Lucene search

K
ibmIBM4D703B44BD9E2BE8BBA4FF0E8BD24FB1775E4C5B0286FB23E427AC57E0738ADA
HistoryMar 27, 2024 - 8:42 p.m.

Security Bulletin: This Power System update is being released to address CVE 2020-10735

2024-03-2720:42:56
www.ibm.com
10
power system
openbmc
python
denial of service
vulnerability
firmware
update

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.2 High

AI Score

Confidence

High

0.006 Low

EPSS

Percentile

77.9%

Summary

BMC firmware version OP910 uses Python to help serve HTTPS requests but Python is not used to process the request body, so this access vector is not vulnerable the Python long integer vulnerability. A BMC administrator who uses Python from the BMC’s command line is subject to this vulnerability.

Vulnerability Details

CVEID:CVE-2020-10735
**DESCRIPTION:**Python is vulnerable to a denial of service, caused by the failure to limit amount of digits converting text to int by the int() type in PyLong_FromString(). A remote attacker could exploit this vulnerability to consume all available resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235840 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
OPENBMC OP910.00 - OP910.70
OPENBMC OP910.00C - OP910.70C

Remediation/Fixes

Customers with the products below should install OP910.80 or newer to remediate this vulnerability.

Power 9

  1. IBM Power System AC922 (8335-GTG)

Customers with the products below should install OP910.80C or newer to remediate this vulnerability.

Power 9

  1. IBM Power System AC922 (8335-GTC, 8335-GTW)

Workarounds and Mitigations

Avoid using Python to convert integers longer than 4300 digits.

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.2 High

AI Score

Confidence

High

0.006 Low

EPSS

Percentile

77.9%