14 June 2019
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2110
                 A vulnerability in Python affects PowerKVM
                               14 June 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           PowerKVM
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-9636

Reference:         ESB-2019.1789
                   ESB-2019.1601
                   ESB-2019.1596
                   ESB-2019.1462

Original Bulletin:
   http://www.ibm.com/support/docview.wss?uid=ibm10880407

--------------------------BEGIN INCLUDED TEXT--------------------

A vulnerability in Python affects PowerKVM

Product:             PowerKVM
Software version:    3.1
Operating system(s): Linux
Reference #:         0880407

Security Bulletin

Summary

PowerKVM is affected by a vulnerability in Python. IBM has now addressed this
vulnerability.

Vulnerability Details

CVEID: CVE-2019-9636
DESCRIPTION: Python urllib.parse.urlsplit and urllib.parse.urlparse components
could allow a remote attacker to obtain sensitive information, caused by
improper unicode encoding handling in NFKC normalization. By using a
specially-crafted URL, an attacker could exploit this vulnerability to obtain
sensitive information.
CVSS Base Score: 7.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/158114 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

PowerKVM 3.1

Remediation/Fixes

Customers can update PowerKVM systems by using "yum update". Fix images are
made available via Fix Central. For version 3.1, see https://ibm.biz/BdHggw.
This issue is addressed starting with v126.96.36.199 update 18.
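As an added illustration (not code from the IBM bulletin or from PowerKVM), the check below mirrors the guard that the upstream CPython fix added to urllib.parse: it flags a URL whose netloc would gain a delimiter character under NFKC normalization, the condition behind CVE-2019-9636, so it can sit in front of urlsplit() on systems still waiting for the vendor update. The function names and sample URLs are constructed for this example.

```python
import unicodedata
from urllib.parse import urlsplit

# Delimiters that must not appear in a netloc once it is NFKC-normalized.
DELIMITERS = "/?#@:"


def netloc_changes_under_nfkc(netloc: str) -> bool:
    """True if NFKC normalization would introduce a delimiter into netloc."""
    if not netloc or netloc.isascii():
        return False  # pure-ASCII netlocs are not affected
    stripped = netloc
    for ch in DELIMITERS:
        stripped = stripped.replace(ch, "")  # ignore delimiters already present
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return False  # normalization is a no-op, nothing to worry about
    return any(ch in normalized for ch in DELIMITERS)


def safe_urlsplit(url: str):
    """urlsplit() wrapper that refuses URLs with an NFKC-unstable netloc."""
    parts = urlsplit(url)
    if netloc_changes_under_nfkc(parts.netloc):
        raise ValueError(f"netloc {parts.netloc!r} gains a delimiter "
                         "under NFKC normalization")
    return parts


def classify(urls):
    """Map each URL to 'ok' or 'rejected'; handy for triaging logged URLs."""
    verdicts = {}
    for u in urls:
        try:
            safe_urlsplit(u)
            verdicts[u] = "ok"
        except ValueError:
            verdicts[u] = "rejected"
    return verdicts


if __name__ == "__main__":
    # Constructed samples: U+2100 (ACCOUNT OF) normalizes to "a/c", the
    # example cited in the CPython fix; the umlaut host is a legitimate
    # IDN that NFKC leaves unchanged.
    samples = ["http://example.com/index.html",
               "http://b\u00fccher.example/",
               "http://x\u2100y.example/path"]
    for u, verdict in classify(samples).items():
        print(verdict, u)
```

On an already-patched Python, urlsplit() itself raises ValueError for the unstable netloc; classify() reports "rejected" either way, so the same triage logic works before and after the update.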
Workarounds and Mitigations

None

Change History

9 April 2019 - Initial Version

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to
firstname.lastname@example.org and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: email@example.com
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================