Lucene search

K
ibmIBM2DD7BCD39183E22AA61C4A0B4A33A2A0AB69DB257B24A4A837DCC4309ED8D2A3
HistorySep 10, 2024 - 3:20 p.m.

Security Bulletin: Vulnerability in shadow-utils library (CVE-2023-4641) affects Power HMC.

2024-09-1015:20:22
www.ibm.com
9
shadow-utils
power hmc
cve-2023-4641
ibm fix
local attacker
sensitive information
fix central

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

7.1

Confidence

High

Summary

The shadow-utils library is used by Power Hardware Management Console (HMC). HMC has addressed the applicable CVE.

Vulnerability Details

**CVEID:**CVE-2023-4641 DESCRIPTION: shadow-maint shadow-utils could allow a local authenticated attacker to obtain sensitive information, caused by failing to clean the buffer used to store password information. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain password information, and use this information to launch further attacks against the affected system.
CVSS Base score: 4.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/271763 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
HMC V10.2.1030.0 V10.2.1030.0
HMC V10.3.1050.0 V10.3.1050.0

Remediation/Fixes

The following fixes are available on IBM Fix Central at: http://www-933.ibm.com/support/fixcentral/

Product VRMF APAR Remediation/Fix
Power HMC V10.2.1040.0 SP2 x86
MB04466

| MF71701
Power HMC | V10.2.1040.0 SP2 ppc |

MB04467

| MF71702
Power HMC | V10.3.1060.0 x86 |

MB04468

| MF71703
Power HMC | V10.3.1060.0 ppc |

MB04469

| MF71704

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmhardware_management_consoleMatchany
VendorProductVersionCPE
ibmhardware_management_consoleanycpe:2.3:a:ibm:hardware_management_console:any:*:*:*:*:*:*:*

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

7.1

Confidence

High