference #:         0880407

Summary

PowerKVM is affected by a vulnerability in Python. IBM has now addressed this 
vulnerability.

Vulnerability Details

CVEID: CVE-2019-9636
DESCRIPTION: Python urllib.parse.urlsplit and urllib.parse.urlparse components could 
allow a remote attacker to obtain sensitive information, caused by improper unicode 
encoding handling in NFKC normalization. By using a specially-crafted URL, an attacker 
could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158114 
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) 
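
An added example, not part of the IBM or AusCERT text: a pre-parse screen for the condition behind CVE-2019-9636, flagging URLs whose host part gains a URL delimiter once NFKC normalization is applied. The function names and sample URLs are constructed for illustration, and the authority extraction assumes absolute URLs of the form scheme://authority/...

```python
import unicodedata

# Characters that separate URL components; a host name must never contain them.
DELIMS = "/?#@:"


def authority(url):
    """Return the raw authority: text after '//' up to the first '/', '?' or '#'."""
    _, sep, rest = url.partition("//")
    if not sep:
        return ""
    end = len(rest)
    for ch in "/?#":
        pos = rest.find(ch)
        if pos != -1:
            end = min(end, pos)
    return rest[:end]


def nfkc_introduced_delims(url):
    """Return the delimiters that exist in the authority only after NFKC."""
    netloc = authority(url)
    if netloc.isascii():
        return []  # pure ASCII is unchanged by NFKC
    # '@' and ':' may legitimately appear in the raw authority (userinfo, port),
    # so drop them before normalizing; anything found afterwards is new.
    visible = netloc.replace("@", "").replace(":", "")
    normalized = unicodedata.normalize("NFKC", visible)
    return sorted(set(normalized) & set(DELIMS))


def screen(urls):
    """Return (url, delimiters) pairs for every URL that should be rejected."""
    flagged = []
    for url in urls:
        delims = nfkc_introduced_delims(url)
        if delims:
            flagged.append((url, delims))
    return flagged


# Constructed sample input (hypothetical hosts under the reserved .example TLD).
SAMPLES = [
    "https://kvm-host.example/status?x=1",              # plain ASCII
    "https://admin:secret@b\u00fccher.example:8443/",   # non-ASCII, NFKC-stable
    "https://kvm-host.example\uff03.mirror.example/",   # U+FF03 normalizes to '#'
    "https://kvm\u2100host.example/",                   # U+2100 normalizes to 'a/c'
]

if __name__ == "__main__":
    for url, delims in screen(SAMPLES):
        print(ascii(url), "->", delims)
```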

Affected Products and Versions

PowerKVM 3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. For version 3.1, see 
https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 18.

Workarounds and Mitigations

none

Change History

9 April 2019 - Initial Version

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================