There are vulnerabilities reported in the VMWare component that is used by IBM PureApplication System. IBM has released Version 2.2.5.3 for IBM PureApplication System, in response to CVE-2018-6981 and CVE-2018-6982. The following vulnerabilities have been addressed by IBM PureApplication System.
CVEID: CVE-2018-6981 DESCRIPTION: VMware ESXi, Workstation, and Fusion could allow a remote attacker to execute arbitrary code on the system, caused by an issue with uninitialized stack memory usage in the vmxnet3 virtual network adapter. If vmxnet3 is enabled, an attacker could exploit this vulnerability to execute arbitrary code and gain elevated privileges on the host system.
CVSS Base Score: 10
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152791> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVEID: CVE-2018-6982 DESCRIPTION: VMware ESXi, Workstation, and Fusion could allow a remote attacker to obtain sensitive information, caused by an issue with uninitialized stack memory usage in the vmxnet3 virtual network adapter. If vmxnet3 is enabled, an attacker could exploit this vulnerability to obtain sensitive information leaked from the host to the guest domain.
CVSS Base Score: 8.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152792> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
IBM PureApplication System V2.2.3.0
IBM PureApplication System V2.2.3.1
IBM PureApplication System V2.2.3.2
IBM PureApplication System V2.2.4.0
IBM PureApplication System V2.2.5.0
IBM PureApplication System V2.2.5.1
IBM PureApplication System V2.2.5.2
The solution is to upgrade the IBM PureApplication System to the following fix pack release:
IBM PureApplication V2.2.5.3
IBM recommends upgrading to a fixed version of the product. Contact IBM for assistance.
Information on upgrading can be found here: <http://www-01.ibm.com/support/docview.wss?uid=swg27039159>
None