Lucene search

IBM0C0A19924CA8D6F79A90B19E3EBA05E1C51218A4B03315789663395D4297CB82

HistoryMay 23, 2022 - 11:34 a.m.

Security Bulletin: This Power System update is being released to address CVE 2022-22309

2022-05-2311:34:20

www.ibm.com

power system

fsp

vulnerability

firmware

update

cve-2022-22309

serial port

security issue

CVSS2

4.6

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS3

6.8

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

21.6%

JSON

Summary

POWER8/POWER9: The POWER systems FSP is vulnerable to unauthenticated logins through the physical serial port/TTY interface. This vulnerability can be more critical if the serial port is connected to a serial-over-lan device. In response to this security issue, a new Power System firmware update is being released to address Common Vulnerabilities and Exposures issue number CVE-2022-22309

Vulnerability Details

CVEID:CVE-2022-22309
**DESCRIPTION:**The POWER systems FSP is vulnerable to unauthenticated logins through the serial port/TTY interface. This vulnerability can be more critical if the serial port is connected to a serial-over-lan device.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217095 for the current score.
CVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Firmware release FW860, FW940 and FW950 are affected.

Remediation/Fixes

Customers with the products below, install FW860.B0

IBM Power System S812(8284-21A)
IBM Power System S822(8284-22A)
IBM Power System S814(8286-41A)
IBM Power System S824(8286-42A)
IBM Power System S812L(8247-21L)
IBM Power System S822L(8247-22L)
IBM Power System S824L(8247-42L)
IBM Power System E850(8408-E8E)
IBM Power System E850C(8408-44E)
IBM Power System E870(9119-MME)
IBM Power System E870C(9080-MME)
IBM Power System E880(9119-MHE)
IBM Power System E880C(9080-MHE)
IBM Power System S812L(5148-21L)
IBM Power System S822L(5148-22L)

Customers with the products below, install FW940.60 or FW950.40 or above.

IBM Power System S922 (9009-22A)
IBM Power System H922 (9223-22H)
IBM Power System S914 (9009-41A)
IBM Power System S924 (9009-42A)
IBM Power System H924 (9223-42H)
IBM Power System L922 (9008-22L)
IBM Power System E950 (9040-MR9)

Customers with the products below, install FW950.40 or above.

IBM Power System S914 (9009-41G)
IBM Power System S922 (9009-22G)
IBM Power System S924(9009-42G)
IBM ESS 5000 Server (5105-22E)

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmpower_hardware_management_consoleMatchany

VendorProductVersionCPE
ibmpower_hardware_management_consoleanycpe:2.3:a:ibm:power_hardware_management_console:any:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	power_hardware_management_console	any	cpe:2.3:a:ibm:power_hardware_management_console:any:::::::*

CVSS2

4.6

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS3

6.8

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

21.6%

JSON

Related for 0C0A19924CA8D6F79A90B19E3EBA05E1C51218A4B03315789663395D4297CB82