IBM126742A2D23D04968A64E6DCE8DECEC9AF4ADAEE767C7ADB9D4F8A8ED348D399Security Bulletin: This Power System update is being released to address CVE 2022-2809
8.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
0.001 Low
EPSS
Percentile
38.6%
Summary
POWER10: In response to a security issue with the BMC HTTPS server, a new Power System firmware update is being released to address Common Vulnerabilities and Exposures issue number CVE-2022-2809.
Vulnerability Details
CVEID:CVE-2022-2809
**DESCRIPTION:**In IBM OPENBMC, when using using a specially crafted multi-part HTTPS header on a specific URI only available to admin users, a bug causes a buffer overflow which can lead to denial of service.
CVSS Base score: 2.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238677 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L)
Affected Products and Versions
| Affected Product(s) | Version(s) | Release(s) |
|---|---|---|
| OPENBMC | FW1020 | FW1020.00 through FW1020.10 |
Remediation/Fixes
Customers with the products below running FW1020, install FW1020.20:
- IBM Power System S1022 (9105-22A)
- IBM Power System S1024 (9105-42A)
- IBM Power System S1022S (9105-22B)
- IBM Power System S1014 (9105-41B)
- IBM Power System E1050 (9043-MRX)
- IBM Power System L1022 (9786-22H)
- IBM Power System L1024 (9786-42H)
Workarounds and Mitigations
None
Affected configurations
Related
8.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
0.001 Low
EPSS
Percentile
38.6%