Security Bulletin: Vulnerabilities in NTP affect PowerKVM

Summary

PowerKVM is affected by vulnerabilities in NTP. IBM has now addressed these vulnerabilities.

Vulnerability Details

CVEID: CVE-2017-6464 DESCRIPTION: NTP is vulnerable to a denial of service. A remote authenticated attacker could exploit this vulnerability using a malformed mode configuration directive to cause the application to crash.
CVSS Base Score: 4.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123610 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-6463 DESCRIPTION: NTP is vulnerable to a denial of service. By sending an invalid setting, a remote authenticated attacker could exploit this vulnerability using the :config directive to cause the daemon to crash.
CVSS Base Score: 4.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123612 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-6462 DESCRIPTION: NTP is vulnerable to a denial of service, caused by a buffer overflow in the legacy Datum Programmable Time Server refclock driver. By sending specially crafted packets, a local authenticated attacker could exploit this vulnerability to overflow a buffer and cause a denial of service.
CVSS Base Score: 1.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123611 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L)

Affected Products and Versions

P:owerKVM v3.1

Remediation/Fixes

Customers can update PowerKVM systems by using “yum update”.

Fix images are made available via Fix Central. For version 3.1, see <https://ibm.biz/BdHggw&gt;. This issue is addressed starting with v3.1.0.2 update 14.

Workarounds and Mitigations

none