Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM4D703B44BD9E2BE8BBA4FF0E8BD24FB1775E4C5B0286FB23E427AC57E0738ADA
HistoryMar 27, 2024 - 8:42 p.m.

Security Bulletin: This Power System update is being released to address CVE 2020-10735

2024-03-2720:42:56
www.ibm.com
8
power system
openbmc
python
denial of service
vulnerability
firmware
update

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.2 High

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.005 Low

EPSS

Percentile

76.9%

JSON

Summary

BMC firmware version OP910 uses Python to help serve HTTPS requests but Python is not used to process the request body, so this access vector is not vulnerable the Python long integer vulnerability. A BMC administrator who uses Python from the BMC’s command line is subject to this vulnerability.

Vulnerability Details

CVEID:CVE-2020-10735
**DESCRIPTION:**Python is vulnerable to a denial of service, caused by the failure to limit amount of digits converting text to int by the int() type in PyLong_FromString(). A remote attacker could exploit this vulnerability to consume all available resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235840 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
OPENBMC OP910.00 - OP910.70
OPENBMC OP910.00C - OP910.70C

Remediation/Fixes

Customers with the products below should install OP910.80 or newer to remediate this vulnerability.

Power 9

  1. IBM Power System AC922 (8335-GTG)

Customers with the products below should install OP910.80C or newer to remediate this vulnerability.

Power 9

  1. IBM Power System AC922 (8335-GTC, 8335-GTW)

Workarounds and Mitigations

Avoid using Python to convert integers longer than 4300 digits.

Related

nessus 49
fedora 24
osv 10
openvas 44
rocky 2
prion 1
ibm 16
redhat 24
debiancve 1
cbl_mariner 1
oraclelinux 4
freebsd 1
veracode 1
ubuntucve 1
almalinux 4
redhatcve 1
cve 1
amazon 1
cgr 1
slackware 1
wolfi 1
suse 2
aix 1
mageia 1
photon 2
debian 1
ics 1
oracle 2
nessus
nessus
EulerOS Virtualization 2.10.0 : python3 (EulerOS-SA-2023-1172)
2023-01-10 00:00:00
Fedora 36 : python3.6 (2022-d4570fc1a6)
2022-12-23 00:00:00
FreeBSD : Python -- multiple vulnerabilities (80e057e7-2f0a-11ed-978f-fcaa147e860e)
2022-09-08 00:00:00
fedora
fedora
[SECURITY] Fedora 35 Update: python3.8-3.8.14-1.fc35
2022-09-14 01:43:00
[SECURITY] Fedora 37 Update: python3-docs-3.11.0~rc2-1.fc37
2022-09-18 00:20:16
[SECURITY] Fedora 35 Update: python3-docs-3.10.7-1.fc35
2022-09-25 01:43:47
osv
osv
CVE-2020-10735
2022-09-09 14:15:08
BIT-python-2020-10735
2024-03-06 11:08:16
Moderate: python3.9 security update
2022-11-02 00:00:00
openvas
openvas
Fedora: Security Advisory for python3.11 (FEDORA-2022-0b3904c674)
2022-09-24 00:00:00
Slackware: Security Advisory (SSA:2022-250-01)
2022-09-08 00:00:00
Fedora: Security Advisory for python3.9 (FEDORA-2022-6d57598a23)
2022-09-15 00:00:00
rocky
rocky
python3.9 security update
2022-11-02 13:53:37
python3 security update
2023-02-22 01:08:44
prion
prion
Design/Logic Flaw
2022-09-09 14:15:00
ibm
ibm
Security Bulletin: Vulnerabilities in Python may affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift
2023-05-22 23:42:14
Security Bulletin: IBM Security SOAR is using a component with known vulnerabilities (CVE-2020-10735)
2023-01-24 10:51:23
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in Python (CVE-2020-10735)
2023-05-03 14:08:15
redhat
redhat
(RHSA-2022:7323) Moderate: python3.9 security update
2022-11-02 13:53:37
(RHSA-2022:6766) Moderate: rh-python38-python security update
2022-10-03 15:00:33
(RHSA-2023:2763) Moderate: python38:3.8 and python38-devel:3.8 security update
2023-05-16 05:54:00
debiancve
debiancve
CVE-2020-10735
2022-09-09 14:15:00
cbl_mariner
cbl_mariner
CVE-2020-10735 affecting package python3 3.7.13-6
2023-06-13 20:02:41
oraclelinux
oraclelinux
python3.9 security update
2022-11-02 00:00:00
python3 security update
2023-02-22 00:00:00
python38:3.8 and python38-devel:3.8 security update
2023-05-23 00:00:00
freebsd
freebsd
Python -- multiple vulnerabilities
2020-03-20 00:00:00
veracode
veracode
Denial Of Service (DoS)
2022-09-19 16:12:15
ubuntucve
ubuntucve
CVE-2020-10735
2022-09-09 00:00:00
almalinux
almalinux
Moderate: python3.9 security update
2022-11-02 00:00:00
Moderate: python3 security update
2023-02-21 00:00:00
Moderate: python38:3.8 and python38-devel:3.8 security update
2023-05-16 00:00:00
redhatcve
redhatcve
CVE-2020-10735
2022-09-05 05:58:38
cve
cve
CVE-2020-10735
2022-09-09 14:15:00
amazon
amazon
Medium: python3
2022-12-01 20:31:00
cgr
cgr
CVE-2020-10735 vulnerabilities
2024-04-30 21:06:17
slackware
slackware
[slackware-security] python3
2022-09-07 18:45:50
wolfi
wolfi
CVE-2020-10735 vulnerabilities
2024-04-30 21:06:17
suse
suse
Security update for python310 (important)
2022-09-30 00:00:00
Security update for python39 (important)
2022-10-01 00:00:00
aix
aix
AIX is affected by arbitrary code execution and denial of service due to Python
2022-11-01 10:11:15
mageia
mageia
Updated python3 packages fix security vulnerability
2022-10-08 23:22:22
photon
photon
Important Photon OS Security Update - PHSA-2023-4.0-0329
2023-02-08 00:00:00
Important Photon OS Security Update - PHSA-2023-3.0-0528
2023-02-08 00:00:00
debian
debian
[SECURITY] [DLA 3477-1] python3.7 security update
2023-06-30 20:52:04
ics
ics
Siemens SCALANCE XCM-/XRM-300
2024-02-15 12:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - January 2023
2023-01-17 00:00:00
Oracle Critical Patch Update Advisory - July 2023
2023-07-18 00:00:00

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.2 High

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.005 Low

EPSS

Percentile

76.9%

JSON
Related for 4D703B44BD9E2BE8BBA4FF0E8BD24FB1775E4C5B0286FB23E427AC57E0738ADA
nessus49fedora24osv10openvas44rocky2prion1ibm16redhat24debiancve1cbl_mariner1oraclelinux4freebsd1veracode1ubuntucve1almalinux4redhatcve1cve1amazon1cgr1slackware1wolfi1suse2aix1mageia1photon2debian1ics1oracle2