History: Aug 19, 2022 - 5:50 p.m.

Security Bulletin: This Power System update is being released to address CVE-2019-16649 and CVE-2019-16650

Published: 2022-08-19 17:50:28 (source: www.ibm.com)

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Attack Vector: NETWORK; Attack Complexity: LOW; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL

CVSS3: 10 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: CHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

EPSS: 0.005 Low (percentile 76.9%)

Summary

POWER8 and POWER9: In response to security issues with virtual media, new Power System firmware updates are being released to address Common Vulnerabilities and Exposures issue numbers CVE-2019-16649 and CVE-2019-16650.

Vulnerability Details

CVEID: CVE-2019-16649
**DESCRIPTION:** Multiple Supermicro products could allow a remote attacker to obtain sensitive information, caused by a combination of encryption and authentication problems in the virtual media service. A remote attacker could exploit this vulnerability to obtain sensitive information and then use this information to launch further attacks against the affected system.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/167441 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2019-16650
**DESCRIPTION:** Supermicro X10 and X11 could allow a remote authenticated attacker to bypass security restrictions, caused by improper authentication. An attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/167440 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Power Scale-out LC server 821LC | OP825 |
| IBM Power Scale-out LC server 822LC | OP825 |
| IBM Power HMC 7063 Model CR1 | OP825 |
| IBM Power Hyperconverged CS server CS821 | OP825 |
| IBM Power Hyperconverged CS server CS822 | OP825 |
| IBM Power Scale-out LC server LC921 | OP920 |
| IBM Power Scale-out LC server LC922 | OP920 |

Remediation/Fixes

Customers with the products below running OP825 should install OP825.51:

  1. IBM Power Scale-out LC server S821LC (8001-12C)
  2. IBM Power Scale-out LC server S822LC (8001-22C)
  3. IBM Power HMC 7063 Model CR1 firmware (7063-CR1)
  4. IBM Power Hyperconverged CS server CS821 (8005-12N)
  5. IBM Power Hyperconverged CS server CS822 (8005-22N)

Customers with the products below running OP920 should install OP920.41:

  1. IBM Power Scale-out LC server LC921 (9006-12P)
  2. IBM Power Scale-out LC server LC922 (9006-22P)

Workarounds and Mitigations

Limit access to the BMC’s network interface.

