Jun 17, 2018 - 10:30 p.m.

Security Bulletin: Venom vulnerability affects IBM SmartCloud Provisioning 2.1 for IBM Software Virtual Appliance

2018-06-17 22:30:13
www.ibm.com

CVSS2: 7.7 High

Access Vector: ADJACENT_NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:A/AC:L/Au:S/C:C/I:C/A:C

Summary

IBM SmartCloud Provisioning 2.1 for IBM Software Virtual Appliance is vulnerable to Venom: Virtualized Environment Neglected Operation Manipulation (CVE-2015-3456).

Vulnerability Details

CVE-ID: CVE-2015-3456
DESCRIPTION: Open Source QEMU (Quick Emulator) is vulnerable to a buffer overflow, which is caused by improper bounds checking by the Floppy Disk Controller (FDC) emulation. By sending specially crafted FDC commands, a guest operating system attacker with access to the FDC I/O ports might overflow a buffer and execute arbitrary code on the system with root privileges.
Note: This vulnerability is also being called VENOM.
CVSS Base Score: 7.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/#/vulnerabilities/103116 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:A/AC:L/Au:S/C:C/I:C/A:C)

Affected Products and Versions

IBM SmartCloud Provisioning 2.1 for IBM Software Virtual Appliance up to interim fix 5

Remediation/Fixes

If you are running IBM SmartCloud Provisioning 2.1 for IBM Software Virtual Appliance, contact IBM support.

See the latest IBM Cloud Orchestrator fix release on IBM Fix Central.

Workarounds and Mitigations

None
