===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2110
                A vulnerability in Python affects PowerKVM
                               14 June 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           PowerKVM
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-9636  

Reference:         ESB-2019.1789
                   ESB-2019.1601
                   ESB-2019.1596
                   ESB-2019.1462

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10880407

- --------------------------BEGIN INCLUDED TEXT--------------------

A vulnerability in Python affects PowerKVM

Product:             PowerKVM
Software version:    3.1
Operating system(s): Linux
Reference #:         0880407

Security Bulletin

Summary

PowerKVM is affected by a vulnerability in Python. IBM has now addressed this
vulnerability.

Vulnerability Details

CVEID: CVE-2019-9636
DESCRIPTION: Python's urllib.parse.urlsplit and urllib.parse.urlparse components
could allow a remote attacker to obtain sensitive information, caused by
improper handling of Unicode encoding during NFKC normalization. By using a
specially crafted URL, an attacker could exploit this vulnerability to obtain
sensitive information.
CVSS Base Score: 7.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/158114 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
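As an added illustration that is not part of the IBM or AusCERT text: a defender-side pre-parse gate that applies the same NFKC check the upstream Python fix added to urlsplit, so an authority whose normalized form would gain a URL delimiter can be rejected or logged before parsing. The helper names and the constructed sample URLs are assumptions made for this example.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Delimiters that, if introduced by NFKC normalization of the authority,
# would move the host boundary (mirrors the check added to urlsplit upstream).
_URL_DELIMITERS = "/?#@:"

# Authority = text after "//" up to the first "/", "?" or "#". Hypothetical
# helper for a pre-parse gate, not a full RFC 3986 parser.
_AUTHORITY_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/?#]*)")


def authority_of(url: str) -> str:
    """Return the authority (userinfo@host:port) of url, or '' if absent."""
    m = _AUTHORITY_RE.match(url)
    return m.group(1) if m else ""


def nfkc_introduces_delimiter(authority: str) -> bool:
    """True if NFKC-normalizing the authority would add a URL delimiter.

    Delimiters already present are stripped first: an explicit userinfo '@'
    or port ':' is legitimate; only delimiters newly produced by normalization
    (e.g. U+FF03 -> '#', U+2100 -> 'a/c') are suspicious.
    """
    if not authority or authority.isascii():
        return False
    stripped = authority
    for c in "@:#?":
        stripped = stripped.replace(c, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return False
    return any(c in normalized for c in _URL_DELIMITERS)


def url_is_safe_to_split(url: str) -> bool:
    """Pre-parse gate: False if the host would change under NFKC."""
    return not nfkc_introduces_delimiter(authority_of(url))


def interpreter_rejects(url: str) -> bool:
    """True if this interpreter's urlsplit already refuses the URL
    (patched releases raise ValueError for such authorities)."""
    try:
        urlsplit(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed samples, not taken from the bulletin.
    for url in ("https://example.com/path", "https://b\u00fccher.example/",
                "https://example.com\uff03x/", "https://\u2100.example/"):
        print(f"{url!r}: gate_ok={url_is_safe_to_split(url)} "
              f"interpreter_rejects={interpreter_rejects(url)}")
```

On a patched interpreter the gate and urlsplit agree; on an unpatched one the gate is the only thing standing between the crafted authority and a misattributed request.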

Affected Products and Versions

PowerKVM 3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update".

Fix images are made available via Fix Central. For version 3.1, see
https://ibm.biz/BdHggw. This issue is addressed starting with v3.1.0.2 update 18.

Workarounds and Mitigations

none

Change History

9 April 2019 - Initial Version

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================