History: Jan 17, 2019 - 6:50 p.m.

Security Bulletin: PowerVC is affected by an Openstack Keystone vulnerability that could allow a remote authenticated attacker to discover restricted projects (CVE-2018-14432)

2019-01-17 18:50:01
www.ibm.com

EPSS: 0.001 (Percentile: 43.9%)

Summary

PowerVC has addressed the following vulnerability. An authenticated “GET /v3/OS-FEDERATION/projects” request to the identity API may bypass intended access restrictions on listing projects. An authenticated user may discover projects they have no authority to access, leaking all projects in the deployment and their attributes.

Vulnerability Details

CVE-ID: CVE-2018-14432
Description: An authenticated “GET /v3/OS-FEDERATION/projects” request may bypass intended access restrictions on listing projects. An authenticated user may discover projects they have no authority to access, leaking all projects in the deployment and their attributes.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/147412> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

| Affected Product | Affected Versions |
| --- | --- |
| IBM PowerVC Standard | 1.3.3 |
| IBM PowerVC Standard | 1.4.0 |
| IBM PowerVC Standard | 1.4.1 |
| IBM Cloud PowerVC Manager | 1.3.3 |
| IBM Cloud PowerVC Manager | 1.4.0 |
| IBM Cloud PowerVC Manager | 1.4.1 |

Remediation/Fixes

| Product | VRMF | APAR | Remediation / First Fix |
| --- | --- | --- | --- |
| IBM PowerVC Standard and IBM Cloud PowerVC Manager | 1.3.3 | IT27707 | https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%20software&product=ibm/Other+software/PowerVC&release=1.3.3.1&platform=All&function=textSearch&text=APAR+IT27706_IT27707 |
| IBM PowerVC Standard and IBM Cloud PowerVC Manager | 1.4.0 | IT27707 | https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%20software&product=ibm/Other+software/PowerVC&release=1.4.0.1&platform=All&function=textSearch&text=APAR+IT27706_IT27707 |
| IBM PowerVC Standard and IBM Cloud PowerVC Manager | 1.4.1 | NA | https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%20software&product=ibm/Other+software/PowerVC&release=1.4.1.0&platform=All&function=textSearch&text=PowerVC+1.4.1.1 |

Workarounds and Mitigations

None
